
ASA to Checkpoint

diccondupre
Level 1

Hi there, we have an ASA 5510 and have a VPN to a 3rd party who use a Checkpoint R62 Secure Platform with 4.1 Nokia IPSO and there are a few problems with the VPN establishment.

We know there are lifetime differences and have set them according to the 3rd party's specifications. We have had issues in the past with Checkpoint devices, but with this one we quite often see the tunnel come up and traffic pass from our network to theirs with a response back, but they cannot access our network.

Are there any Cisco documents about compatibility issues or similar? In terms of config changes we are pretty certain ours is fine, as the VPN eventually stabilises and they can send traffic too, so the lifetimes and all other authentication and encryption should be ok.

TIA!

4 Replies

Danilo Dy
VIP Alumni

Hi,

Have you checked this http://www.cisco.com/warp/public/707/pix-checkpt.html

CheckPoint has the best logging of all the firewalls in the world. Have you asked the CheckPoint firewall admin to check their logs?

Regards,

Dandy

Thanks for the link Dandy, our side of the config is basically the same with obvious changes for being ASA, as far as their side they are a financial house and are unwilling to offer any information to us. I will re-query them but if anyone else has any useful information that would be cool.

brownr
Level 1

Make sure the network definitions (i.e. subnet masks) for your encryption domain and that of the Check Point gateway match exactly. If they are not defined the same, Check Point will often fail phase 2 for outbound traffic, while inbound traffic at the CP gateway will work fine.

Cheers!

Ron

Just wanted to reiterate this...key word here is *exactly*. We tried this last week and found out that if the Checkpoint is set to summarize some subnets (for example 192.168.0.0/23) and the ASA is set for 192.168.0.0/24 and 192.168.1.0/24, the tunnel will come up and work for a couple hours before dropping and not coming back. Having them exactly the same on both ends fixed everything.
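An added example, not part of any post in this thread: a Python check for the mismatch the last two replies describe, where both ends cover the same address space but define it with different prefixes. It assumes the encryption-domain subnets from each side have been copied by hand into IPv4 CIDR lists; the function name and the 10.10.0.0/16 entry are constructed for illustration.

```python
import ipaddress

def _parse(cidrs):
    # strict=True rejects entries with host bits set (e.g. 192.168.0.1/23),
    # which would already be a definition error on one side.
    return {ipaddress.ip_network(c, strict=True) for c in cidrs}

def compare_domains(asa_cidrs, checkpoint_cidrs):
    """Compare two encryption-domain definitions prefix by prefix (IPv4 only)."""
    asa, cp = _parse(asa_cidrs), _parse(checkpoint_cidrs)
    report = {"exact": sorted(map(str, asa & cp)), "mismatch": [], "unmatched": []}
    for side, mine, theirs in (("asa", asa - cp, cp), ("checkpoint", cp - asa, asa)):
        for net in sorted(mine):
            overlapping = sorted(str(o) for o in theirs if o.overlaps(net))
            if overlapping:
                # Same addresses, different prefix definition on the other end.
                report["mismatch"].append((side, str(net), overlapping))
            else:
                # No counterpart at all on the other end.
                report["unmatched"].append((side, str(net)))
    # True when both sides cover identical address space after summarization.
    # This is the deceptive case: routing looks equivalent, definitions are not.
    report["same_address_space"] = (
        list(ipaddress.collapse_addresses(asa))
        == list(ipaddress.collapse_addresses(cp))
    )
    report["definitions_match"] = asa == cp
    return report

# Constructed sample input: the /23 versus two /24s case from the thread,
# plus one subnet that is defined identically on both ends.
ASA_DOMAIN = ["192.168.0.0/24", "192.168.1.0/24", "10.10.0.0/16"]
CHECKPOINT_DOMAIN = ["192.168.0.0/23", "10.10.0.0/16"]

if __name__ == "__main__":
    result = compare_domains(ASA_DOMAIN, CHECKPOINT_DOMAIN)
    for side, net, others in result["mismatch"]:
        print(f"{side}: {net} is defined on the other end as {', '.join(others)}")
    print("same address space:", result["same_address_space"])
    print("definitions match exactly:", result["definitions_match"])
```

A result with `same_address_space` true and `definitions_match` false is the situation to fix before bringing the tunnel up.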
