Cisco and Checkpoint - no proposal chosen

richi3161
Level 1

Hi,

we had a working IPsec VPN between an IOS router and a Checkpoint firewall. Now, after adding host entries to the ACL, we got "no proposal chosen".

My question:

=> Can we use more than one entry in an ACL attached to a crypto map? <=

Like this for example:

access-list 125 permit ip 172.17.17.160 0.0.0.31 4.72.0.0 0.0.255.255
access-list 125 permit ip 172.17.18.0 0.0.0.31 4.72.0.0 0.0.255.255
access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.14.6.243
access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.50.50.4
access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.26.13.5
...

Greetings Richi

Accepted Solution

pjhenriqs
Level 1

Hi Richi,

Yes you can use more than one entry in that ACL, but the ACL should be symmetric on the other side of the VPN.

So, for example,

access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.26.13.5

should be on the other side:

access-list 125 permit ip host 4.26.13.5 172.17.18.0 0.0.0.31

Have you checked that you have the symmetric access lists?

Hope it helps,

Paulo
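One way to do the symmetry check Paulo asks for, as an added example that is not from the thread or from Cisco or Checkpoint: it parses Cisco crypto-ACL lines, takes the peer's encryption domain written in the same notation, and lists every entry whose mirror image is missing on the other side. The local ACL is Richi's; the peer ACL is constructed and deliberately mirrors only part of it.

```python
import ipaddress
def _parse_addr(tokens, pos):
    # One address operand: "any", "host A.B.C.D" or "A.B.C.D wildcard" -> (CIDR, next index).
    if tokens[pos] == "any":
        return "0.0.0.0/0", pos + 1
    if tokens[pos] == "host":
        return tokens[pos + 1] + "/32", pos + 2
    # Invert the wildcard to a netmask ourselves so 0.0.0.0 reads as /32; non-contiguous ones raise.
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[pos + 1])))
    return str(ipaddress.IPv4Network((tokens[pos], str(netmask)), strict=False)), pos + 2

def parse_acl(text):
    # "access-list N permit <proto> <src> <dst>" -> (proto, src, dst); deny/remark lines skipped.
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "permit":
            continue
        src, pos = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, pos)
        entries.append((t[3], src, dst))
    return entries

def mirror(entry):
    # The entry the peer must carry: same protocol, source and destination swapped.
    return (entry[0], entry[2], entry[1])

def asymmetric_entries(local, peer):
    # Entries on either side whose mirror is absent on the other: proxy-ID mismatch candidates.
    local_set, peer_set = set(local), set(peer)
    return ([e for e in local if mirror(e) not in peer_set],
            [e for e in peer if mirror(e) not in local_set])

# Constructed sample: the router ACL from the thread, and a hypothetical peer domain in the same
# notation that only partly mirrors it (4.26.13.5 missing, the 4.50.50.4 mirror mistyped as /24).
LOCAL_ACL = """
access-list 125 permit ip 172.17.17.160 0.0.0.31 4.72.0.0 0.0.255.255
access-list 125 permit ip 172.17.18.0 0.0.0.31 4.72.0.0 0.0.255.255
access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.14.6.243
access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.50.50.4
access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.26.13.5
"""
PEER_ACL = """
access-list 125 permit ip 4.72.0.0 0.0.255.255 172.17.17.160 0.0.0.31
access-list 125 permit ip 4.72.0.0 0.0.255.255 172.17.18.0 0.0.0.31
access-list 125 permit ip host 4.14.6.243 172.17.18.0 0.0.0.31
access-list 125 permit ip host 4.50.50.4 172.17.18.0 0.0.0.255
"""
if __name__ == "__main__":
    print(asymmetric_entries(parse_acl(LOCAL_ACL), parse_acl(PEER_ACL)))
```

An empty pair of lists means every entry has its counterpart and the phase 2 selectors are not the cause; anything listed is where to look first.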


2 Replies

We found a solution / workaround:

The order of the Cisco ACL was clear, but not from the Checkpoint side. So we built up the new encryption domains step by step.

=> after every entry (same network / host object, of course symmetric) we checked the IPSec tunnel

Now all entries are done and the tunnel is still active.
