04-17-2008 06:44 PM
I work with another company with whom we've established a site-to-site VPN. They are moving to a new office. They've acquired new equipment so that we now have tunnels connecting to both locations from my site. At the new site, some of the addresses on my side are inaccessible to them. Connectivity in every other way is just fine. I use the same network object-group for my addresses for both tunnels. No IP addresses overlap.
I'm running PIX 6.3(5). Their old office uses a PIX (version unknown) and their new office uses a brand new Checkpoint NGX R65 module. Has anyone run into this before?
04-17-2008 07:04 PM
"Has anyone run into this before?"
Yes, many times in my career. I am very surprised to find how little the Cisco folks in this forum know about the Checkpoint Firewall/VPN product.

What you experience is very common for a VPN between Cisco and Checkpoint. Checkpoint is famous for supernetting the networks behind the Checkpoint firewalls. There are several workarounds:

1- Make the network on the PIX match the network on the Checkpoint side. For example, if the Checkpoint has two /24 nets, combine them into a /23 and do the same thing on the PIX side.
2- Modify the $FWDIR/lib/user.def file, in addition to changing IKE_largest_possible_subnet from "true" to "false".
3- Change the VPN community from per subnet, which is the default, to "per host".

Since this is NGX R65, method #3 is the easiest workaround.

Good luck to you!!!
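The reply above describes a phase 2 selector (proxy ID) mismatch: the PIX side offers one selector per object-group entry while the Checkpoint side summarises its domain into the largest possible subnet. The following Python is an added illustration, not code from the thread or from either vendor; it models that behaviour in a deliberately simplified way (assumption: exact-match comparison of the selector sets, which is the failure mode the reply attributes to the default Checkpoint setting) and checks whether workaround #1, collapsing the PIX object-group into a single prefix, would reproduce the Checkpoint supernet without pulling in address space that was never in the group. The sample networks are constructed for the example.

```python
"""Model the Cisco/Checkpoint supernetting mismatch and test workaround #1.

Added example, not from the thread. The 'covering supernet' rule below is an
assumption standing in for Checkpoint's IKE_largest_possible_subnet behaviour
as described in the reply; it is not taken from Checkpoint documentation.
"""
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network


def to_nets(prefixes: List[str]) -> List[Net]:
    """Parse dotted prefixes; strict=False tolerates host bits in the input."""
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def covering_supernet(prefixes: List[str]) -> Net:
    """Smallest single prefix that contains every network in `prefixes`.

    Models the summarised selector the reply says Checkpoint offers by default.
    """
    nets = to_nets(prefixes)
    prefix = min(n.prefixlen for n in nets)
    while True:  # terminates at /0 at the latest, which contains everything
        cand = nets[0].supernet(new_prefix=prefix)
        if all(n.subnet_of(cand) for n in nets):
            return cand
        prefix -= 1


def selector_mismatch(pix_group: List[str], cp_domain: List[str]) -> Tuple[List[str], List[str]]:
    """Selectors each side offers that have no exact counterpart on the other.

    pix_group: entries of the PIX network object-group (one selector each).
    cp_domain: the same address space as configured on the Checkpoint, which
               is assumed to be summarised into one covering supernet.
    Returns (pix_only, checkpoint_only); both empty means the sides agree.
    """
    pix = set(to_nets(pix_group))
    cp = {covering_supernet(cp_domain)}
    return ([str(n) for n in sorted(pix - cp)],
            [str(n) for n in sorted(cp - pix)])


def workaround_1(pix_group: List[str]) -> Tuple[List[str], bool]:
    """Combine the object-group into the fewest prefixes (workaround #1).

    Only adjacent, aligned networks collapse cleanly. Returns the combined
    list and whether it is exactly the covering supernet; if not, combining
    the ACL would require adding address space that was not in the group,
    so workaround #2 or #3 is the safer choice.
    """
    combined = list(ipaddress.collapse_addresses(to_nets(pix_group)))
    clean = combined == [covering_supernet(pix_group)]
    return [str(n) for n in combined], clean


if __name__ == "__main__":
    # Constructed sample: two adjacent /24s behind the PIX.
    adjacent = ["10.1.0.0/24", "10.1.1.0/24"]
    print("mismatch before:", selector_mismatch(adjacent, adjacent))
    print("workaround #1:", workaround_1(adjacent))
    # Constructed sample: non-adjacent /24s, where a /21 supernet would
    # cover 10.1.2.0-10.1.7.255 as well, so collapsing alone is not clean.
    gapped = ["10.1.0.0/24", "10.1.4.0/24"]
    print("workaround #1:", workaround_1(gapped))
```

Run it as-is to see the adjacent case resolve to a single 10.1.0.0/23 on both sides, while the gapped case reports that the PIX group cannot be combined into the Checkpoint supernet without widening it.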
04-18-2008 09:20 AM
Thanks for the quick reply. I spoke with the folks on the other side and sent them a little "ping" script to help document what was actually working. In both locations there are hosts that don't respond to them; however, at the new location the ratio of response/no response is about 50%. Perhaps for the few hosts that don't respond to both locations it is a local host configuration issue.