Site-to-site VPN configuration on ASA5510 and Check Point.

May 1st, 2010

I am trying to establish a site-to-site VPN tunnel between a Cisco ASA5510 and a Check Point.

When I configured everything on the Check Point and the ASA5510, the tunnel is not established.

At the ASA5510 it shows some error message; please check the attached file for the configuration and sh command output.

Kindly help me in solving this issue.

Thanks a lot in advance.

Jennifer Halim (Cisco Employee) Sat, 05/01/2010 - 18:20

From the "show crypto isa sa" output, the status is MM_Active, which means phase 1 is up.

The debug output doesn't really provide much information for phase 2. You might want to try to collect "debug crypto ipsec" output, make sure that you can see the full debug output, and also grab the "show crypto ipsec sa" output.

From the configuration, I notice a few things:

1) ACL 115: you do not need the second line "access-list 115 extended deny ip any"; please remove it.

2) The outside interface of the ASA has a private IP address, therefore I assume that you are doing NATing in front of the ASA. Can you please confirm whether it is static 1:1 NAT? Phase 2 normally uses ESP (an IP protocol), which is not a TCP or UDP port; therefore, if you are using PAT/dynamic NAT to translate the ASA outside interface IP address, it would fail.

3) If you can share the debug for phase 2 from the Check Point side, maybe it will show us something.
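The triage steps in this reply (phase 1 state from "show crypto isakmp sa", encaps/decaps counters from "show crypto ipsec sa", and a deny line inside the crypto map ACL) can be scripted over saved show output. The example below is added here and is not code from the thread or from Cisco; the sample outputs are constructed in the assumed ASA format, and the ACL number 115 and peer address are placeholders.

```python
import re

# Constructed sample outputs, written in the assumed shape of ASA "show" commands.
ISAKMP_SA = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 203.0.113.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""
IPSEC_SA = """\
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
ASA_CONFIG = """\
access-list 115 extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list 115 extended deny ip any any
crypto map outside_map 10 match address 115
"""

def isakmp_state(text):
    # Phase 1 state string, e.g. MM_ACTIVE when main mode completed.
    m = re.search(r"State\s*:\s*(\S+)", text)
    return m.group(1) if m else None

def ipsec_counters(text):
    # (encaps, decaps): packets we encrypted vs. packets we decrypted.
    enc = re.search(r"#pkts encaps:\s*(\d+)", text)
    dec = re.search(r"#pkts decaps:\s*(\d+)", text)
    return (int(enc.group(1)) if enc else 0, int(dec.group(1)) if dec else 0)

def crypto_acl_denies(config, acl_id):
    # Deny entries in the crypto map ACL keep that traffic out of the tunnel.
    pat = re.compile(rf"^access-list {re.escape(acl_id)} extended deny\b")
    return [ln.strip() for ln in config.splitlines() if pat.match(ln.strip())]

def triage(isakmp, ipsec, config, acl_id):
    findings = []
    state = isakmp_state(isakmp)
    findings.append("phase1_up" if state == "MM_ACTIVE" else f"phase1_not_established:{state}")
    enc, dec = ipsec_counters(ipsec)
    if enc == 0 and dec == 0:
        findings.append("phase2_no_traffic")   # no IPsec SA passing packets: debug phase 2
    elif enc > 0 and dec == 0:
        findings.append("phase2_one_way")      # we encrypt but nothing returns: check NAT handling of ESP
    findings += [f"crypto_acl_deny:{ln}" for ln in crypto_acl_denies(config, acl_id)]
    return findings
```

Running triage(ISAKMP_SA, IPSEC_SA, ASA_CONFIG, "115") on the constructed sample reports phase 1 up, no phase 2 traffic, and the stray deny line in ACL 115.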

meet_mkhan Sun, 05/02/2010 - 04:39

Please check the file attached after removing the line "access-list 115 extended deny ip any",

and the sh crypto isakmp o/p. But when I put debug crypto ipsec I find nothing, i.e. no debug messages.

The outside interface of the ASA has a private IP address; therefore I am doing static NAT, i.e. 1:1, in front of the ASA.

Jennifer Halim (Cisco Employee) Sun, 05/02/2010 - 04:48

How do you session into the ASA firewall?

If you either telnet or SSH to it, you might want to turn on "logging monitor debugging" and "term mon". If you console to it, then turn on "logging console debugging" to see the output of the debug.
