New Member

ASA to Checkpoint

Hi there, we have an ASA 5510 and have a VPN to a 3rd party who use a Checkpoint R62 Secure Platform with 4.1 Nokia IPSO and there are a few problems with the VPN establishment.

We know there are lifetime differences and have set them according to the 3rd party's specifications. We have had issues in the past with Checkpoint devices, but with this one we quite often see the tunnel come up and traffic pass from our network to theirs with a response back, but they cannot access our network.

Are there any Cisco documents about compatibility issues or similar? In terms of config changes we are pretty certain ours is fine, as the VPN eventually stabilises and they can send traffic too, so the lifetimes and all other authentication and encryption should be ok.

TIA!

4 REPLIES

Re: ASA to Checkpoint

Hi,

Have you checked this? http://www.cisco.com/warp/public/707/pix-checkpt.html

CheckPoint has the best logging of all the firewalls in the world. Have you asked the CheckPoint firewall admin to check their logs?

Regards,

Dandy

New Member

Re: ASA to Checkpoint

Thanks for the link Dandy. Our side of the config is basically the same, with obvious changes for being ASA. As far as their side goes, they are a financial house and are unwilling to offer any information to us. I will re-query them, but if anyone else has any useful information that would be cool.

New Member

Re: ASA to Checkpoint

Make sure the network definitions (i.e. subnet masks) for your encryption domain and that of the Check Point gateway match exactly. If they are not defined the same, Check Point will often fail phase 2 for outbound traffic, while inbound traffic at the CP gateway will work fine.

Cheers!

Ron

Bronze

Re: ASA to Checkpoint

Just wanted to reiterate this...key word here is *exactly*. We tried this last week and found out that if the Checkpoint is set to summarize some subnets (for example 192.168.0.0/23) and the ASA is set for 192.168.0.0/24 and 192.168.1.0/24, the tunnel will come up and work for a couple hours before dropping and not coming back. Having them exactly the same on both ends fixed everything.
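
The exact-match check described in the last two replies, as an added example that is not part of the original thread: it compares the networks each side has defined for the tunnel and separates a summarization difference (same addresses, different definitions) from genuinely different networks. The function names and the sample lists are assumptions; the sample subnets are the ones quoted in the reply above.

```python
import ipaddress

# Constructed sample input: the definitions quoted in the reply above.
# ASA-style dotted masks and CIDR prefixes are both accepted.
ASA_SIDE = ["192.168.0.0/255.255.255.0", "192.168.1.0/255.255.255.0"]
CHECKPOINT_SIDE = ["192.168.0.0/23"]


def parse(definitions):
    """Turn network strings into ip_network objects.

    strict=True raises ValueError when host bits are set
    (e.g. 192.168.0.1/24), which is itself a definition error.
    """
    return {ipaddress.ip_network(d, strict=True) for d in definitions}


def compare_encryption_domains(side_a, side_b):
    """Compare two encryption-domain definitions entry by entry."""
    a, b = parse(side_a), parse(side_b)
    # Collapsing merges adjacent or overlapping networks, so two sides that
    # cover the same addresses collapse to the same list even when one side
    # summarizes and the other does not.
    covered_a = list(ipaddress.collapse_addresses(a))
    covered_b = list(ipaddress.collapse_addresses(b))
    return {
        "exact_match": a == b,
        "same_addresses": covered_a == covered_b,
        "only_a": [str(n) for n in sorted(a - b)],
        "only_b": [str(n) for n in sorted(b - a)],
    }


def verdict(side_a, side_b):
    """Classify the comparison result as one of three labels."""
    result = compare_encryption_domains(side_a, side_b)
    if result["exact_match"]:
        return "match"
    if result["same_addresses"]:
        return "summarization mismatch"
    return "different networks"


if __name__ == "__main__":
    print(verdict(ASA_SIDE, CHECKPOINT_SIDE))
    print(compare_encryption_domains(ASA_SIDE, CHECKPOINT_SIDE))
```
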
