Cisco Pix to Checkpoint NG vpn

cpalayoor · ‎05-15-2003

I am attempting to build a vpn tunnel between a Pix (6.2) and Checkpoint NG.

At the end of the configuration, I find that I am able to ping the internal network of the Checkpoint from the Pix inside but cannot ping the Pix inside from the Checkpoint inside.

I have been over my configuration many times and everything seems in order.

Any ideas..????

gfullage · ‎05-15-2003

You won't be able to do this in 6.2 code or earlier, this is working as expected. You can't ping a PIX interface address from another interface, that includes pinging the inside interface when you come in on a VPN from the outside interface.

They changed this in 6.3 so you could ping it, but you have to add the:

> management-access inside

command into your PIX. See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#1137951 for details.

cpalayoor · ‎05-16-2003

Hi....I guess my problem was misuderstood here. I will rephrase. I am attempting to ping the lan behind the Pix from the lan behind a Checkpoint NG firewall after configuring a vpn tunnel between the 2. At the end of the configuration I find that I can ping the lan behind the Checkpoint from the lan behind the Pix, but not vice versa. The traffic from the Checkpoint lan to the Pix lan is not being encrypted although the replies to the traffic orginating from the Pix lan are being encrypted. This is obviously some configuration issue on the Checkpoint end. I have created the network objects for the Pix and NG on the Checkpoint and have configured IKE properties to match the crypto and isakmp statements on the Pix, as well as put in rules to encypt traffic between the 2 lans.

ricey · ‎06-04-2003

Don't kmow if you have fixed this or not but I had exactly the same proble recently. It turned out to be the natting rules on the checkpoint box were not configured correctly. Entered rules to stop natting between effected networks and this fixed the problem. Hope this helps.