I've got the following setup. A couple of remote PIX FWs connected via VPN to a Cisco router sitting behind a Checkpoint FW at the head site. The VPN tunnel (IPsec L2L) itself is always up and running, no issues there. The problem appears when we burn the Checkpoint firewall rulebase, which can take 5-10 mins. This somehow always disconnects the VPN connection. (The only way to bring it back up is to jump to the remote PIX to initiate interesting traffic.) Now this only happens on PIX 7.x FWs. Remote FWs running 6.3(x) don't have this issue. I've checked all IKE/IPsec SA timeouts etc. and everything is exactly the same on the PIX and the Cisco router. I've played around with the isakmp keepalive threshold timeouts etc., even disabled it, but I'm still having the same problem. Has anyone come across this before, or does anyone know a workaround/fix?
This document describes how to configure LAN-to-LAN sessions between PIX Security Appliances, and also allows for a VPN Client to access the spoke network (PIX3) through the hub (PIX1). In addition, this document demonstrates the configuration for a static LAN-to-LAN tunnel with VPN Client to spoke connectivity through the hub PIX Security Appliance. PIX version 7.0 improves support for spoke-to-spoke VPN communications. PIX 7.0 provides the ability for encrypted traffic to enter and leave the same interface.