Hey folks, I've got a new Cisco 3000 series VPN concentrator installed in one of my DMZs. The Private interface is in one of my DMZs. The Public interface is outside my firewall and directly connected to my ISP. I can ping this concentrator's Private interface from anywhere in the DMZ. I can also web to it just fine from anywhere on the DMZ network.
When I have a client outside my network connect via the VPN client I can ping all the way to the DMZ's gateway.
I cannot however pass the DMZ's gateway which is an interface on a Checkpoint firewall.
I have a test rule in the Checkpoint that will let any and all traffic through from the IP Pool that the concentrator is doling out. The firewall itself can ping the VPN client's doled out address just fine.
My internal private network is sending the traffic to the DMZ network back and forth just fine. This was an existing network and there are devices working just fine in it.
Surely, I am missing something simple. Has anyone else connected a 3000 series concentrator to a Checkpoint FW and gotten traffic to flow through it? My test rule allows any and all traffic.
Re: Question about a new VPN concentrator install.
Hi, my only guess is NAT on the Checkpoint. Make sure traffic from/to the VPN IP pool is allowed and NOT NATed on the Checkpoint firewall, and of course make sure the Checkpoint and whatever is branched out of its interfaces know the way back to the IP pool.
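To make the two checks in that reply concrete, here is an added Python model (not from the thread and not from either vendor) that walks a VPN-pool packet through a simulated firewall: a longest-prefix route table plus a first-match NAT rulebase. The pool, the addresses and the hide-NAT rule are constructed assumptions; the three scenarios show a missing return route, pool traffic being NATed, and the corrected setup.

```python
import ipaddress

# Constructed sample topology (assumed addresses, not from the thread).
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")       # addresses the concentrator hands out
INTERNAL = ipaddress.ip_network("10.10.0.0/16")       # internal private network behind the firewall
CONC_PRIVATE = ipaddress.ip_address("192.168.50.20")  # concentrator Private interface in the DMZ
FW_PUBLIC = ipaddress.ip_address("203.0.113.10")      # hide-NAT address used in the weak case

def lookup_route(routes, dst):
    """Longest-prefix match over [(network, next_hop)]; returns next_hop or None."""
    best = None
    for net, next_hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def apply_nat(nat_rules, src, dst):
    """First-match NAT rulebase [(src_net, dst_net, translated_src)]; None = exemption."""
    for src_net, dst_net, translated in nat_rules:
        if src in src_net and dst in dst_net:
            return translated if translated is not None else src
    return src

def check_vpn_path(routes, nat_rules, client, server):
    """Walk a client->server packet through the firewall and its reply; return a list of problems."""
    problems = []
    seen_src = apply_nat(nat_rules, client, server)
    if seen_src != client:
        problems.append(f"pool address {client} is translated to {seen_src}; exempt the pool from NAT")
    if lookup_route(routes, server) is None:
        problems.append(f"no route to {server}")
    reply_hop = lookup_route(routes, client)
    if reply_hop is None:
        problems.append(f"no route back to pool address {client}")
    elif reply_hop != CONC_PRIVATE:
        problems.append(f"reply to {client} goes to {reply_hop}, not the concentrator {CONC_PRIVATE}")
    return problems

CLIENT = ipaddress.ip_address("10.99.0.7")   # constructed VPN client pool address
SERVER = ipaddress.ip_address("10.10.4.25")  # constructed internal host
BASE_ROUTES = [(INTERNAL, ipaddress.ip_address("10.10.0.1"))]              # no route back to the pool
HIDE_NAT = [(VPN_POOL, ipaddress.ip_network("0.0.0.0/0"), FW_PUBLIC)]      # weak: pool hidden behind firewall
EXEMPT_THEN_HIDE = [(VPN_POOL, INTERNAL, None)] + HIDE_NAT                 # corrected: exemption rule first

def scenarios():
    return {
        "no_return_route": check_vpn_path(BASE_ROUTES, EXEMPT_THEN_HIDE, CLIENT, SERVER),
        "pool_natted": check_vpn_path(BASE_ROUTES + [(VPN_POOL, CONC_PRIVATE)], HIDE_NAT, CLIENT, SERVER),
        "fixed": check_vpn_path(BASE_ROUTES + [(VPN_POOL, CONC_PRIVATE)], EXEMPT_THEN_HIDE, CLIENT, SERVER),
    }
```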