New Member

vpn between checkpoint and pix

I need to configure a PIX to create a VPN tunnel to a Checkpoint firewall. I have configured the PIX, and when I ping from an inside host on the PIX to a host on the DMZ of the CP FW, I get MM_NO_STATE when I issue the cmd sh isakmp sa. The PIX appears to initiate the VPN tunnel. Any advice?

4 REPLIES
Anonymous
N/A

Re: vpn between checkpoint and pix

Need to turn on debug crypto ipsec/isakmp/engine.

Also try the PIX TSA at:

http://te.cisco.com/SRVS/CGI-BIN/WEBCGI.EXE?New,KB=PIX,dtree=stepbystep

New Member

Re: vpn between checkpoint and pix

I agree, we need these debugs:

debug crypto isakmp

debug crypto ipsec

Pay attention to lifetimes (IKE & SA)

Configure the Checkpoint to be in "Main mode" and not in "Aggressive mode"

Do not enter on the Cisco side "crypto isakmp keepalive xx"

And pay attention that the Checkpoint 'aggregates' hosts with subnets (like 255.255.255.254 to include 2 hosts)

The debug will be your best friend
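
The aggregation point in the reply above can be checked before bringing the tunnel up. The following is an added example, not part of the original thread: it models the aggregation as plain CIDR collapsing (an assumption) and compares the result with the destinations in the PIX crypto ACL. All addresses and the function names are constructed for illustration.

```python
import ipaddress

def aggregate(entries):
    """Collapse hosts/subnets into the smallest set of covering networks.
    Assumption: this models the peer's host-to-subnet aggregation."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return list(ipaddress.collapse_addresses(nets))

def compare_proxy_ids(peer_objects, pix_acl_dests):
    """Compare the aggregated peer networks with the PIX crypto ACL.

    Returns (matched, mismatched). Each mismatched item is a tuple of
    (aggregated network, PIX ACL entries that fall inside it)."""
    pix = {ipaddress.ip_network(d, strict=False) for d in pix_acl_dests}
    matched, mismatched = [], []
    for net in aggregate(peer_objects):
        if net in pix:
            matched.append(net)
        else:
            covered = sorted(p for p in pix if p.subnet_of(net))
            mismatched.append((net, covered))
    return matched, mismatched

def report(peer_objects, pix_acl_dests):
    """Build one readable line per aggregated network."""
    matched, mismatched = compare_proxy_ids(peer_objects, pix_acl_dests)
    lines = [f"OK       {n.network_address} {n.netmask}" for n in matched]
    for net, covered in mismatched:
        have = ", ".join(str(c) for c in covered) or "nothing"
        lines.append(f"MISMATCH peer side is {net.network_address} "
                     f"{net.netmask}; PIX ACL has {have}")
    return lines

if __name__ == "__main__":
    # Constructed sample: three hosts defined on the peer side,
    # and the same three hosts entered one by one in the PIX crypto ACL.
    peer_hosts = ["10.1.1.2", "10.1.1.3", "10.1.1.10"]
    pix_acl = ["10.1.1.2/255.255.255.255", "10.1.1.3/255.255.255.255",
               "10.1.1.10/255.255.255.255"]
    print("\n".join(report(peer_hosts, pix_acl)))
```

Hosts .2 and .3 collapse to 10.1.1.2 255.255.255.254, so two host lines in the PIX ACL no longer match what the other side uses, while .10 stays a host entry.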
