Checkpoint VPN client from behind a PIX

lpizzinato
Level 1

Hi All.

We have a PIX natting our LAN to the Internet (1 public IP address only).

There's also a VPN lan-to-lan to a second site, and from our LAN we can use the Cisco VPN client to connect to several other remote sites.

The problem arises using the Checkpoint VPN client ("visitor" mode) to connect to a remote site protected by a Checkpoint fw. I installed it on a laptop, and if I dial in onto the Internet I do connect to that remote site without problems, but if I'm inside our LAN traffic gets stopped somewhere.

I suspect that the ISAKMP traffic gets "captured" by the lan-to-lan tunnel. Could it be the case?

Any hints?

Regs

3 Replies

vkapoor5
Level 5

It's not quite clear to me what you meant by "ISAKMP traffic gets "captured" by the lan-to-lan tunnel". Does this traffic traverse the PIX? If yes, check the PIX to see if your NAT commands allow this traffic to go from inside to outside.

chandruu
Level 1

As per the security standard for remote clients, split tunnel is disabled on the Checkpoint VPN gateway or VPN client. This might block your LAN traffic. Enabling split tunnel will help you to solve the problem.

mbiswas
Level 1

My understanding is that CheckPoint visitor mode uses TCP 443. Check if TCP 443 is allowed through your PIX. If you use a proxy server, set the proxy setting in Visitor mode.

CheckPoint VPN client has a good tool "srfwmon.exe". Try srfwmon to monitor traffic in and out of the client PC.