Cisco and Checkpoint - no proposal chosen

Hi,

We had a working IPsec VPN between an IOS router and a Checkpoint FW. Now, after adding host entries to the ACL, we got "no proposal chosen".

My question:

=> Can we use more than one entry in an ACL attached to a crypto map? <=

Like this for example:

access-list 125 permit ip 172.17.17.160 0.0.0.31 4.72.0.0 0.0.255.255
access-list 125 permit ip 172.17.18.0 0.0.0.31 4.72.0.0 0.0.255.255
access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.14.6.243
access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.50.50.4
access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.26.13.5
...

Greetings Richi

1 ACCEPTED SOLUTION

Re: Cisco and Checkpoint - no proposal chosen

Hi Richi,

Yes, you can use more than one entry in that ACL, but the ACL should be symmetric on the other side of the VPN.

So, for example,

access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.26.13.5

should be on the other side:

access-list 125 permit ip host 4.26.13.5 172.17.18.0 0.0.0.31

Have you checked that you have the symmetric access lists?

Hope it helps,

Paulo
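An added example (not from this thread, and not Cisco or Check Point code) of the symmetry check Paulo describes: it parses a crypto-map ACL, renders the mirror-image entries the peer needs, and reports proxy-ID pairs a peer's ACL is missing. The two ACL texts at the bottom are constructed from entries in this thread; all function and variable names are my own.

```python
import ipaddress
import re
# Numbered ACE ("access-list 125 permit ip ...") or named-ACL line ("permit ip ...");
# each address is "host A.B.C.D", "any", or "A.B.C.D WILDCARD" (inverted mask).
_ACE = re.compile(r"^\s*(?:access-list\s+\d+\s+)?permit\s+ip\s+(.+?)\s*$", re.I)

def _wildcard_to_prefix(wildcard):
    """Convert a Cisco wildcard mask to a prefix length (ValueError if non-contiguous)."""
    netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"0.0.0.0/{netmask}").prefixlen

def _take_addr(tokens):
    kind = tokens[0].lower()
    if kind == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if kind == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    # default strict=True raises if host bits are set, a common typo in crypto ACLs
    return ipaddress.ip_network(f"{tokens[0]}/{_wildcard_to_prefix(tokens[1])}"), tokens[2:]

def parse_crypto_acl(text):
    """Return the set of (src, dst) proxy-ID pairs from the ACL's permit lines."""
    pairs = set()
    for line in text.splitlines():
        m = _ACE.match(line)
        if m:  # remarks, deny lines and blanks are skipped
            src, rest = _take_addr(m.group(1).split())
            dst, _ = _take_addr(rest)
            pairs.add((src, dst))
    return pairs

def _cisco_addr(net):
    return ("any" if net.prefixlen == 0 else f"host {net.network_address}"
            if net.prefixlen == 32 else f"{net.network_address} {net.hostmask}")

def mirror_acl(text, number=125):
    """Render the mirror-image ACL the peer needs, in Cisco syntax (sorted by src, dst)."""
    return [f"access-list {number} permit ip {_cisco_addr(d)} {_cisco_addr(s)}"
            for s, d in sorted(parse_crypto_acl(text))]

def check_symmetry(local_acl, remote_acl):
    """Return (missing, extra): mirror pairs the peer lacks, and peer pairs we lack."""
    expected = {(d, s) for s, d in parse_crypto_acl(local_acl)}
    remote = parse_crypto_acl(remote_acl)
    return (sorted(f"{s} -> {d}" for s, d in expected - remote),
            sorted(f"{s} -> {d}" for s, d in remote - expected))
# Constructed sample: two of the thread's entries, and a peer that mirrors only the first.
LOCAL_ACL = """access-list 125 permit ip 172.17.17.160 0.0.0.31 4.72.0.0 0.0.255.255
access-list 125 permit ip 172.17.18.0 0.0.0.31 host 4.26.13.5"""
REMOTE_ACL = "access-list 125 permit ip 4.72.0.0 0.0.255.255 172.17.17.160 0.0.0.31"
```

Any entry reported as missing is a proxy ID the peer will reject at IKE phase 2, which is where "no proposal chosen" shows up.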

Re: Cisco and Checkpoint - no proposal chosen

We found a solution / workaround:

The order of the Cisco ACL was clear, but not from the Checkpoint side. So we built up the new encryption domains step by step.

=> After every entry (same network / host object, of course symmetric) we checked the IPsec tunnel.

Now all entries are done and the tunnel is still active.
