New Member

Site to Site vpn configuring on ASA5510 and CHECK POINT.

Hi, Experts

I am trying to establish a site-to-site VPN tunnel between a Cisco ASA5510 and a Check Point.

When I configured all the configuration on the Check Point and the ASA5510, the tunnel is not established.

And at the ASA5510 it shows some error message. Please check the attached file for the configuration and sh commands.

Kindly help me in solving this issue.

Thanks a lot in advance.

3 REPLIES
Cisco Employee

Re: Site to Site vpn configuring on ASA5510 and CHECK POINT.

From the "show crypto isa sa" output, the status is MM_Active, which means phase 1 is UP.

Debug output doesn't really provide much information for phase 2. You might want to try to collect "debug crypto ipsec" output, and make sure that you can see the full debug output, and also grab the "show crypto ipsec sa" output.

From configuration, I notice a few things:

1) ACL 115, you do not need the second line "access-list 115 extended deny ip 192.168.11.0 255.255.255.0 any", please remove it.

2) The outside interface of the ASA is a private IP address; therefore, I assume that you are doing NATing in front of the ASA. Can you please confirm whether it is static 1:1 NAT? Phase 2 normally uses ESP (a protocol), and it is not a TCP or UDP port; therefore, if you are using PAT/dynamic NAT to translate the ASA outside interface IP address, it would fail.

3) If you can share the debug for phase 2 from Check Point side, maybe it will show us something.
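The reply above reads tunnel state from "show crypto isakmp sa" (MM_ACTIVE means phase 1 is up) and then asks for "show crypto ipsec sa" to judge phase 2. The following is an added helper, not part of this thread or of any Cisco tool, that parses both outputs and reports per peer whether phase 1 is up, whether a phase 2 SA exists, and whether traffic is flowing both ways. The sample outputs embedded below are constructed in the ASA output format (peer 203.0.113.10, ACL 115 and the addresses are placeholders, not the poster's attachment); an SA that encapsulates packets but never decapsulates any is the classic sign that ESP is not making it back, which is what a PAT'd outside interface or a mismatched encryption domain on the far side produces.

```python
import re

# Constructed sample in the ASA "show crypto isakmp sa" format (placeholder peer, not from the thread).
SAMPLE_ISAKMP = """\
Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

# Constructed sample in the ASA "show crypto ipsec sa" format: packets go out, nothing comes back.
SAMPLE_IPSEC = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 192.168.1.2

      access-list 115 extended permit ip 192.168.11.0 255.255.255.0 10.0.0.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
      current_peer: 203.0.113.10

      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# IKEv1 states in which phase 1 is complete (main mode / aggressive mode).
PHASE1_UP_STATES = {"MM_ACTIVE", "AM_ACTIVE"}


def parse_isakmp_sa(text):
    """Return {peer_ip: state} from 'show crypto isakmp sa' output."""
    peers = {}
    current = None
    for line in text.splitlines():
        m = re.search(r"IKE Peer:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.search(r"State\s*:\s*(\S+)", line)
        if m and current:
            peers[current] = m.group(1)
    return peers


def parse_ipsec_sa(text):
    """Return {peer_ip: {'encaps': n, 'decaps': n}} from 'show crypto ipsec sa' output."""
    peers = {}
    current = None
    for line in text.splitlines():
        m = re.search(r"current_peer:\s*(\S+)", line)
        if m:
            current = m.group(1)
            peers[current] = {"encaps": 0, "decaps": 0}
            continue
        m = re.search(r"#pkts (encaps|decaps):\s*(\d+)", line)
        if m and current:
            peers[current][m.group(1)] = int(m.group(2))
    return peers


def diagnose(isakmp_text, ipsec_text):
    """Per peer: phase 1 state, whether a phase 2 SA exists, and a one-word verdict on traffic flow."""
    ike = parse_isakmp_sa(isakmp_text)
    ipsec = parse_ipsec_sa(ipsec_text)
    report = {}
    for peer in set(ike) | set(ipsec):
        state = ike.get(peer, "NONE")
        phase1_up = state in PHASE1_UP_STATES
        sa = ipsec.get(peer)
        if not phase1_up:
            verdict = "phase1_down"          # fix IKE policy / pre-shared key / reachability first
        elif sa is None:
            verdict = "phase2_missing"       # phase 1 up but no IPsec SA: proposal or encryption-domain mismatch
        elif sa["encaps"] > 0 and sa["decaps"] == 0:
            verdict = "one_way_no_return"    # we send ESP, nothing comes back: check NAT (must be 1:1) and far-side domain
        elif sa["encaps"] == 0 and sa["decaps"] > 0:
            verdict = "one_way_no_send"      # far side sends, we never encrypt: check local ACL / routing
        elif sa["encaps"] == 0 and sa["decaps"] == 0:
            verdict = "phase2_idle"          # SA exists but no interesting traffic has hit it yet
        else:
            verdict = "healthy"
        report[peer] = {"phase1_state": state, "phase1_up": phase1_up,
                        "verdict": verdict, "counters": sa}
    return report


if __name__ == "__main__":
    for peer, info in diagnose(SAMPLE_ISAKMP, SAMPLE_IPSEC).items():
        print(peer, info["phase1_state"], info["verdict"], info["counters"])
```

On a real box, paste the two show outputs into the parser instead of the constructed samples; the verdict strings are just a starting point for which of the checks in the reply above to run next.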

New Member

Re: Site to Site vpn configuring on ASA5510 and CHECK POINT.

Hi,

Please check the file attached after removing the line "access-list 115 extended deny ip 192.168.11.0 255.255.255.0 any",

and the sh crypto isakmp o/p. But when I put debug crypto ipsec I find nothing, i.e. no debug messages.

The outside interface of the ASA is a private IP address; therefore, I am doing static NAT, i.e. 1:1, in front of the ASA.

Cisco Employee

Re: Site to Site vpn configuring on ASA5510 and CHECK POINT.

How do you session into the ASA firewall?

If you either telnet or SSH to it, you might want to turn on "logging monitor debugging" and "term mon". If you console to it, then turn on "logging console debugging" to see the output of the debug.
