Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

vpn client through a checkpoint firewall.

I have a client residing behind a checkpoint NG firewall that is experiencing issues. I am connecting to a 3000 concentrator and getting an assigned ip address just fine. Unfortunatly any attempts to connect to devices through the tunnel don't work after I have been connected.

The firewall is allowing:



udp IKE



udp port 10000

udp port 4500

The client is on a private address and being hide nat'd by the checkpoint firewall.

I can't even ping the internal interface of the concentrator.

Does anybody have any ideas?


Re: vpn client through a checkpoint firewall.

Verify that the PIX has a route to the internal networks trying to be accessed.

Verify that the pool of VPN addresses does not overlap with any other internal network, including that of the PIX itself.

Verify that there is a nat 0 access list on the PIX which includes the internal network trying to be reached and the VPN address pool network.

The nat [if_name] 0 access-list acl_name command lets you exempt traffic that is matched by the access-list command statements from the NAT services. The extent to which the inside hosts are accessible from the outside depends on the access-list command statements that permit inbound access.

Verify that the default gateway of the inside hosts is pointing to the inside interface of the firewall if they are a part of directly connected networks of the firewalls.

Note: The first two points are also applicable to Cisco routers and VPN 3000 Concentrators with VPN tunnels

New Member

Re: vpn client through a checkpoint firewall.

Do you have IPSec through NAT selected on the concentrator (NAT Transparent).

Assuming ICMP is opened on CP?

New Member

Re: vpn client through a checkpoint firewall.

scratch last comment, this was an issue with Cisco IPsec on router only. Not sure impact on CP.

Re-iteration of post prior to mine....check routes.


New Member

Re: vpn client through a checkpoint firewall.

I have ipsec over UDP port enabled, Interesting that the article points to Configuration > User Management > Groups.| Ipsec Tab I find in actually it under the client config tab. I tried the Global Nat-t over tcp but I can't seem to get connected using that. I'll have to play with it a bit more to see if I can get it to work.

The routes on the concentrator seem to be fine as if I connect without passing through the checkpoint firewall (ie behind a linksys nat device or directly connected) I can hit the the networks just fine. The ip scheme may be an issue but I have tried a few variations to try and eliminate that as an issue. Currently it is setup as follows

Client computer

Private interface of vpn concentrator

static ip address assigned to client by concentrator

The static ip is in the same subnet as the vpn device but I haven't had a problem with it before.

What kind of icmp traffic would I need to allow on the firewall? I do see some drops in the logs particularly a icmp TTL count exceeded/address spoofing message. I turned off spoofing protection to test if the checkpoint firewall was mucking it up but no change.

CreatePlease to create content