Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

VPN Partner Moving offices - PIX VPN Tunnel to both offices w/problems

I work with another company with whom we've established a site-to-site vpn. They are moving to a new office. They've acquired new equipment so that we now have tunnels connecting to both locations from my site. At the new site, some of the addresses on my side are unaccessible to them. Connectivity in every other way is just fine. I use the same network object-group for my addresses for both tunnels. No ip addresses overlap.

I'm running PIX 6.3(5). Their old office uses a PIX (version unknown) and their new office uses a brand new Checkpoint NGX R65 module. Has anyone run into this before?

2 REPLIES
Silver

Re: VPN Partner Moving offices - PIX VPN Tunnel to both offices

"Has anyone run into this before?"

Yes, many times in my career. I am very

suprised to find that how little about

Checkpoint Firewall/VPN product that Cisco

folks in this forum know.

What you experience is very common for VPN

between Cisco and Checkpoint. Checkpoint is

famous for suppernetting network behind the

checkpoint firewalls. There are several

workarounds:

1- make the network on the Pix matches with

the network on the checkpoint side. For

example, if checkpoint has two /24 nets,

combine it into a /23 and do the same thing

on the Pix side,

2- modify the $FWDIR/lib/user.def file, in

addition to the IKE_largest_possible_subnet

modification from "true" to "false"

3- change the vpn community from per subnet,

which is the default, to "per host",

Since this is NGx R65, method #3 is the

easiest workaround,

Good luck to you!!!

New Member

Re: VPN Partner Moving offices - PIX VPN Tunnel to both offices

Thanks for the quick reply. I spoke with the folks on the other side and sent them a little "ping" script to help document what was actually working. In both locations there are hosts that don't respond to them however, at the new location the ratio of response/no response is about 50%. Perhaps in the few hosts that don't respond to both locations it is a local host configuration issue.

106
Views
0
Helpful
2
Replies
CreatePlease to create content