Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN Site-to-Site between Cisco PIX 501 and CheckPoint NG


I followed the instructions from a Cisco guide to connect a PIX 501 and a Checkpoint NG firewall. But I've got a problem :

The Checkpoint firewall manages 3 networks :

- x.x.x.x (Internal)

- y.y.y.y (Public but Firewalled)

- z.z.z.z (Public un-Firewalled)

When the tunnel is set, my remote site cas access the x.x.x.x network, but he also looses the y.y.y.y network, where my public mail server is.

My question is :

As I have the 6.3 OS on the PIX box, do I have to force my remote site to use a specific route to access y.y.y.y network ? Or is there some specific setting that can allow me to redirect Internet traffic through dedicated router ?

(Sorry for my English speaking, I'm french)

Thank you for your help


Re: VPN Site-to-Site between Cisco PIX 501 and CheckPoint NG

I work with both Cisco and Checkpoint but I am

afraid I am not following what you're asking

here. Please elaborate or post a diagram of

what you're trying to achieve.

CCIE Security

New Member

Re: VPN Site-to-Site between Cisco PIX 501 and CheckPoint NG

Thank you for your answer first ;-)

So to resume, the objective is to create a VPN tunnel between remote internal network ( to my internal network (

My problem is : When I set the VPN tunnel between theses two networks, my remote site cannot connect to the "Network 193 DMZ" and "Network 193 IN" anymore. Theses 2 networks contains several critical servers, like webmail or FTP. So it cannot be unavailable for the remote site.

As soon as I disable the VPN tunnel, the remote site is able to access again the two networks by Internet, as it used to be.

I suspect that either the Cisco PIX or Checkpoint NG sets that 193 IN and 193 DMZ networks should be accessed by using the VPN tunnel instead of a classical Internet access. Unfortunately, I tried to extend my Checkpoint Firewall rules to include access for remote internal network to the 193 DMZ and 193 IN, without success.

Is there a way to force access to theses two networks outside of the VPN tunnel ?

Thank you for your answer


Re: VPN Site-to-Site between Cisco PIX 501 and CheckPoint NG

Let me ask you a couple of questions here:

1- What IPSO version is running on the Nokia IP265? show me "uname -a" output

2- What is the checkpoint version running on the

Nokia IP265? show me "fw ver" output,

3- are you setting up VPN on the Nokia IP265

using "simplified" or "traditional" method?

In other words, are you using VPN community?

If the answer to item #3 is "yes", then

what you're experiencing is "normal" behavior.

In Checkpoint Simplified mode, the firewall's

External interface itself is also part of


SIMPLIFIED MODE. You must have PAT all of the when accessing servers 193.75.x.131-191 when from the Pix501 right?

Look in the SmartView Tracker and you will see

the message. Better yet, run tcpdump on the

Nokia and you will see the error immediately.

The workaround solution is to use traditional

mode. In traditional mode, the firewall

external ip address is NOT part of the VPN

and everything will work In other words,

setup the VPN the old way as checkpoint 4.1

and everything will work for you.

Let me know if you need additional help.

CCIE Security