I am not really familiar with networking, so I may not have the correct terms here. I am trying to set up a VPN between 2 Checkpoint routers but can't make it work through a Cisco 2620. Location one has just a Checkpoint connected to the internet. Location 2 has a Checkpoint behind a Cisco 2620 connected to the internet. We opened all the ports we thought we needed on the Cisco but can't make it work. Something keeps getting blocked and the VPN never connects. Can I make this work with the Cisco, or am I out of luck?
My understanding of your setup is:
If yes, first make sure you have reachability from FW1 to FW2. If there is, create a site-to-site VPN connection on both firewalls and watch SmartView Tracker to see why the tunnel is failing to establish.
Close, it's like this with only one Cisco.
These are Checkpoint Safe@Office appliances, so they don't have advanced logging capabilities. The Checkpoint behind the Cisco can get out to the internet. When trying to establish a VPN from Safe@Office to Safe@Office it fails. We took the Safe@Office that's behind the Cisco and hooked it up directly to another internet connection, and the VPN works. But when hooked up behind the Cisco, it fails.
I have not gotten the config file yet but am told the OS version is 12.2(7b). Is there any limitation on this version for accomplishing what I need? The router is a little older.
Ok here it is.
Current configuration : 3213 bytes
! Last configuration change at 14:07:43 edt Fri Apr 6 2007 by NAVY
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
logging buffered 4096 debugging
aaa authentication login default local-case
aaa authentication enable default enable
aaa authentication ppp default local-case
aaa authorization exec default local
aaa authorization network default local
clock timezone est -5
clock summer-time edt recurring
ip name-server 126.96.36.199
ip name-server 188.8.131.52
ip address 172.16.0.1 255.255.0.0
ip nat inside
no cdp enable
description APK T1
ip address 184.108.40.206 255.255.255.252
ip nat outside
no ip mroute-cache
service-module t1 timeslots 1-24
no cdp enable
ip local pool default 172.16.0.240 172.16.0.249
ip nat inside source list 1 interface Serial0/0 overload
ip nat inside source static 172.16.0.3 220.127.116.11
ip nat inside source static 172.16.0.4 18.104.22.168
ip route 0.0.0.0 0.0.0.0 22.214.171.124
ip route 192.168.1.0 255.255.255.0 172.16.0.3
no ip http server
ip pim bidir-enable
ip access-list extended WAN_IN
permit tcp any host 126.96.36.199 eq telnet
permit tcp any host 188.8.131.52 eq smtp
permit tcp any host 184.108.40.206 eq pop3
permit tcp any host 220.127.116.11 eq ftp
permit tcp any host 18.104.22.168 eq ftp-data
permit tcp any host 22.214.171.124 eq www
permit tcp any host 126.96.36.199 eq 8080
permit esp any host 188.8.131.52
permit udp any host 184.108.40.206 eq 4500
permit udp any host 220.127.116.11 eq isakmp
permit tcp any host 18.104.22.168 eq www
permit tcp any host 22.214.171.124 eq 50
permit tcp any host 126.96.36.199 eq 51
permit gre any host 188.8.131.52
permit udp any host 184.108.40.206 eq 2746
permit tcp any host 220.127.116.11 eq 264
permit udp any host 18.104.22.168 eq 259
permit udp host 22.214.171.124 eq ntp any
permit tcp any host 126.96.36.199 gt 1024
permit udp any host 188.8.131.52 gt 1024
permit tcp any host 184.108.40.206 gt 1024 established
permit udp any host 220.127.116.11 gt 1024
permit tcp any 18.104.22.168 0.0.0.3 eq 1723
permit tcp any 22.214.171.124 0.0.0.7 eq 1701
permit tcp any 126.96.36.199 0.0.0.7 eq 1723
permit tcp any 188.8.131.52 0.0.0.7 eq 5631
permit tcp any 184.108.40.206 0.0.0.7 eq 5632
permit gre any 220.127.116.11 0.0.0.3
permit gre any 18.104.22.168 0.0.0.7
permit icmp any any
access-list 1 deny 172.16.0.4
access-list 1 deny 172.16.0.3
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 1 permit 192.168.1.0 0.0.0.255
no cdp run
snmp-server engineID local xxx
snmp-server community xxx
snmp-server community xxx
dial-peer cor custom
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
ntp clock-period 17180607
ntp server 22.214.171.124
Hi, thanks. The only thing I see in my Checkpoint VPN setup about NAT is a checkbox to "Bypass NAT". I have turned that option on and off with no success. I was reading about NAT transparency on Cisco's site and saw that it said passing IPsec VPN info isn't supported until version 12.2(13)T, and I have 12.2(7b). I have no idea if this is my issue, but maybe?
Hi Billfaith, you should make sure that the Checkpoint VPN is your VPN device, not the Cisco. Your Cisco 2610 router is just a connecting router with NAT in front of your VPN device. So if your VPN device supports NAT traversal, it can traverse your Cisco router (NAT device) and establish the IPsec session successfully. If it cannot support that, your network configuration will not work unless there is no NAT device between the two VPN devices.
My Checkpoint is my VPN device. I have a Safe@Office 500 and it says NAT traversal is supported and automatically used when needed. We have like 12 ports open on the 2620 but still no luck. I keep coming back to the UDP protocol 50 that's needed and talked about here, but nobody else seems to think that has anything to do with it.
First, enable NAT-T (NAT traversal) on both Safe@Office devices.
Second, remove all access lists and permit any on the Cisco router. Make sure you can access the internet from behind the Cisco router.
Third, connect your VPN session and test.
If it doesn't work, I have no idea so far.
Here is the show version output. I believe we had an allow-all statement pointing to our Checkpoint firewall. I will need to check. My helper disconnected the Checkpoint and is gone today, so I can't try the VPN connection.
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IS-M), Version 12.2(7b), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Tue 05-Mar-02 07:30 by pwade
Image text-base: 0x80008088, data-base: 0x81071B70
ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
clc uptime is 3 weeks, 5 days, 16 hours, 47 minutes
System returned to ROM by power-on
System restarted at 16:00:38 est Wed Mar 28 2007
System image file is "flash:c2600-is-mz.122-7b.bin"
cisco 2620 (MPC860) processor (revision 0x102) with 45056K/4096K bytes of memory
Processor board ID JAD042107TW (506410786)
M860 processor: part number 0, mask 49
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Please try to repeat the process after removing the ACL on the router. It should be as if the router is used only as a device for internet access, with no control on it.
With this you can isolate whether the problem is from the router or not.
Please correct me if I mentioned something wrong in considering the Checkpoints as the VPN endpoints.
In your router configuration pasted above, it shows that you only defined the access list but you are not applying it to any interface.
What I would suggest is to troubleshoot the issue in two steps:
1) Confirm your router is performing the NAT:
a) Remove the access list.
b) Ping the source and destination of the IPsec peer from both ends. If you are able to ping, that means the router is performing NAT without any problem.
c) If you are not able to ping the source and destination of the IPsec peer, then we need to check what exactly the router is doing when it gets the packet:
# debug ip nat
# Perform a ping between the endpoints and paste the output so that everyone can have a look at it and suggest what the next step would be.
2) Assuming the router performs NAT, then you should concentrate on your firewall.
I am not familiar with Checkpoint, but the IPsec terminology will be the same for all vendors.
a) First make sure you have the same ISAKMP policy for phase 1 negotiation on both ends.
b) Make sure you have the same transform set on both ends.
c) Most important: check that the crypto-protected address spaces on both endpoints are the same.
The protected address space must match on both VPN endpoints to establish the IPsec SA.
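The thread revolves around the WAN_IN list on the 2620: whether it admits what a site-to-site IPsec peer behind NAT needs (ESP, ISAKMP on UDP 500, NAT-T on UDP 4500, and Check Point's own UDP 2746 encapsulation) and whether it is applied at all. The script below is an added example, not code from the original posts or from Cisco or Check Point. It parses IOS-style extended ACL text and reports the pass-through entries it finds, flags entries where an IP protocol number (ESP is protocol 50, AH is protocol 51) has been written as a TCP or UDP port, and checks for an `ip access-group` line. The sample input is a constructed excerpt of the list posted above (addresses as they appear there); the "fixed" sample assumes the Check Point sits at the static-NAT address 220.127.116.11 and that the ACL belongs on Serial0/0, neither of which the thread confirms.

```python
"""Check an IOS extended ACL for IPsec / NAT-T pass-through entries.

Added example (not from the thread). Flags protocol numbers mistaken for
ports and reports whether the ACL is applied with `ip access-group`.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the IPsec-relevant lines of the WAN_IN list posted in
# the thread, with addresses copied as they appear there.
SAMPLE_CONFIG = """\
ip access-list extended WAN_IN
 permit tcp any host 126.96.36.199 eq telnet
 permit esp any host 188.8.131.52
 permit udp any host 184.108.40.206 eq 4500
 permit udp any host 220.127.116.11 eq isakmp
 permit tcp any host 22.214.171.124 eq 50
 permit tcp any host 126.96.36.199 eq 51
 permit udp any host 184.108.40.206 eq 2746
 permit tcp any host 220.127.116.11 eq 264
 permit udp any host 18.104.22.168 eq 259
 permit icmp any any
access-list 1 permit 172.16.0.0 0.0.255.255
"""

# Constructed "corrected" sample. Assumption: 220.127.116.11 is the static-NAT
# address of the Check Point and the list is meant for Serial0/0 inbound.
FIXED_CONFIG = """\
interface Serial0/0
 ip access-group WAN_IN in
ip access-list extended WAN_IN
 permit esp any host 220.127.116.11
 permit ahp any host 220.127.116.11
 permit udp any host 220.127.116.11 eq isakmp
 permit udp any host 220.127.116.11 eq 4500
 permit udp any host 220.127.116.11 eq 2746
 permit icmp any any
"""

# IOS port keywords that matter here; isakmp = 500, non500-isakmp = 4500.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}
# action, protocol, source/destination part, optional "eq <port>" at the end
ACE_RE = re.compile(r"^(permit|deny)\s+(\S+)\s+(.*?)(?:\s+eq\s+(\S+))?$")

# Entries a NAT-T capable peer needs; AH and UDP 2746 are reported but not required.
REQUIRED = (("esp", "esp (IP protocol 50)"),
            ("udp500", "udp 500 (isakmp)"),
            ("udp4500", "udp 4500 (NAT-T)"))


@dataclass
class IpsecAclReport:
    acl_name: str
    applied: bool = False
    esp: bool = False
    ah: bool = False
    udp500: bool = False
    udp4500: bool = False
    udp2746: bool = False          # Check Point UDP encapsulation
    misplaced_protocol_ports: list = field(default_factory=list)


def parse_port(token):
    """Return a numeric port for a digit string or known IOS keyword, else None."""
    if token is None:
        return None
    if token.isdigit():
        return int(token)
    return PORT_NAMES.get(token)


def check_ipsec_passthrough(config, acl_name="WAN_IN"):
    report = IpsecAclReport(acl_name=acl_name)
    in_acl = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        words = line.split()
        if in_acl and words[0] in ("permit", "deny", "remark"):
            m = ACE_RE.match(line)
            if not m or m.group(1) != "permit":
                continue                      # deny/remark entries add nothing
            proto, port = m.group(2), parse_port(m.group(4))
            if proto == "esp":
                report.esp = True
            elif proto == "ahp":
                report.ah = True
            elif proto == "udp" and port == 500:
                report.udp500 = True
            elif proto == "udp" and port == 4500:
                report.udp4500 = True
            elif proto == "udp" and port == 2746:
                report.udp2746 = True
            # "tcp ... eq 50" permits TCP port 50, not ESP; same for 51 and AH.
            if proto in ("tcp", "udp") and port in (50, 51):
                report.misplaced_protocol_ports.append(line)
            continue
        in_acl = False                        # any other line ends the ACL block
        if line.startswith("ip access-list extended "):
            in_acl = words[-1] == acl_name
        elif words[:2] == ["ip", "access-group"] and len(words) > 2 and words[2] == acl_name:
            report.applied = True
    return report


def missing_for_ipsec(report):
    return [label for attr, label in REQUIRED if not getattr(report, attr)]


def findings(report):
    out = [f"missing: {label}" for label in missing_for_ipsec(report)]
    out += [f"protocol number used as a port: {ace}" for ace in report.misplaced_protocol_ports]
    if not report.applied:
        out.append(f"ACL {report.acl_name} is defined but not applied with 'ip access-group'")
    return out


if __name__ == "__main__":
    for name, cfg in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, findings(check_ipsec_passthrough(cfg)) or ["no findings"])
```

Run against the posted list it reports the two `tcp ... eq 50` / `eq 51` entries and the fact that WAN_IN is never applied, which is the same observation made in the last reply: as posted, the list blocks nothing, so it cannot be what stops the tunnel. The corrected sample produces no findings.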