RE: [fw-wiz] Checkpoint to Cisco - Hardware VPN works, software doesn't

From: Dean Davis (Dean.Davis_at_mbg-inc.com)
Date: 12/19/03

  • Next message: edp: "R: [fw-wiz] MTU issue routing traffic via Cisco GRE tunnel to Nokia/Check Point firewall"
    To: "'Northrup, Tyler'" <tnorthru@usd.edu>, firewall-wizards@honor.icsalabs.com
    Date: Fri, 19 Dec 2003 11:44:57 -0500
    
    

    Hi Tyler:

    Is the Checkpoint performing NAT on the software VPN's internal IP address?
    If so, does that translation equate to the IP address that your Concentrator
    has configured as a VPN Peer? Even though the servers and the software VPN
    client are on disparate subnets, they could all ultimately get translated by
    NAT as a common IP address.

    Perhaps NAT is the problem. If so, you'll need to publish the software VPN
    client as a different routable IP address to avoid the confusion. I had a
    similar situation.

    Thanks,
    Dean Davis, MCSE,MCDBA,CCNA,CNA,N+,Linux+
    Chief Instructor
    LinuxGenius, LLC.
    www.linuxcbt.net

    -----Original Message-----
    From: Northrup, Tyler [mailto:tnorthru@usd.edu]
    Sent: Friday, December 12, 2003 9:13 AM
    To: firewall-wizards@honor.icsalabs.com
    Subject: [fw-wiz] Checkpoint to Cisco - Hardware VPN works, software doesn't

    I have a Checkpoint NG FP3 at one site and a Cisco 3030 concentrator at the
    other. There is a hardware-based ipsec tunnel between the checkpoint and
    concentrator with network lists allowing 5 systems to communicate between
    the networks (see below). This tunnel works fine.

    Server1 - |
    Server2 - - - CHECKPOINT <> CONCENTRATOR - - - Server1
    Server3 - | | | - Server2
                            |
                            |
                            |
                    software vpn

    However, since configuring this tunnel, I have not been able to initiate
    software vpn connections from behind the checkpoint to the concentrator
    (worked previously). These connections originate on a separate network off
    the checkpoint to the cisco concentrator. It worked fine prior to
    implementation of the IPSEC tunnel. I know the traffic gets to the
    checkpoint, but it either does not leave, or it leaves via the tunnel (which
    it should not as these systems are not part of the network lists / rules)
    and gets dropped.

    I administer the concentrator, but do not directly support the Checkpoint.
    Any direction would be appreciated as I am working with the other
    administrator to solve the issue.

    Thanks,

    Tyler Northrup
    IT Security Officer
    The University of South Dakota
    605-677-5019
    _______________________________________________
    firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

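The two hypotheses in this thread (Dean's: the client is hide-NATed to the same address the concentrator already has as its site-to-site IKE peer; Tyler's: the client's packets get matched into the site-to-site tunnel) can both be checked mechanically before touching either box. The script below is an added illustration written for this archive page, not configuration or code from either poster or vendor. It models hide NAT as first-matching-rule many-to-one translation and tunnel selection as "source in the local network list and destination in the remote network list"; the addresses, subnets and rule names are constructed (RFC 5737 documentation ranges), and the "fixed" rule set shows Dean's suggestion of publishing the client subnet as a second routable address.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class HideNatRule:
    """Many-to-one ('hide') NAT: any host in `source` leaves the firewall as `translated_to`."""
    source: Net
    translated_to: IPv4


@dataclass(frozen=True)
class SiteToSiteTunnel:
    """Site-to-site IPsec tunnel as the firewall sees it (constructed model, not a vendor config)."""
    local_gateway: IPv4               # address the concentrator has configured as its IKE peer
    local_networks: Tuple[Net, ...]   # hosts the firewall encrypts for (the 'network list')
    remote_networks: Tuple[Net, ...]  # hosts behind the concentrator


def outside_address(src: IPv4, rules: List[HideNatRule]) -> IPv4:
    """Address the outside world sees for `src`; first matching rule wins, no match = no NAT."""
    for rule in rules:
        if src in rule.source:
            return rule.translated_to
    return src


def egress_path(src: IPv4, dst: IPv4, tunnel: SiteToSiteTunnel) -> str:
    """Simplified tunnel selection: only traffic matching both network lists is encrypted."""
    in_local = any(src in n for n in tunnel.local_networks)
    in_remote = any(dst in n for n in tunnel.remote_networks)
    return "site-to-site-tunnel" if in_local and in_remote else "clear"


def diagnose_client(client: IPv4, concentrator: IPv4, tunnel: SiteToSiteTunnel,
                    rules: List[HideNatRule]) -> Tuple[IPv4, List[str]]:
    """Flag the two failure modes discussed in the thread for one software VPN client."""
    findings = []
    seen_as = outside_address(client, rules)
    if seen_as == tunnel.local_gateway:
        # The concentrator already knows this address as a site-to-site peer, so a
        # client IKE negotiation arriving from it is matched against that peer instead.
        findings.append("client is hidden behind the IKE peer address")
    if egress_path(client, concentrator, tunnel) == "site-to-site-tunnel":
        findings.append("client traffic would be encrypted into the site-to-site tunnel")
    return seen_as, findings


# ---- constructed topology (documentation ranges; not the poster's real addresses) ----
CHECKPOINT_EXT = IPv4("203.0.113.1")      # Check Point external address == IKE peer
CONCENTRATOR = IPv4("198.51.100.1")       # Cisco concentrator public address
CLIENT_LAN = Net("10.1.2.0/24")           # separate subnet the software VPN clients sit on

TUNNEL = SiteToSiteTunnel(
    local_gateway=CHECKPOINT_EXT,
    # only a handful of servers are in the network lists, as in the original post
    local_networks=(Net("10.1.1.1/32"), Net("10.1.1.2/32"), Net("10.1.1.3/32")),
    remote_networks=(Net("10.2.1.0/24"),),
)

# Before: one hide rule covers the whole site, so clients share the peer address.
BROKEN_NAT = [HideNatRule(Net("10.1.0.0/16"), CHECKPOINT_EXT)]

# After: a more specific rule, listed first, publishes the client subnet as a second address.
FIXED_NAT = [HideNatRule(CLIENT_LAN, IPv4("203.0.113.2"))] + BROKEN_NAT


def compare() -> Tuple[List[str], List[str]]:
    """Findings for one client (hypothetical 10.1.2.50) before and after the NAT change."""
    client = IPv4("10.1.2.50")
    _, before = diagnose_client(client, CONCENTRATOR, TUNNEL, BROKEN_NAT)
    _, after = diagnose_client(client, CONCENTRATOR, TUNNEL, FIXED_NAT)
    return before, after


if __name__ == "__main__":
    before, after = compare()
    print("before:", before or "no findings")
    print("after: ", after or "no findings")
```

With the single site-wide hide rule the client is reported as hidden behind the IKE peer address; with the more specific client rule in front of it the client leaves as 203.0.113.2 and no finding remains, while the listed servers still reach the remote subnet through the tunnel. On a real deployment the same check amounts to comparing the firewall's NAT rule base against the peer address configured on the concentrator and the encryption domain against the client subnet.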
