Question

How do I configure a Checkpoint to Cisco ASA VPN Tunnel?

Asked by: ouelletteg47

I am trying to create a tunnel between our company Checkpoint Firewall and a client's Cisco ASA 5510.

Current Situation:

Phase 1 settings are fine on both sides, matching.

Phase 2:

ASA:
  Remote peer: XX.XX.82.73
  Local public IP (outside): XX.XX.32.4

  Interesting traffic (proxy):
    Source: XX.XX.32.27
    Destination: XX.XX.82.75

Checkpoint:
According to our debug information, we are receiving from the remote site:
  Interesting traffic (proxy):
    Source: XX.XX.82.73
    Destination: XX.XX.32.4
The ASA is dropping it since it's not matching the traffic.

The private IP of the internal server on the Checkpoint side is 172.23.45.14 and it should be NATed to XX.XX.82.75. If this is correct, then XX.XX.82.75 should travel through the tunnel searching for XX.XX.32.27, with a peer of XX.XX.32.4 (where the tunnel will end).

My question is: how do I configure the tunnel on the Checkpoint side to match the ASA configuration so they can talk to each other? I am using a Nokia IP130 with SmartDashboard R55 to configure the Checkpoint firewall.

This question has been solved and the solution verified by the asker.


Asked on: 2008-06-10 at 07:38:43 (ID 23472486)
Topics: Checkpoint Firewall, Virtual Private Networking (VPN)
Participating experts: 3; Points: 500; Comments: 8


Answers

 

by: trhadmin, posted on 2008-06-10 at 08:20:44, ID: 21752100

I am not familiar with Checkpoint so I can't say how to configure it.

What is jumping out at me is that the ASA is dropping the traffic from .73 and you are wanting the interesting traffic to come from .75.

Without being able to tell you how to configure it, I would look at the Checkpoint conf section that deals with NATing the outbound traffic to the .32.XX network to make sure that it gets NATed to .75.

 

by: ouelletteg47, posted on 2008-06-10 at 10:09:17, ID: 21753012

Thanks for the comment. I am not entirely sure how to configure the address translation for the scenario I've outlined. I'll wait until I hear from someone experienced in Checkpoint.

 

by: mabutterfield, posted on 2008-06-11 at 07:33:44, ID: 21760437

Is your question about address translation, or bringing up the VPN?

In Checkpoint, check your VPN community settings to make sure that "disable NAT inside the VPN" is NOT checked, as that will override any translation rules you write. Then, it's as simple as setting up a rule in the address translation page. You'll need to create multiple objects (server-inside and server-outside); I assume this is a one-to-one NAT. Source = server inside, destination = VPN peer (as the Checkpoint sees it, which could be public or private, depending on whether the ASA is translating it), service = any. Translated source = server outside, destination = original, service = original.

The most common problem I find with interoperable VPNs and Checkpoint is that the VPN domain doesn't match. You need to set up the VPN domain (in the properties of the firewall enforcement point and the interoperable device) EXACTLY as it's set up in the Cisco ASA. This is what the Checkpoint uses to negotiate the tunnel, NOT the address in the source/destination of the VPN rule.

Let me know if you need more information, or a more specific answer.

 

by: ouelletteg47, posted on 2008-06-11 at 07:54:36, ID: 21760664

That makes sense. Would I create their peer as a network, or as a node? For my translations:

Original Packet                                 Translated
Source        Destination     Service           Source        Destination     Service
My inside     Their Peer?     Any               My Outside    Their inside?   Any

and the reverse for traffic coming back?

 

by: ouelletteg47, posted on 2008-06-11 at 08:20:39, ID: 21760977

I think I messed that up.
My inside -> their peer, any service, xlated to -> my outside -> their peer, any service

So would the rule for incoming be:

their peer -> my outside, any service, xlated to -> their peer -> my inside, any service?

 

by: mabutterfield, posted on 2008-06-12 at 07:19:05, ID: 21769717

Your outbound rule should be:

your inside src -> VPN Peer (dest IP may NOT be the same as the VPN Peer), any service, xlated to:
your outside src -> original dest, original dest

Your inbound rule would be:

their VPN Peer -> your outside dst, any service, xlated to:
original -> your inside dst, original service
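The two points made in this answer (the static NAT must apply inside the VPN community, and the Check Point negotiates Phase 2 from the VPN domains rather than from the rule base) can be modelled as a small proxy-ID check. The following is an added example written for this page, not code from the thread or from Check Point or Cisco. It assumes the masked public ranges XX.XX.82.x and XX.XX.32.x map to the RFC 5737 documentation ranges 198.51.100.x and 203.0.113.x, and it simplifies Check Point behaviour to "translate the source, then propose the local and peer VPN domains as the Phase 2 selector"; the ASA side is reduced to its crypto ACL, which accepts a proposal only when it is the exact mirror of that ACL.

```python
"""Phase 2 proxy-ID check between a Cisco ASA and a Check Point gateway (added example).

Assumed addresses (RFC 5737 documentation ranges standing in for the masked XX.XX.* values):
  198.51.100.73  Check Point outside      (XX.XX.82.73)
  198.51.100.75  server's public address  (XX.XX.82.75)
  203.0.113.4    ASA outside              (XX.XX.32.4)
  203.0.113.27   host behind the ASA      (XX.XX.32.27)
"""
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class ProxyId:
    """One Phase 2 traffic selector: protect traffic from src to dst."""
    src: Net
    dst: Net

    def mirrors(self, peer: "ProxyId") -> bool:
        """The ASA accepts a peer proposal only if it is the exact reverse of its own crypto ACL."""
        return self.src == peer.dst and self.dst == peer.src


@dataclass(frozen=True)
class StaticNat:
    """Check Point one-to-one translation rule: server-inside -> server-outside."""
    inside: IPv4
    outside: IPv4


@dataclass
class CheckPointVpn:
    vpn_domain: Net                # encryption domain of the Check Point enforcement point
    peer_vpn_domain: Net           # encryption domain entered on the interoperable device object
    nat_rules: list = field(default_factory=list)
    nat_inside_vpn: bool = True    # False models "Disable NAT inside the VPN community" being ticked

    def translate(self, src: IPv4) -> IPv4:
        """Apply static NAT before the packet is matched against the VPN domain (simplified model)."""
        if not self.nat_inside_vpn:
            return src
        for rule in self.nat_rules:
            if src == rule.inside:
                return rule.outside
        return src

    def proposal(self) -> ProxyId:
        """Check Point negotiates from the VPN domains, not from the rule base addresses."""
        return ProxyId(self.vpn_domain, self.peer_vpn_domain)


def diagnose(cp: CheckPointVpn, asa_selector: ProxyId, inside_src: IPv4, dst: IPv4) -> list:
    """Return a list of findings; an empty list means the packet is expected to cross the tunnel."""
    findings = []
    src = cp.translate(inside_src)
    if src not in cp.vpn_domain:
        findings.append(f"translated source {src} is outside the Check Point VPN domain {cp.vpn_domain}")
    if dst not in cp.peer_vpn_domain:
        findings.append(f"destination {dst} is outside the peer VPN domain {cp.peer_vpn_domain}")
    prop = cp.proposal()
    if not asa_selector.mirrors(prop):
        findings.append(f"ASA expects {asa_selector.dst} -> {asa_selector.src} but Check Point "
                        f"proposes {prop.src} -> {prop.dst}; the ASA drops the SA")
    return findings


# Constructed values for the thread's scenario (see module docstring for the mapping).
SERVER_INSIDE = IPv4("172.23.45.14")
SERVER_OUTSIDE = IPv4("198.51.100.75")
ASA_HOST = IPv4("203.0.113.27")
NAT_RULE = StaticNat(SERVER_INSIDE, SERVER_OUTSIDE)
# The ASA's crypto ACL: permit ip host 203.0.113.27 host 198.51.100.75
ASA_SELECTOR = ProxyId(Net("203.0.113.27/32"), Net("198.51.100.75/32"))


def as_posted() -> list:
    """VPN domains set to the gateway addresses: the debug output from the question."""
    cp = CheckPointVpn(Net("198.51.100.73/32"), Net("203.0.113.4/32"), [NAT_RULE])
    return diagnose(cp, ASA_SELECTOR, SERVER_INSIDE, ASA_HOST)


def as_fixed() -> list:
    """VPN domains mirror the ASA crypto ACL and NAT is allowed inside the community."""
    cp = CheckPointVpn(Net("198.51.100.75/32"), Net("203.0.113.27/32"), [NAT_RULE])
    return diagnose(cp, ASA_SELECTOR, SERVER_INSIDE, ASA_HOST)


def nat_disabled_inside_vpn() -> list:
    """Correct domains, but "Disable NAT inside the VPN community" ticked: the private address leaks."""
    cp = CheckPointVpn(Net("198.51.100.75/32"), Net("203.0.113.27/32"), [NAT_RULE], nat_inside_vpn=False)
    return diagnose(cp, ASA_SELECTOR, SERVER_INSIDE, ASA_HOST)


if __name__ == "__main__":
    for name, fn in (("as posted", as_posted), ("fixed", as_fixed), ("NAT disabled in VPN", nat_disabled_inside_vpn)):
        print(f"{name}: {fn() or ['ok']}")
```

Running the module prints three findings for the configuration as posted (both selectors wrong, so the ASA rejects the SA), none for the corrected one, and a single finding when NAT is disabled inside the community: the proposal then mirrors the ASA, but the packet leaves with its 172.23.45.14 source and never matches the VPN domain, which is the quieter failure this answer warns about.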

 

by: ouelletteg47, posted on 2008-06-12 at 07:26:20, ID: 31465754

Thank you very much for your assistance. The two sources are now "shaking hands" through the tunnel.

 

by: fcar807, posted on 2009-06-26 at 03:29:41, ID: 24719649

Hi there,

I have set up a working VPN between a Checkpoint FW and a Cisco ASA.

Here is what I did, but you need to change the IP addresses and encryption settings etc.!

Cisco ASA:
  external interface (outside): 1.2.3.4/255.255.255.252
  internal interface (inside): 10.20.40.1/255.255.255.0

Check Point NGX:
  external interface (eth0): 5.6.7.8/255.255.255.252
  internal interface (eth1): 10.40.20.1/255.255.255.0

On the Checkpoint side:
Check Point NGX setup

In Check Point, first you need to define a new Interoperable Device, which we'll call Cisco-ASA, and in the IP address field you'll enter the IP address of the external interface of the Cisco ASA, in this case 1.2.3.4.

Next, you edit the topology of the device and enter:

  eth0: 1.2.3.4, netmask 255.255.255.255; topology: Leads to internet
  eth1: 10.20.40.1, netmask 255.255.255.0; topology: Internal, Network defined by IP address and netmask

Next, you need to create a new VPN community, type Star, with the following settings:

  Center gateways: the object representing the Check Point enforcement point
  Satellite gateways: the object representing the Cisco ASA device
  VPN Properties:
    IKE (Phase 1) Properties
      Perform key exchange encryption with: AES-256
      Perform data integrity with: SHA-1
    IPSec (Phase 2) Properties
      Perform IPSec data encryption with: AES-128
      Perform data integrity with: SHA-1
  Tunnel properties:
    VPN Tunnel sharing: One VPN tunnel per subnet pair
  Advanced settings
    Shared Secret
      Use only Shared Secret for all external members
    Advanced VPN Properties:
      IKE (Phase 1):
        Use Diffie-Hellman Group: Group 2
      NAT: Disable NAT inside VPN community

You need to create rules in the Checkpoint FW too.

Mine were:

   Source            Dest              VPN
1. net-cisco-asa     Net-Checkpoint    select the VPN you just configured above
2. Net-Checkpoint    net-cisco-asa     select the VPN you just configured above

Verify and install the policy, then try to connect from the Checkpoint side, then the Cisco side.

Thanks
Frank
