Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users
Course Of The Month
6 days, 8 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
PIX Checkpoint VPN Problem
Posted on 2006-11-23
hi all,
i am having a strange problem and i have tried doing googling but still not getting any strong answer to overcome the issue.
we have one partner in another country and we are trying to setup VPN Tunnel between us and this partner using PIX 515E and Checkpoint FW NXG on the other side.
configured the Crypto Map and ISAKMP and also with help from lrmoore did the natting and acl. the thing is like this.
Site 1.
crypto ipsec transform-set Partnet2 esp-3des esp-md5-hmac
crypto map transam 20 ipsec-isakmp
crypto map transam 20 match address Partnet2
crypto map transam 20 set peer 192.162.10.92
crypto map transam 20 set transform-set NI
crypto map transam 20 set security-association lifetime seconds 3600 kilobytes 4
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 192.168.10.92 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10 30
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
access-list Partner2 permit ip host 100.90.72.20 host 172.22.13.25
access-list Partner2 permit ip host 100.90.72.10 host 192.168.7.5
access-list Partner2 permit ip host 192.168.7.5 host 100.90.72.10
access-list Partner2 permit ip host 100.90.72.10 host 172.17.53.5
access-list Partner2_NAT permit ip host 172.20.4.205 host 172.16.7.5
access-list Partner2_NAT permit ip host 172.20.4.205 host 172.17.53.5
access-list Partner2_NAT1 permit ip host 172.20.4.205 host 172.22.13.25
global (outside) 20 100.90.72.10
global (outside) 30 100.90.72.20
nat (inside) 20 access-list NI_NAT 0 0
nat (inside) 30 access-list NI_NAT1 0 0
Site 2. Checkpoint FW NGX
Problem: when we initiate the connection the VPN Tunnel comes up and we can access there servers. but when they try to initiate the connection; i see on pix that it stops at phase 2 of IPsec.
Question:
for inbound do we need something extra in ACL or simple VPN access-list works for both inbound and outbound. any help would be great, i really need it up
i am having a strange problem and i have tried doing googling but still not getting any strong answer to overcome the issue.
we have one partner in another country and we are trying to setup VPN Tunnel between us and this partner using PIX 515E and Checkpoint FW NXG on the other side.
configured the Crypto Map and ISAKMP and also with help from lrmoore did the natting and acl. the thing is like this.
Site 1.
crypto ipsec transform-set Partnet2 esp-3des esp-md5-hmac
crypto map transam 20 ipsec-isakmp
crypto map transam 20 match address Partnet2
crypto map transam 20 set peer 192.162.10.92
crypto map transam 20 set transform-set NI
crypto map transam 20 set security-association lifetime seconds 3600 kilobytes 4
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 192.168.10.92 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10 30
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
access-list Partner2 permit ip host 100.90.72.20 host 172.22.13.25
access-list Partner2 permit ip host 100.90.72.10 host 192.168.7.5
access-list Partner2 permit ip host 192.168.7.5 host 100.90.72.10
access-list Partner2 permit ip host 100.90.72.10 host 172.17.53.5
access-list Partner2_NAT permit ip host 172.20.4.205 host 172.16.7.5
access-list Partner2_NAT permit ip host 172.20.4.205 host 172.17.53.5
access-list Partner2_NAT1 permit ip host 172.20.4.205 host 172.22.13.25
global (outside) 20 100.90.72.10
global (outside) 30 100.90.72.20
nat (inside) 20 access-list NI_NAT 0 0
nat (inside) 30 access-list NI_NAT1 0 0
Site 2. Checkpoint FW NGX
Problem: when we initiate the connection the VPN Tunnel comes up and we can access there servers. but when they try to initiate the connection; i see on pix that it stops at phase 2 of IPsec.
Question:
for inbound do we need something extra in ACL or simple VPN access-list works for both inbound and outbound. any help would be great, i really need it up
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
5 Comments
hi all,
please i need help here, below is what i see on my debug
IPSEC(validate_transform_p
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_bloc
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
please i need help here, below is what i see on my debug
IPSEC(validate_transform_p
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_bloc
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
hi there.....
one thing i am sure that this is something to do the the Checkpoint box, cuz we had exactly the same problem. There is one specific option they need to check for that......but i need to get a check on that. In the mean time you can ask them to look out for some trials... dnt do anything on pix...
one thing i am sure that this is something to do the the Checkpoint box, cuz we had exactly the same problem. There is one specific option they need to check for that......but i need to get a check on that. In the mean time you can ask them to look out for some trials... dnt do anything on pix...
This message means the networks defined at both ends don't match. Verify that the network objects that fall under encryption on the CheckPoint box match with whatever access list you've used for encryption on the PIX.
NGX - PIX VPN setup should pretty much follow the basics in this 4.1 - PIX VPN example:
http://www.cisco.com/warp/public/110/cp-p.html
NGX - PIX VPN setup should pretty much follow the basics in this 4.1 - PIX VPN example:
http://www.cisco.com/warp/public/110/cp-p.html
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a
glance.
You may as well want to read official Cisco published AS…
You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’
As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:
• Key questions to ask when considering a partnership to accelerate your business into the cloud
• Pitfalls and mistakes other partners…
Suggested Courses
Course of the Month6 days, 8 hours left to enroll
726 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.