How do I configure a Checkpoint to Cisco ASA VPN Tunnel?

Posted on 2008-06-10
Last Modified: 2013-11-16
I am trying to create a tunnel between our company Checkpoint Firewall and a clients Cisco ASA 5510.

Current Situation:

Phase 1 settings are fine on both sides,matching.

Phase 2:
 Remote peer : XX.XX.82.73
 Local public ip (outside): XX.XX.32.4

Interesting traffic (proxy):
 Source: XX.XX.32.27
 Destination : XX.XX.82.75

According to our debug information we are receiving from remote site:
Interesting traffic (proxy):
 Source: XX.XX.82.73
 Destination: XX.XX.32.4
ASA is dropping it since it's not matching the traffic.

The private ip of internal server on Checkpoint side is: and it should be nated to XX.XX.82.75.. If this is correct, then XX.XX.82.75 should travel through the tunnel searching for XX.XX.32.27. With a peer XX.XX.32.4 (where the tunnel will end).

My question is how do i configure the tunnel on checkpoint side to match the ASA configuration so they can talk to each other? I am using a Nokia IP130 with the SmartDashboard R55 to configure the Checkpoint firewall.
Question by:ouelletteg47
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Expert Comment

by:Jeff Perry
ID: 21752100
I am not familiar with checkpoint so I cant say on how to configure it.

What is jumping out at me is that the ASA is dropping the traffic from .73 and you are wanting the interesting traffic to come from .75

Without being able to tell you how to configure it I would look at the checkpoint conf section that deals with natting the outbound traffic to the .32.XX network to make sure that it gets natted to .75

Author Comment

ID: 21753012
Thanks for the comment, I am not entirely sure how to configure the address translation for the scenario I've outlined. I'll wait until I hear from someone experienced in Checkpoint.

Expert Comment

ID: 21760437
Is your question about address translation, or bringing up the VPN?  

In Checkpoint, check your VPN community settings to make sure that "disable NAT inside the VPN" is NOT checked, as that will override any translation rules you write.  Then, it's as simple as setting up a rule in the address translation page.  You'll need to create multiple objects (server-inside, and server-outside), I assume this is a one-to-one-NAT.  source = server inside, destination = vpn peer (as the checkpoint sees it, which could be public, or private, depending on if the asa is translating it).  service = any.  xlated source = server outside, destination = original, service = original.

The most common problem I find with interoperable VPNs and Checkpoint is that the VPN domain doesn't match.  You need to setup the VPN domain (in the properties of the firewall enforcement point, and interopable device) EXACTLY as it's setup in the Cisco ASA.  This is what the Checkpoint uses to negotiate the tunnel, NOT the address in the source/destination of the VPN rule.
Let me know if you need more information, or a more specific answer.
Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.


Author Comment

ID: 21760664
That makes sense. Would i create their peer as a network? or, as a node? For my translations:

Original Packet                                                        Translated
Source        Destination             Service                 Source            Destination            Service
My inside     Their Peer?             Any                      My Outside      Their inside?         Any

and reverse for traffic coming back?  

Author Comment

ID: 21760977
I think i messed that up..
My Inside -> Their Peer, any service   xlated to ->  My outside -> their peer, any service

so would the rule for incoming be:

their peer -> my outside, any service  xlated to  their peer -> myinside, any service  ?

Accepted Solution

mabutterfield earned 500 total points
ID: 21769717
Your outbound rule should be

your inside src -> VPN Peer (dest IP may NOT be same as VPN Peer), any service xlated to:
your outside src -> original dest, original dest

your inbound rule would be

their VPN Peer -> your outside dst, any service xlated to:
original -> your inside dst, original service


Author Closing Comment

ID: 31465754
Thank you very much for your assistance. The two sources are now "shaking hands" through the tunnel.

Expert Comment

ID: 24719649
Hi there,

I have setup a working vpn betweeen a checkpoint fw and a cisco asa

here what i did but you need to change the ip address and encryption settings etc!

Cisco ASA
external interface (outside):
internal interface (inside):
Check Point NGX
external interface (eth0):
internal interface (eth1):

on the checkpoint side.
Check Point NGX setup

In Check Point, first you need to define a new Interoperable Device which we'll call Cisco-ASA and in the IP address field, you'll enter the IP address of the external interface of Cisco ASA, in this case being

Next, you edit the toplogy of the device and enter:

eth0:, netmask; topology: Leads to internet
eth1:, netmask; topology: Internal, Network defined by IP address and netmask
Next, you need to create a new VPN community, type Star, with the following settings:

Center gateways: the object representing the Check Point enforcement point
Satellite gateways: the object representing the Cisco ASA device
VPN Properties:
IKE (Phase 1) Properties
Perform key exchange encryption with: AES-256
Perform data integrity with: SHA-1
IPSec (Phase 2) Properties
Perform IPSec data encryption with: AES-128
Perform data integrity with: SHA-1
Tunnel properties:
VPN Tunnel sharing: One VPN tunnel per subnet pair
Advanced settings
Use only SharedSecret for all external members
Advanced VPN Properties:
IKE (Phase 1):
Use Diffie-Helman Group: Group 2
NAT: Disable NAT inside VPN community

you need to create rule in the checkpoint fw two,

mine were
Source                          DEST                             VPN               Net-Checkpoint            select vpn you just configure above.
2.Net-Checkpoint             net-cisco-asa              select vpn you just configure above.

verify and install policy, then try to connect from the checkpoint side, then the cisco side.



Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Juniper VPN devices are a popular alternative to using Cisco products. Last year I needed to set up an international site-to-site VPN over the Internet, but the client had high security requirements -- FIPS 140. What and Why of FIPS 140 Federa…
Some of you may have heard that SonicWALL has finally released an app for iOS devices giving us long awaited connectivity for our iPhone's, iPod's, and iPad's. This guide is just a quick rundown on how to get up and running quickly using the app. …
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question