How do I configure a Checkpoint to Cisco ASA VPN Tunnel?

Posted on 2008-06-10
Last Modified: 2013-11-16
I am trying to create a tunnel between our company Checkpoint Firewall and a client's Cisco ASA 5510.

Current Situation:

Phase 1 settings are fine on both sides, matching.

Phase 2:
 Remote peer : XX.XX.82.73
 Local public ip (outside): XX.XX.32.4

Interesting traffic (proxy):
 Source: XX.XX.32.27
 Destination : XX.XX.82.75

According to our debug information we are receiving from remote site:
Interesting traffic (proxy):
 Source: XX.XX.82.73
 Destination: XX.XX.32.4
ASA is dropping it since it's not matching the traffic.

The private ip of internal server on Checkpoint side is: and it should be nated to XX.XX.82.75. If this is correct, then XX.XX.82.75 should travel through the tunnel searching for XX.XX.32.27. With a peer XX.XX.32.4 (where the tunnel will end).

My question is how do I configure the tunnel on checkpoint side to match the ASA configuration so they can talk to each other? I am using a Nokia IP130 with the SmartDashboard R55 to configure the Checkpoint firewall.
Question by: ouelletteg47

Expert Comment

by:Jeff Perry
ID: 21752100
I am not familiar with checkpoint so I can't say on how to configure it.

What is jumping out at me is that the ASA is dropping the traffic from .73 and you are wanting the interesting traffic to come from .75

Without being able to tell you how to configure it I would look at the checkpoint conf section that deals with natting the outbound traffic to the .32.XX network to make sure that it gets natted to .75

Author Comment

ID: 21753012
Thanks for the comment, I am not entirely sure how to configure the address translation for the scenario I've outlined. I'll wait until I hear from someone experienced in Checkpoint.

Expert Comment

ID: 21760437
Is your question about address translation, or bringing up the VPN?  

In Checkpoint, check your VPN community settings to make sure that "disable NAT inside the VPN" is NOT checked, as that will override any translation rules you write.  Then, it's as simple as setting up a rule in the address translation page.  You'll need to create multiple objects (server-inside, and server-outside), I assume this is a one-to-one-NAT.  source = server inside, destination = vpn peer (as the checkpoint sees it, which could be public, or private, depending on if the asa is translating it).  service = any.  xlated source = server outside, destination = original, service = original.

The most common problem I find with interoperable VPNs and Checkpoint is that the VPN domain doesn't match.  You need to set up the VPN domain (in the properties of the firewall enforcement point, and interoperable device) EXACTLY as it's set up in the Cisco ASA.  This is what the Checkpoint uses to negotiate the tunnel, NOT the address in the source/destination of the VPN rule.
Let me know if you need more information, or a more specific answer.

Author Comment

ID: 21760664
That makes sense. Would I create their peer as a network, or as a node? For my translations:

Original Packet                               Translated Packet
Source       Destination   Service            Source       Destination    Service
My inside    Their Peer?   Any                My Outside   Their inside?  Any

and reverse for traffic coming back?  

Author Comment

ID: 21760977
I think I messed that up..
My Inside -> Their Peer, any service   xlated to ->  My outside -> their peer, any service

so would the rule for incoming be:

their peer -> my outside, any service  xlated to  their peer -> my inside, any service  ?

Accepted Solution

mabutterfield earned 500 total points
ID: 21769717
Your outbound rule should be

your inside src -> VPN Peer (dest IP may NOT be same as VPN Peer), any service xlated to:
your outside src -> original dest, original dest

your inbound rule would be

their VPN Peer -> your outside dst, any service xlated to:
original -> your inside dst, original service
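The two translation rows in this answer, together with the earlier expert's point that "Disable NAT inside the VPN community" must be unchecked for them to apply, are easy to get wrong in the direction of the columns, so here is a small model of the NAT rule base as an added example (not code from this thread or from Check Point). The addresses are constructed documentation-range values, since the question masks its own as XX.XX.x.x: 10.1.1.10 stands for the private server, 198.51.100.4 for the outside address it is hidden behind, and 203.0.113.75 for the host on the ASA side. The `check_outbound` helper shows why the translated packet, not the private one, has to be what sits in the VPN domain the ASA is checking proxy IDs against.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

ANY = "any"            # wildcard in an Original Packet column
ORIGINAL = "original"  # "Original" in a Translated Packet column: keep the packet's own value


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str


@dataclass(frozen=True)
class NatRule:
    """One row of the Check Point address translation page."""
    name: str
    orig_src: str       # IP/CIDR object or "any"
    orig_dst: str
    orig_service: str   # service name or "any"
    xlate_src: str      # IP object, or "original"
    xlate_dst: str
    xlate_service: str


def _matches(column: str, value: str) -> bool:
    """Does a packet field match an Original Packet cell (wildcard, network object or service)?"""
    if column == ANY:
        return True
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(column, strict=False)
    except ValueError:          # not an address: treat the cell as a service name
        return column == value


def _translate(column: str, value: str) -> str:
    return value if column == ORIGINAL else column


def apply_nat(pkt: Packet, rules: List[NatRule]) -> Packet:
    """First matching rule wins, as in the Check Point NAT rule base; no match leaves the packet as is."""
    for r in rules:
        if (_matches(r.orig_src, pkt.src) and _matches(r.orig_dst, pkt.dst)
                and _matches(r.orig_service, pkt.service)):
            return Packet(_translate(r.xlate_src, pkt.src),
                          _translate(r.xlate_dst, pkt.dst),
                          _translate(r.xlate_service, pkt.service))
    return pkt


def in_vpn_domains(pkt: Packet, local_domain: str, remote_domain: str) -> bool:
    """Is an outbound (post-NAT) packet inside the local and peer VPN domains, i.e. does it
    match the proxy IDs the ASA will be checking?"""
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(local_domain)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(remote_domain))


def check_outbound(pkt: Packet, rules: List[NatRule], local_domain: str, remote_domain: str,
                   nat_inside_vpn: bool = True) -> dict:
    """Translate an outbound packet and report whether it would be selected for the tunnel.
    nat_inside_vpn=False is a simple model of the community's "Disable NAT inside the VPN
    community" box being ticked: the NAT rule base is skipped for this traffic."""
    after = apply_nat(pkt, rules) if nat_inside_vpn else pkt
    return {"after": after, "tunnel_eligible": in_vpn_domains(after, local_domain, remote_domain)}


# Constructed addresses (documentation ranges); the thread masks its own as XX.XX.x.x.
MY_INSIDE = "10.1.1.10"         # private server behind the Check Point
MY_OUTSIDE = "198.51.100.4"     # address the server is hidden behind; what the ASA expects to see
THEIR_SERVER = "203.0.113.75"   # host on the ASA side (need not be the VPN peer address itself)

RULES = [
    # your inside src -> their host, any service  =>  your outside src, original dst, original service
    NatRule("outbound", MY_INSIDE, THEIR_SERVER, ANY, MY_OUTSIDE, ORIGINAL, ORIGINAL),
    # their host -> your outside dst, any service  =>  original src, your inside dst, original service
    NatRule("inbound", THEIR_SERVER, MY_OUTSIDE, ANY, ORIGINAL, MY_INSIDE, ORIGINAL),
]
LOCAL_DOMAIN = "198.51.100.4/32"    # VPN domain as the ASA sees it: the translated address
REMOTE_DOMAIN = "203.0.113.75/32"

if __name__ == "__main__":
    out = Packet(MY_INSIDE, THEIR_SERVER, "tcp/443")
    print("NAT inside VPN on :", check_outbound(out, RULES, LOCAL_DOMAIN, REMOTE_DOMAIN))
    print("NAT inside VPN off:", check_outbound(out, RULES, LOCAL_DOMAIN, REMOTE_DOMAIN, False))
    print("inbound reply     :", apply_nat(Packet(THEIR_SERVER, MY_OUTSIDE, "tcp/443"), RULES))
```

With the NAT-inside-VPN switch left on, the outbound packet leaves as 198.51.100.4 -> 203.0.113.75 and falls inside both domains; with it off, the packet leaves untranslated as 10.1.1.10 and is outside the local domain, which is the kind of proxy-ID mismatch that makes the ASA drop it.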


Author Closing Comment

ID: 31465754
Thank you very much for your assistance. The two sources are now "shaking hands" through the tunnel.

Expert Comment

ID: 24719649
Hi there,

I have set up a working vpn between a checkpoint fw and a cisco asa

here is what I did, but you need to change the ip address and encryption settings etc!

Cisco ASA
external interface (outside):
internal interface (inside):
Check Point NGX
external interface (eth0):
internal interface (eth1):

on the checkpoint side.
Check Point NGX setup

In Check Point, first you need to define a new Interoperable Device which we'll call Cisco-ASA and in the IP address field, you'll enter the IP address of the external interface of Cisco ASA, in this case being

Next, you edit the topology of the device and enter:

eth0:, netmask; topology: Leads to internet
eth1:, netmask; topology: Internal, Network defined by IP address and netmask
Next, you need to create a new VPN community, type Star, with the following settings:

Center gateways: the object representing the Check Point enforcement point
Satellite gateways: the object representing the Cisco ASA device
VPN Properties:
IKE (Phase 1) Properties
Perform key exchange encryption with: AES-256
Perform data integrity with: SHA-1
IPSec (Phase 2) Properties
Perform IPSec data encryption with: AES-128
Perform data integrity with: SHA-1
Tunnel properties:
VPN Tunnel sharing: One VPN tunnel per subnet pair
Advanced settings
Use only SharedSecret for all external members
Advanced VPN Properties:
IKE (Phase 1):
Use Diffie-Hellman Group: Group 2
NAT: Disable NAT inside VPN community

you need to create rules in the checkpoint fw too,

mine were
   Source            DEST              VPN
1. net-cisco-asa     Net-Checkpoint    select the vpn you just configured above.
2. Net-Checkpoint    net-cisco-asa     select the vpn you just configured above.

verify and install policy, then try to connect from the checkpoint side, then the cisco side.
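Two things in this walkthrough are worth checking mechanically before installing policy: the earlier expert's warning that the VPN domains must mirror the ASA side EXACTLY, and the "One VPN tunnel per subnet pair" setting, which means Check Point proposes one Phase 2 SA per (local subnet, remote subnet) combination with those exact subnets as proxy IDs. The script below is an added example, not from this thread, Check Point or Cisco, and it goes slightly beyond the single-subnet case above by handling multi-subnet domains. The domains and the ASA crypto ACL entries are constructed sample values; the proposal dictionary copies the Phase 1 / Phase 2 settings listed in the comment. An ASA ACL entry that is only a supernet of what Check Point proposes is reported separately, because that is exactly the "covers it but does not match it" case the advice above is about.

```python
import ipaddress
from typing import Dict, List, Tuple

Pair = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]


def subnet_pairs(cp_domain: List[str], asa_domain: List[str]) -> List[Pair]:
    """'One VPN tunnel per subnet pair': one Phase 2 SA per (Check Point subnet, ASA subnet)
    combination, each proposing those exact subnets as proxy IDs. Check Point's point of view."""
    return [(ipaddress.ip_network(c), ipaddress.ip_network(a))
            for c in cp_domain for a in asa_domain]


def asa_acl_as_pairs(asa_acl: List[Tuple[str, str]]) -> List[Pair]:
    """A crypto ACL is written from the ASA's side (its local network, then the remote one).
    Flip each entry so it lines up with the Check Point pairs."""
    return [(ipaddress.ip_network(remote), ipaddress.ip_network(local))
            for local, remote in asa_acl]


def compare_domains(cp_pairs: List[Pair], asa_pairs: List[Pair]) -> Dict[str, List[Tuple[str, str]]]:
    """Classify every Check Point pair against the ASA's ACL:
       exact             - mirrored exactly on the ASA (what the thread says you need)
       covered_not_exact - the ASA entry is a supernet; the two sides will propose different IDs
       missing           - the ASA has no entry for it at all
       extra_on_asa      - ASA entries with no Check Point counterpart"""
    def s(p: Pair) -> Tuple[str, str]:
        return (str(p[0]), str(p[1]))

    result: Dict[str, List[Tuple[str, str]]] = {
        "exact": [], "covered_not_exact": [], "missing": [], "extra_on_asa": []}
    for p in cp_pairs:
        if p in asa_pairs:
            result["exact"].append(s(p))
        elif any(p[0].subnet_of(a) and p[1].subnet_of(b) for a, b in asa_pairs):
            result["covered_not_exact"].append(s(p))
        else:
            result["missing"].append(s(p))
    for q in asa_pairs:
        if q not in cp_pairs:
            result["extra_on_asa"].append(s(q))
    return result


def proposal_mismatches(cp: Dict[str, object], asa: Dict[str, object]) -> List[str]:
    """Settings on which the two sides disagree; any difference stops Phase 1 or Phase 2
    from completing, whatever the domains look like."""
    return sorted(k for k in set(cp) | set(asa) if cp.get(k) != asa.get(k))


# Settings as listed in the comment above (Phase 1 AES-256/SHA-1/DH group 2, Phase 2 AES-128/SHA-1).
CP_PROPOSALS = {"ike_encryption": "AES-256", "ike_integrity": "SHA-1", "ike_dh_group": 2,
                "ipsec_encryption": "AES-128", "ipsec_integrity": "SHA-1"}

# Constructed sample domains and ACL (private-range placeholders, not from the thread).
CP_DOMAIN = ["192.168.10.0/24", "192.168.20.0/24", "172.16.5.0/24"]   # Net-Checkpoint
ASA_DOMAIN = ["10.20.0.0/24"]                                         # net-cisco-asa
ASA_ACL = [("10.20.0.0/24", "192.168.10.0/24"),   # exact mirror
           ("10.20.0.0/24", "192.168.0.0/16")]    # supernet: covers .20 but is not the same ID

if __name__ == "__main__":
    report = compare_domains(subnet_pairs(CP_DOMAIN, ASA_DOMAIN), asa_acl_as_pairs(ASA_ACL))
    for category, pairs in report.items():
        print(f"{category:18s} {pairs}")
    print("proposal differences:", proposal_mismatches(CP_PROPOSALS, {**CP_PROPOSALS, "ipsec_encryption": "AES-256"}))
```

Anything in `covered_not_exact` or `missing` is a subnet pair for which the two peers will not agree on Phase 2 identities, and `extra_on_asa` lists SAs the ASA may try to bring up that the Check Point side has no domain entry for.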


