Solved

How do I configure a Checkpoint to Cisco ASA VPN Tunnel?

Posted on 2008-06-10
8
10,394 Views
Last Modified: 2013-11-16
I am trying to create a tunnel between our company Checkpoint Firewall and a clients Cisco ASA 5510.

Current Situation:

Phase 1 settings are fine on both sides,matching.

Phase 2:
       
ASA:
 Remote peer : XX.XX.82.73
 Local public ip (outside): XX.XX.32.4

Interesting traffic (proxy):
 Source: XX.XX.32.27
 Destination : XX.XX.82.75

Checkpoint
According to our debug information we are receiving from remote site:
Interesting traffic (proxy):
 Source: XX.XX.82.73
 Destination: XX.XX.32.4
ASA is dropping it since it's not matching the traffic.

The private ip of internal server on Checkpoint side is: 172.23.45.14 and it should be nated to XX.XX.82.75.. If this is correct, then XX.XX.82.75 should travel through the tunnel searching for XX.XX.32.27. With a peer XX.XX.32.4 (where the tunnel will end).

My question is how do i configure the tunnel on checkpoint side to match the ASA configuration so they can talk to each other? I am using a Nokia IP130 with the SmartDashboard R55 to configure the Checkpoint firewall.
0
Comment
Question by:ouelletteg47
8 Comments
 
LVL 8

Expert Comment

by:Jeff Perry
Comment Utility
I am not familiar with checkpoint so I cant say on how to configure it.

What is jumping out at me is that the ASA is dropping the traffic from .73 and you are wanting the interesting traffic to come from .75

Without being able to tell you how to configure it I would look at the checkpoint conf section that deals with natting the outbound traffic to the .32.XX network to make sure that it gets natted to .75
0
 

Author Comment

by:ouelletteg47
Comment Utility
Thanks for the comment, I am not entirely sure how to configure the address translation for the scenario I've outlined. I'll wait until I hear from someone experienced in Checkpoint.
0
 
LVL 7

Expert Comment

by:mabutterfield
Comment Utility
Is your question about address translation, or bringing up the VPN?  

In Checkpoint, check your VPN community settings to make sure that "disable NAT inside the VPN" is NOT checked, as that will override any translation rules you write.  Then, it's as simple as setting up a rule in the address translation page.  You'll need to create multiple objects (server-inside, and server-outside), I assume this is a one-to-one-NAT.  source = server inside, destination = vpn peer (as the checkpoint sees it, which could be public, or private, depending on if the asa is translating it).  service = any.  xlated source = server outside, destination = original, service = original.

The most common problem I find with interoperable VPNs and Checkpoint is that the VPN domain doesn't match.  You need to setup the VPN domain (in the properties of the firewall enforcement point, and interopable device) EXACTLY as it's setup in the Cisco ASA.  This is what the Checkpoint uses to negotiate the tunnel, NOT the address in the source/destination of the VPN rule.
 
Let me know if you need more information, or a more specific answer.
0
 

Author Comment

by:ouelletteg47
Comment Utility
That makes sense. Would i create their peer as a network? or, as a node? For my translations:

Original Packet                                                        Translated
Source        Destination             Service                 Source            Destination            Service
My inside     Their Peer?             Any                      My Outside      Their inside?         Any

and reverse for traffic coming back?  
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:ouelletteg47
Comment Utility
I think i messed that up..
My Inside -> Their Peer, any service   xlated to ->  My outside -> their peer, any service

so would the rule for incoming be:

their peer -> my outside, any service  xlated to  their peer -> myinside, any service  ?
 
0
 
LVL 7

Accepted Solution

by:
mabutterfield earned 500 total points
Comment Utility
Your outbound rule should be

your inside src -> VPN Peer (dest IP may NOT be same as VPN Peer), any service xlated to:
your outside src -> original dest, original dest

your inbound rule would be

their VPN Peer -> your outside dst, any service xlated to:
original -> your inside dst, original service

0
 

Author Closing Comment

by:ouelletteg47
Comment Utility
Thank you very much for your assistance. The two sources are now "shaking hands" through the tunnel.
0
 
LVL 1

Expert Comment

by:fcar807
Comment Utility
Hi there,

I have setup a working vpn betweeen a checkpoint fw and a cisco asa

here what i did but you need to change the ip address and encryption settings etc!

Cisco ASA
external interface (outside): 1.2.3.4/255.255.255.252
internal interface (inside): 10.20.40.1/255.255.255.0
Check Point NGX
external interface (eth0): 5.6.7.8/255.255.255.252
internal interface (eth1): 10.40.20.1/255.255.255.0

on the checkpoint side.
Check Point NGX setup

In Check Point, first you need to define a new Interoperable Device which we'll call Cisco-ASA and in the IP address field, you'll enter the IP address of the external interface of Cisco ASA, in this case being 1.2.3.4

Next, you edit the toplogy of the device and enter:

eth0: 1.2.3.4, netmask 255.255.255.255; topology: Leads to internet
eth1: 10.20.40.1, netmask 255.255.255.0; topology: Internal, Network defined by IP address and netmask
Next, you need to create a new VPN community, type Star, with the following settings:

Center gateways: the object representing the Check Point enforcement point
Satellite gateways: the object representing the Cisco ASA device
VPN Properties:
IKE (Phase 1) Properties
Perform key exchange encryption with: AES-256
Perform data integrity with: SHA-1
IPSec (Phase 2) Properties
Perform IPSec data encryption with: AES-128
Perform data integrity with: SHA-1
Tunnel properties:
VPN Tunnel sharing: One VPN tunnel per subnet pair
Advanced settings
SharedSecret
Use only SharedSecret for all external members
Advanced VPN Properties:
IKE (Phase 1):
Use Diffie-Helman Group: Group 2
NAT: Disable NAT inside VPN community

you need to create rule in the checkpoint fw two,

mine were
Source                          DEST                             VPN
1.net-cisco-asa               Net-Checkpoint            select vpn you just configure above.
2.Net-Checkpoint             net-cisco-asa              select vpn you just configure above.

verify and install policy, then try to connect from the checkpoint side, then the cisco side.

Thanks
Frank

0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Sometimes, you want your microsoft VPN to route all the traffic to the remote network. Usually your employer network. This makes it possible to access all the nodes inside this remote LAN, even if they have no "public DNS" entries. To do so, you wo…
Like many others, when I created a Windows 2008 RRAS VPN server, I connected via PPTP, and still do, but there are problems that can arise from solely using PPTP.  One particular problem was that the CFO of the company used a Virgin Broadband Wirele…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now