Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

How do I configure a Checkpoint to Cisco ASA VPN Tunnel?

Posted on 2008-06-10
8
Medium Priority
?
11,144 Views
Last Modified: 2013-11-16
I am trying to create a tunnel between our company Checkpoint Firewall and a clients Cisco ASA 5510.

Current Situation:

Phase 1 settings are fine on both sides,matching.

Phase 2:
       
ASA:
 Remote peer : XX.XX.82.73
 Local public ip (outside): XX.XX.32.4

Interesting traffic (proxy):
 Source: XX.XX.32.27
 Destination : XX.XX.82.75

Checkpoint
According to our debug information we are receiving from remote site:
Interesting traffic (proxy):
 Source: XX.XX.82.73
 Destination: XX.XX.32.4
ASA is dropping it since it's not matching the traffic.

The private ip of internal server on Checkpoint side is: 172.23.45.14 and it should be nated to XX.XX.82.75.. If this is correct, then XX.XX.82.75 should travel through the tunnel searching for XX.XX.32.27. With a peer XX.XX.32.4 (where the tunnel will end).

My question is how do i configure the tunnel on checkpoint side to match the ASA configuration so they can talk to each other? I am using a Nokia IP130 with the SmartDashboard R55 to configure the Checkpoint firewall.
0
Comment
Question by:ouelletteg47
8 Comments
 
LVL 8

Expert Comment

by:Jeff Perry
ID: 21752100
I am not familiar with checkpoint so I cant say on how to configure it.

What is jumping out at me is that the ASA is dropping the traffic from .73 and you are wanting the interesting traffic to come from .75

Without being able to tell you how to configure it I would look at the checkpoint conf section that deals with natting the outbound traffic to the .32.XX network to make sure that it gets natted to .75
0
 

Author Comment

by:ouelletteg47
ID: 21753012
Thanks for the comment, I am not entirely sure how to configure the address translation for the scenario I've outlined. I'll wait until I hear from someone experienced in Checkpoint.
0
 
LVL 7

Expert Comment

by:mabutterfield
ID: 21760437
Is your question about address translation, or bringing up the VPN?  

In Checkpoint, check your VPN community settings to make sure that "disable NAT inside the VPN" is NOT checked, as that will override any translation rules you write.  Then, it's as simple as setting up a rule in the address translation page.  You'll need to create multiple objects (server-inside, and server-outside), I assume this is a one-to-one-NAT.  source = server inside, destination = vpn peer (as the checkpoint sees it, which could be public, or private, depending on if the asa is translating it).  service = any.  xlated source = server outside, destination = original, service = original.

The most common problem I find with interoperable VPNs and Checkpoint is that the VPN domain doesn't match.  You need to setup the VPN domain (in the properties of the firewall enforcement point, and interopable device) EXACTLY as it's setup in the Cisco ASA.  This is what the Checkpoint uses to negotiate the tunnel, NOT the address in the source/destination of the VPN rule.
 
Let me know if you need more information, or a more specific answer.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:ouelletteg47
ID: 21760664
That makes sense. Would i create their peer as a network? or, as a node? For my translations:

Original Packet                                                        Translated
Source        Destination             Service                 Source            Destination            Service
My inside     Their Peer?             Any                      My Outside      Their inside?         Any

and reverse for traffic coming back?  
0
 

Author Comment

by:ouelletteg47
ID: 21760977
I think i messed that up..
My Inside -> Their Peer, any service   xlated to ->  My outside -> their peer, any service

so would the rule for incoming be:

their peer -> my outside, any service  xlated to  their peer -> myinside, any service  ?
 
0
 
LVL 7

Accepted Solution

by:
mabutterfield earned 2000 total points
ID: 21769717
Your outbound rule should be

your inside src -> VPN Peer (dest IP may NOT be same as VPN Peer), any service xlated to:
your outside src -> original dest, original dest

your inbound rule would be

their VPN Peer -> your outside dst, any service xlated to:
original -> your inside dst, original service

0
 

Author Closing Comment

by:ouelletteg47
ID: 31465754
Thank you very much for your assistance. The two sources are now "shaking hands" through the tunnel.
0
 
LVL 1

Expert Comment

by:fcar807
ID: 24719649
Hi there,

I have setup a working vpn betweeen a checkpoint fw and a cisco asa

here what i did but you need to change the ip address and encryption settings etc!

Cisco ASA
external interface (outside): 1.2.3.4/255.255.255.252
internal interface (inside): 10.20.40.1/255.255.255.0
Check Point NGX
external interface (eth0): 5.6.7.8/255.255.255.252
internal interface (eth1): 10.40.20.1/255.255.255.0

on the checkpoint side.
Check Point NGX setup

In Check Point, first you need to define a new Interoperable Device which we'll call Cisco-ASA and in the IP address field, you'll enter the IP address of the external interface of Cisco ASA, in this case being 1.2.3.4

Next, you edit the toplogy of the device and enter:

eth0: 1.2.3.4, netmask 255.255.255.255; topology: Leads to internet
eth1: 10.20.40.1, netmask 255.255.255.0; topology: Internal, Network defined by IP address and netmask
Next, you need to create a new VPN community, type Star, with the following settings:

Center gateways: the object representing the Check Point enforcement point
Satellite gateways: the object representing the Cisco ASA device
VPN Properties:
IKE (Phase 1) Properties
Perform key exchange encryption with: AES-256
Perform data integrity with: SHA-1
IPSec (Phase 2) Properties
Perform IPSec data encryption with: AES-128
Perform data integrity with: SHA-1
Tunnel properties:
VPN Tunnel sharing: One VPN tunnel per subnet pair
Advanced settings
SharedSecret
Use only SharedSecret for all external members
Advanced VPN Properties:
IKE (Phase 1):
Use Diffie-Helman Group: Group 2
NAT: Disable NAT inside VPN community

you need to create rule in the checkpoint fw two,

mine were
Source                          DEST                             VPN
1.net-cisco-asa               Net-Checkpoint            select vpn you just configure above.
2.Net-Checkpoint             net-cisco-asa              select vpn you just configure above.

verify and install policy, then try to connect from the checkpoint side, then the cisco side.

Thanks
Frank

0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Secure VPN Connection terminated locally by the Client.  Reason 442: Failed to enable Virtual Adapter. If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question