Cisco ASA to Checkpoint

I am having trouble with a couple things in regard to the following.

I Have an ASA where Cisco anyconnect users that connect to reach resources on the network. however, they are not able to reach anything over the tunnel that is from the ASA to the Checkpoint FW. everything else is just fine.

Is there any main "Gotchas" with Cisco ASA to CheckPoint firewalls?

Thank you.
Jordan TaylorNetwork EngineerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jimmy Larsson, CISSP, CEHNetwork and Security consultantCommented:
Anyconnect can only connect to Cisco ASA firewalls, not Checkpoints.

But are you saying that behind the Cisco ASA is a Checkpoint fireall? Or is there a site2site vpn between the ASA and the Checkpoint? Please clarify the topology...
Jordan TaylorNetwork EngineerAuthor Commented:
Correct, there is a site-to-site VPN tunnel between the two ASA-to-Checkpoint.

When the users connect to the Cisco anyconnect they are able to function but they can't reach any behind the Checkpoint FW, But the users behind the Checkpoint can reach all networks as intended.

Thank you.
Jimmy Larsson, CISSP, CEHNetwork and Security consultantCommented:
So, your issue can have many reasons. Like:

1) Your anyconnect-connection needs to be either full tunnel or the split-include list needs to include the networks behind the Checkpoint.

2) Your ASA crypto ACL (that defines what should be tunneled to Checkpoint) must include traffic from anyconnect (i.e the vpn pool) to the network(s) behind checkpoint.

3) Your checkpoint VPN domain needs to be defined so that Checkpoint understand that the vpn pool subnet exists beyond the vpn tunnel.

4) You need to do nat exemption for traffic from vpn pool to the checkpoint subnet.

5) You need to allow hairpinning of traffic so that inbound traffic from anyconnect will be allowed to u-turn back to outside (into the tunnel) . Look for the command sysopt-connection permit intra-interface.

To further help you we need to see the relevant parts of your ASA configuration.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Cloud as a Security Delivery Platform for MSSPs

Every Managed Security Service Provider (MSSP) needs a platform to deliver effective and efficient security-as-a-service to their customers. Scale, elasticity and profitability are a few of the many features that a Cloud platform offers. View our on-demand webinar to learn more!

Jordan TaylorNetwork EngineerAuthor Commented:
Thank you, this was very helpful. let me take a look and I will get back to you.
Pete LongTechnical ConsultantCommented:
This is a simple 'spoke to spoke' VPN problem, I've done plenty where the remote site is an ASA but the fact its a checkpoint does not really matter, you just need to include the AnyConnect Subnet Range in the Checkpoint encryption domain (interesting traffic) and provide a NAT exemption for it also. below is the principle
Cisco Firewall VPN “Hair Pinning” Note: Cisco refer to this as a “Spoke to Spoke VPN”

Jordan TaylorNetwork EngineerAuthor Commented:
Thank you, for the help.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.