
Cisco ASA to Checkpoint

Jordan Taylor
I am having trouble with a couple things in regard to the following.

I have an ASA where Cisco AnyConnect users connect to reach resources on the network. However, they are not able to reach anything over the tunnel from the ASA to the Checkpoint FW. Everything else is just fine.

Are there any main "gotchas" with Cisco ASA to Checkpoint firewalls?

Thank you.

Jimmy Larsson, CISSP, CEH, Network and Security consultant

Commented:
Anyconnect can only connect to Cisco ASA firewalls, not Checkpoints.

But are you saying that behind the Cisco ASA is a Checkpoint firewall? Or is there a site-to-site VPN between the ASA and the Checkpoint? Please clarify the topology...
Jordan Taylor, Network Engineer

Author

Commented:
Correct, there is a site-to-site VPN tunnel between the two, ASA to Checkpoint.

When the users connect to Cisco AnyConnect they are able to function, but they can't reach anything behind the Checkpoint FW. The users behind the Checkpoint, however, can reach all networks as intended.

Thank you.
Jimmy Larsson, CISSP, CEH, Network and Security consultant
Commented:
So, your issue can have many reasons. Like:

1) Your AnyConnect connection needs to be either full tunnel, or the split-include list needs to include the networks behind the Checkpoint.

2) Your ASA crypto ACL (that defines what should be tunneled to the Checkpoint) must include traffic from AnyConnect (i.e. the VPN pool) to the network(s) behind the Checkpoint.

3) Your Checkpoint VPN domain needs to be defined so that the Checkpoint understands that the VPN pool subnet exists beyond the VPN tunnel.

4) You need to do NAT exemption for traffic from the VPN pool to the Checkpoint subnet.

5) You need to allow hairpinning of traffic so that inbound traffic from AnyConnect will be allowed to U-turn back out to outside (into the tunnel). Look for the command sysopt-connection permit intra-interface.

To further help you we need to see the relevant parts of your ASA configuration.
Jordan Taylor, Network Engineer

Author

Commented:
Thank you, this was very helpful. Let me take a look and I will get back to you.
Pete Long, Technical Consultant
Distinguished Expert 2019
Commented:
This is a simple 'spoke to spoke' VPN problem. I've done plenty where the remote site is an ASA, but the fact it's a Checkpoint does not really matter; you just need to include the AnyConnect subnet range in the Checkpoint encryption domain (interesting traffic) and provide a NAT exemption for it also. Below is the principle:
Cisco Firewall VPN “Hair Pinning” (Note: Cisco refers to this as a “Spoke to Spoke VPN”)

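For readers who want to see Jimmy's checklist (items 1, 2, 4 and 5) and Pete's "spoke to spoke" summary in one place, here is an ASA configuration fragment written as an added example; it is not taken from either poster's configuration or from Cisco or Checkpoint documentation. All addresses and object names are constructed placeholders: the AnyConnect pool is 10.99.0.0/24, the LAN behind the ASA is 10.1.0.0/24, the LAN behind the Checkpoint is 10.2.0.0/24, and the Checkpoint peer is 203.0.113.2. It uses post-8.3 ASA NAT syntax, and for step 5 it uses same-security-traffic permit intra-interface, which is the ASA command that lets a flow enter and leave the same interface. Item 3 (the Checkpoint VPN domain) lives on the Checkpoint side and is only noted in a comment.

```cisco
! Added example (constructed addresses), not the poster's configuration.
!   AnyConnect pool        : 10.99.0.0/24
!   LAN behind the ASA     : 10.1.0.0/24
!   LAN behind Checkpoint  : 10.2.0.0/24
!   Checkpoint peer        : 203.0.113.2 (documentation address)
!
! (1) Split tunnel: the split-include list must carry the Checkpoint-side
!     network, otherwise the client never sends that traffic into the VPN.
access-list SPLIT_TUNNEL standard permit 10.1.0.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.2.0.0 255.255.255.0
group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! (2) Crypto ACL for the site-to-site tunnel: VPN pool -> Checkpoint LAN is
!     added as interesting traffic alongside the existing LAN -> LAN entry.
access-list L2L_CHECKPOINT extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list L2L_CHECKPOINT extended permit ip 10.99.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_CHECKPOINT
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
!
! (3) Checkpoint side (not ASA config): the encryption domain defined for the
!     ASA as an interoperable device must contain BOTH 10.1.0.0/24 and
!     10.99.0.0/24, or the Checkpoint will drop the proposal / the packets.
!
! (4) NAT exemption (identity NAT): pool addresses must reach the tunnel
!     untranslated so they match the crypto ACL and the peer's domain.
object network VPN_POOL
 subnet 10.99.0.0 255.255.255.0
object network CHECKPOINT_LAN
 subnet 10.2.0.0 255.255.255.0
nat (outside,outside) source static VPN_POOL VPN_POOL destination static CHECKPOINT_LAN CHECKPOINT_LAN no-proxy-arp route-lookup
!
! (5) Hairpinning: AnyConnect traffic arrives on outside and must leave on
!     outside again to enter the site-to-site tunnel.
same-security-traffic permit intra-interface
!
! Verification (run from the ASA CLI):
!   packet-tracer input outside icmp 10.99.0.10 8 0 10.2.0.10
!     -> every phase should show ALLOW; a drop in the NAT or VPN phase points
!        at item 4 or item 2 respectively.
!   show crypto ipsec sa peer 203.0.113.2
!     -> look for an SA whose local ident is 10.99.0.0/24; if only the
!        10.1.0.0/24 SA exists, the pool is not interesting traffic yet.
```

The packet-tracer check is the quickest way to tell which of the five items is still missing: the source address must be one from the pool and the input interface must be outside, because that is where decrypted AnyConnect traffic enters the ASA.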
Jordan Taylor, Network Engineer

Author

Commented:
Thank you for the help.