Cisco ASA to Checkpoint

Jordan Taylor
I am having trouble with a couple things in regard to the following.

I have an ASA where Cisco AnyConnect users connect to reach resources on the network. However, they are not able to reach anything over the tunnel from the ASA to the Checkpoint FW. Everything else is just fine.

Are there any main "gotchas" with Cisco ASA to Checkpoint firewalls?

Thank you.
Jimmy Larsson, CISSP, CEH, Network and Security consultant

Commented:
Anyconnect can only connect to Cisco ASA firewalls, not Checkpoints.

But are you saying that behind the Cisco ASA is a Checkpoint firewall? Or is there a site-to-site VPN between the ASA and the Checkpoint? Please clarify the topology...
Jordan Taylor, Network Engineer

Author

Commented:
Correct, there is a site-to-site VPN tunnel between the two, ASA-to-Checkpoint.

When the users connect to Cisco AnyConnect they are able to function, but they can't reach anything behind the Checkpoint FW. However, the users behind the Checkpoint can reach all networks as intended.

Thank you.
Jimmy Larsson, CISSP, CEH, Network and Security consultant
Commented:
So, your issue can have many reasons, like:

1) Your AnyConnect connection needs to be either full tunnel, or the split-include list needs to include the networks behind the Checkpoint.

2) Your ASA crypto ACL (that defines what should be tunneled to the Checkpoint) must include traffic from AnyConnect (i.e. the VPN pool) to the network(s) behind the Checkpoint.

3) Your Checkpoint VPN domain needs to be defined so that the Checkpoint understands that the VPN pool subnet exists beyond the VPN tunnel.

4) You need to do NAT exemption for traffic from the VPN pool to the Checkpoint subnet.

5) You need to allow hairpinning of traffic so that inbound traffic from AnyConnect will be allowed to U-turn back to outside (into the tunnel). Look for the command sysopt-connection permit intra-interface.

To further help you we need to see the relevant parts of your ASA configuration.
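As an added example (not from the thread or any of its participants), this is what those steps look like in ASA 8.3+ configuration. Every value is a constructed assumption: AnyConnect pool 10.10.10.0/24, network behind the Checkpoint 192.168.50.0/24, Checkpoint peer 203.0.113.10, an existing crypto map entry outside_map 10 and a group policy ANYCONNECT_GP. The hairpin step here uses same-security-traffic permit intra-interface, and the Checkpoint-side VPN domain change (step 3) is made in SmartConsole and is not shown.

```cisco
! Constructed example values, not taken from the original question:
!   AnyConnect pool            10.10.10.0/24
!   Network behind Checkpoint  192.168.50.0/24
!   Checkpoint peer            203.0.113.10 (documentation address)
!   Existing crypto map entry  outside_map 10
!   Existing group policy      ANYCONNECT_GP

object network ANYCONNECT_POOL
 subnet 10.10.10.0 255.255.255.0
object network CHECKPOINT_LAN
 subnet 192.168.50.0 255.255.255.0

! Step 1: split-include must carry the Checkpoint network, or clients
! will send that traffic out their local Internet connection instead.
access-list SPLIT_TUNNEL standard permit 192.168.50.0 255.255.255.0
group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Step 2: the site-to-site crypto ACL (interesting traffic) must match
! pool -> Checkpoint LAN, in addition to whatever LAN entries exist.
access-list OUTSIDE_CRYPTOMAP extended permit ip object ANYCONNECT_POOL object CHECKPOINT_LAN
crypto map outside_map 10 match address OUTSIDE_CRYPTOMAP
crypto map outside_map 10 set peer 203.0.113.10

! Step 3 (Checkpoint side): add 10.10.10.0/24 to the ASA gateway's VPN
! domain in SmartConsole so the Checkpoint accepts that proxy-ID. Not shown.

! Step 4: NAT exemption. The pool arrives on "outside" and leaves on
! "outside", so the identity NAT is (outside,outside), not (inside,outside).
nat (outside,outside) source static ANYCONNECT_POOL ANYCONNECT_POOL destination static CHECKPOINT_LAN CHECKPOINT_LAN no-proxy-arp route-lookup

! Step 5: permit the U-turn of traffic entering and leaving the same interface.
same-security-traffic permit intra-interface
```

After a client sends traffic, `show crypto ipsec sa peer 203.0.113.10` on the ASA should list a security association with local ident 10.10.10.0/24 and remote ident 192.168.50.0/24; if that SA never forms, the proxy-IDs on the two sides (steps 2 and 3) still disagree.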
Jordan Taylor, Network Engineer

Author

Commented:
Thank you, this was very helpful. Let me take a look and I will get back to you.
Pete Long, Technical Consultant
Commented:
This is a simple 'spoke to spoke' VPN problem. I've done plenty where the remote site is an ASA, but the fact it's a Checkpoint does not really matter; you just need to include the AnyConnect subnet range in the Checkpoint encryption domain (interesting traffic) and provide a NAT exemption for it also. Below is the principle:
Cisco Firewall VPN “Hair Pinning” Note: Cisco refer to this as a “Spoke to Spoke VPN”

P
Jordan Taylor, Network Engineer

Author

Commented:
Thank you for the help.
