cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1188
Views
0
Helpful
3
Replies
Beginner

ASA 5510 Behind CheckPoint FW

I originally had the 5510 configured and working when the CheckPoint FW wasn't in the picture. We then decided to move the 5510 behind the CheckPoint FW so that we could configure the CheckPoint as the gateway using an ARIN IP address. Since moving it behind the firewall I can't get an IPSEC VPN connection to connect, and I also don't see any traffic on any of the device logs.

I'm thinking that there may still be an issue with the CheckPoint FW setup, but wanted to see if anyone else could offer any suggestions. I didn't set up the interface on the CheckPoint and I also don't have visibility into it so I'm just trying to make sure everything on my side is ok.

Attaching config from the ASA 5510.

THANKS

ASA Version 8.2(5)

!

hostname ASA

enable password xxxxxxxxxxxxx encrypted

passwd xxxxxxxxxxxxx encrypted

names

!

interface Ethernet0/0

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/1

nameif outside_ARIN

security-level 0

ip address 74.116.xxx.xxx 255.255.255.248

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

nameif inside

security-level 100

ip address 192.168.xxx.xxx 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 10.10.xxx.xxx 255.255.255.0

management-only

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list outside_ARIN_1_cryptomap extended permit ip any 192.168.xxx.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any 192.168.xxx.0 255.255.255.0

pager lines 24

logging asdm informational

mtu management 1500

mtu inside 1500

mtu outside_ARIN 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside) 0 access-list inside_nat0_outbound

route outside_ARIN 0.0.0.0 0.0.0.0 74.116.xxx.xxx 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 10.10.xxx.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport

crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport

crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport

crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport

crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport

crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport

crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport

crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac

crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_ARIN_map 1 match address outside_ARIN_1_cryptomap

crypto map outside_ARIN_map 1 set pfs

crypto map outside_ARIN_map 1 set peer 67.79.xxx.xxx

crypto map outside_ARIN_map 1 set transform-set ESP-AES-128-SHA

crypto map outside_ARIN_map 1 set security-association lifetime seconds 3600

crypto map outside_ARIN_map 1 set phase1-mode aggressive

crypto map outside_ARIN_map interface outside_ARIN

crypto isakmp enable outside_ARIN

crypto isakmp policy 10

authentication pre-share

encryption aes

hash sha

group 2

lifetime 28800

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 10.10.xxx.xxx-10.10.xxx.xxx management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

tunnel-group 67.79.xxx.xxx type ipsec-l2l

tunnel-group 67.79.xxx.xxx ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:91aef8bb6c039f259e87c98020eaf90b

: end

no asdm history enable

Everyone's tags (6)
3 REPLIES 3
Highlighted
Enthusiast

Re: ASA 5510 Behind CheckPoint FW

1- are you using Private IP address on the ASA outside interface?  If that is true, you need the checkpoint to do the NAT for the ASA

2- create rule on the Checkpoint FW to allow IPSec (udp-500, udp 4500 " for NAT-T" and proto 50 "ESP")between remote VPN peer and your ASA device.

Easy right?

Highlighted
Beginner

ASA 5510 Behind CheckPoint FW

THANKS!!! I'll give that a try today. Yes, we are using a private dedicated WAN address for the outside interface. So I should remove the nat (inside) 0 access-list inside_nat0_outbound statement from the ASA and set the CheckPoint to NAT?

Highlighted
Enthusiast

ASA 5510 Behind CheckPoint FW

You should NOT remove any thing on the ASA. 

You just need to change the ASA outside interface IP address from 74.116.xxx.xxx to a new RFC 1918 private address (10.1.1.1?) and let the Checkpoint firewall to NA T74.116.xxx.xxx to 10.1.1.1

Unless you have other things in mind.