Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
812
Views
0
Helpful
4
Replies

ASA to Checkpoint

diccondupre
Level 1
Level 1

‎10-01-2007 06:23 AM - edited ‎02-21-2020 01:42 AM

Hi there, we have an ASA 5510 and have a VPN to a 3rd party who use a Checkpoint R62 Secure Platform with 4.1 Nokia IPSO and there are a few problems with the VPN establishment.

We know there are lifetime differences and have set according the 3rd parties specifications, we have had issues in the past with Checkpoint devices but with this one we quite often see the tunnel come up, traffic passes from our network to their with response back but they cannot access our network.

Are there any Cisco documents about compatability issues or similar? In terms of config changes we are pretty certain ours is fine as the VPN eventually stabilises and they can send traffic too so the lifetimes and all other authentication and encryption should be ok.

TIA!

0 Helpful
4 Replies 4

Danilo Dy
VIP Alumni
VIP Alumni

‎10-01-2007 07:10 AM

Hi,

Have you checked this http://www.cisco.com/warp/public/707/pix-checkpt.html

CheckPoint has the best logging of all the firewall in the world. Have you ask the CheckPoint firewall admin to check their logs?

Regards,

Dandy

0 Helpful

diccondupre
Level 1
Level 1
In response to Danilo Dy

‎10-01-2007 07:14 AM

Thanks for the link Dandy, our side of the config is basically the same with obvious changes for being ASA, as far as their side they are a financial house and are unwilling to offer any information to us. I will re-query them but if anyone else has any useful information that would be cool.

0 Helpful

brownr
Level 1
Level 1

‎10-10-2007 12:51 PM

Make sure the network definitions (ie subnet masks) for your encryption domain and that of the Check Point gateway match exactly. If they are not defined the same, Check Point will often fail phase 2 for outbound traffic, while inbound traffic at the CP gateway will work fine.

Cheers!

Ron

0 Helpful

johnnylingo
Level 5
Level 5
In response to brownr

‎01-19-2008 03:29 PM

Just wanted to reiterate this...key word here is *exactly*. We tried this last week and found out that if the Checkpoint is set to summarize some subets (for example 192.168.0.0/23) and the ASA is set for 192.168.0.0/24 and 192.168.1.0/24, the tunnel will come up and work for a couple hours before dropping and not coming back. Having them exactly the same on both ends fixed everything.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card