
Tunnel PIX-CheckPoint

pslavkovsky
Level 1

Hi,

I would like to create a VPN tunnel between PIX and CheckPoint.

Are there any recommendations, or do you have some experience with this situation?

Thank you very much for your tips.

Peter


Follow the instructions in the previous post and take care of the points below:

1.) The SA lifetime is different between the Cisco and CheckPoint implementations. Both have to be equal.

2.) Some CheckPoint versions are only able to communicate with a PIX in DH Group 1; I don't know why. The same goes for PFS (Perfect Forward Secrecy), if you use that.

3.) Define the PIX as an embedded device in the CP config tab.

4.) Take care of your VPN access-list in the PIX and the VPN Domain on your CheckPoint FW definition.

Hope that helps

Patrick

Thanks,

But I do not clearly understand point 4.

Please, explain it.

Thanks

Peter

The VPN access-list defines the interesting traffic, as used for ISDN configs for example; this defines which internal traffic is encrypted.

PIX(config)# access-list VPN permit ip Internalnet ISubnet Externalnet ESubnet

PIX(config)# crypto map REMOTE 10 match address VPN

This is the same thing as the encryption domain in CheckPoint's language.

Be sure that they are identical, otherwise the policy is not accepted by the PIX.

Sincerely

Patrick
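
Added example (not part of the original posts, and not Cisco or CheckPoint code): a Python check that the PIX crypto access-list and the CheckPoint encryption domains describe the same network pairs. The subnets, the sample config and all function names are constructed for illustration; it assumes the CheckPoint domains are typed in by hand as CIDR lists and that every PIX-side network should pair with every CheckPoint-side network.

```python
import ipaddress
from itertools import product

# Constructed sample: PIX crypto ACL plus the crypto map entry that references it.
PIX_CONFIG = """\
access-list VPN permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VPN permit ip 10.1.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VPN permit ip 10.1.1.0 255.255.255.0 192.168.20.0 255.255.254.0
crypto map REMOTE 10 match address VPN
"""
# Assumption: both VPN domains as defined on the CheckPoint side, typed in by hand.
PIX_SIDE_DOMAIN = ["10.1.1.0/24", "10.1.2.0/24"]
CHECKPOINT_DOMAIN = ["192.168.10.0/24", "192.168.20.0/24"]


def crypto_acl_name(config, map_name):
    """Name of the ACL bound by 'crypto map <map> <seq> match address <acl>'."""
    for line in config.splitlines():
        tok = line.split()
        if (len(tok) == 7 and tok[:3] == ["crypto", "map", map_name]
                and tok[4:6] == ["match", "address"]):
            return tok[6]
    raise ValueError(f"no 'match address' entry for crypto map {map_name}")


def pix_pairs(config, acl):
    """(local, remote) networks from 'access-list <acl> permit ip net mask net mask'."""
    pairs = set()
    for line in config.splitlines():
        tok = line.split()
        if len(tok) == 8 and tok[:4] == ["access-list", acl, "permit", "ip"]:
            # PIX ACLs use subnet masks; strict parsing rejects host bits in a network.
            pairs.add((ipaddress.ip_network(f"{tok[4]}/{tok[5]}"),
                       ipaddress.ip_network(f"{tok[6]}/{tok[7]}")))
    return pairs


def compare(config, map_name, pix_domain, cp_domain):
    """Pairs the CheckPoint domains imply but the PIX lacks, and the reverse."""
    have = pix_pairs(config, crypto_acl_name(config, map_name))
    want = {(ipaddress.ip_network(a), ipaddress.ip_network(b))
            for a, b in product(pix_domain, cp_domain)}
    fmt = lambda pairs: [f"{s} -> {d}" for s, d in sorted(pairs)]
    return {"missing_on_pix": fmt(want - have), "only_on_pix": fmt(have - want)}


if __name__ == "__main__":
    result = compare(PIX_CONFIG, "REMOTE", PIX_SIDE_DOMAIN, CHECKPOINT_DOMAIN)
    for kind, pairs in result.items():
        for p in pairs:
            print(f"{kind}: {p}")
```

In the constructed sample, the third ACL line uses a 255.255.254.0 mask where the CheckPoint domain has a /24, so that pair is reported as present only on the PIX and two expected pairs are reported as missing.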

Patrick,

Thank you very much for your help.

Peter
