06-16-2020 10:57 AM
Hi All,
New to Cisco, but I have managed to set up an IPsec VPN from a Checkpoint appliance to a Cisco ISR 1100. I have a private network on both sides. I have really inconsistent ping results at best, and can't really communicate between the 2 segments in any other way. IP addresses have been changed; any help is greatly appreciated. The end goal is that nobody but the 2 segments can talk to each other, but the 2 segments can talk to each other over any port. I feel like this has something to do with NATing, but I have tried everything I can think of.
So right now, 192.168.1.1 behind the Cisco can ping a single host behind the Checkpoint, 192.168.2.10, fairly consistently, but cannot ping 192.168.2.1 at all. Ping the other way works to the VLAN IP and the VRRP IP from 192.168.2.10, but not to 192.168.1.1, and again, nothing works from 192.168.2.1.
Everything else I have tried (ssh, rdp, etc.) fails as well. The tunnel appears established and stable on both sides. The Checkpoint side has an any/any rule back and forth and does not appear to be dropping traffic; it appears to be encrypting and decrypting as it should.
show run
Building configuration...
Current configuration : 10132 bytes
!
! Last configuration change at 09:14:57 PDT Tue Jun 16 2020
!
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname xxxxxxx
!
boot-start-marker
boot-end-marker
!
!
logging buffered 16386
logging rate-limit 100 except warnings
no logging console
no logging monitor
!
no aaa new-model
clock timezone pacific -8 0
clock summer-time PDT recurring
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
!
!
!
ip name-server 8.8.8.8
ip domain name mydomainname
!
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
chat-script ltescript "" "AT!CALL1" TIMEOUT 20 "OK"
!
!
!
!
!
cts logging verbose
no license feature hseck9
license udi pid C1111-4PLTEEA sn FGL2410L149
license boot level securityk9
license smart enable
license smart conversion automatic
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
redundancy
mode none
!
!
!
!
controller Cellular 0/2/0
lte sim data-profile 3 attach-profile 3 slot 0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key mypresharedkey address XXX.XXX.XXX.XXX (Checkpoint Public IP)
!
!
crypto ipsec transform-set VPN1 esp-aes esp-sha-hmac
mode tunnel
!
!
!
crypto map VPN-MAP 1 ipsec-isakmp
set peer XXX.XXX.XXX.XXX (Checkpoint Pub IP)
set transform-set VPN1
match address 198
!
!
!
!
!
!
!
!
interface Loopback1
description ### always-on interface ###
ip address 1.2.3.4 255.255.255.255
!
interface Loopback4321
description ### DMNR NEMO Router Address -- Dummy non-routable IP ###
ip address 4.3.2.1 255.255.255.255
!
interface GigabitEthernet0/0/0
description Internal - 192.168.150.0
no ip address
ip tcp adjust-mss 1300
ip policy route-map clear-df
negotiation auto
!
interface GigabitEthernet0/0/1
!
interface GigabitEthernet0/1/0
ip access-group 100 out
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
switchport access vlan 100
switchport mode access
!
interface Cellular0/2/0
description Primary_
ip address negotiated
no ip unreachables
ip nat outside
ip access-group 150 in
load-interval 30
dialer in-band
dialer idle-timeout 0
dialer enable-timeout 6
dialer watch-group 1
dialer-group 1
ipv6 enable
pulse-time 1
crypto map VPN-MAP
!
interface Cellular0/2/1
no ip address
!
interface Vlan1 (Different unused port at the moment)
ip address 192.168.150.250 255.255.255.0
ip tcp adjust-mss 1390
ip policy route-map clear-df
ntp broadcast
vrrp 91 ip 192.168.150.252
vrrp 91 priority 110
!
interface Vlan100
ip address 192.168.1.250 255.255.255.0
ip nat inside
ip tcp adjust-mss 1390
ip policy route-map clear-df
ntp broadcast
vrrp 100 ip 192.168.1.252
vrrp 100 priority 110
!
ip nat pool INTERNET YYY.YYY.YYY.YYY YYY.YYY.YYY.YYY (Both are pub IP of Cisco ISR) netmask 255.255.255.252
ip nat inside source route-map nonat pool INTERNET
ip forward-protocol nd
ip tcp mss 1300
ip http server
ip http authentication local
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0
ip ssh time-out 60
ip ssh version 2
!
!
access-list 100 permit ip 192.168.150.0 0.0.0.255 any log
access-list 150 permit ip host XXX.XXX.XXX.XXX (Pub IP of Checkpoint) any log
access-list 150 permit icmp host 8.8.8.8 any log
access-list 150 permit udp host 8.8.8.8 eq domain any
access-list 150 permit udp host 198.224.174.135 eq domain any
access-list 150 permit udp host 198.224.173.135 eq domain any
access-list 150 deny ip any any log
access-list 151 permit tcp any any log
access-list 198 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.1.255 log
access-list 198 deny ip 192.168.1.0 0.0.0.255 any log
access-list 199 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.1.254 log
access-list 199 permit ip 192.168.1.0 0.0.0.255 any log
dialer watch-list 1 ip 5.6.7.8 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
dialer-list 1 protocol ip permit
!
!
route-map clear-df permit 10
set ip df 0
!
route-map nonat permit 10
match ip address 199
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
login local
length 0
transport input ssh
!
!
!
!
!
!
end
This is non-prod, so I can gut and revamp as needed. Any help is greatly appreciated!
Thank you in advance!
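Added example (not part of the original post, and not Cisco code): a small Python model of IOS wildcard-mask ACL matching, applied to access-lists 198 and 199 exactly as they appear in the config above. On IOS the inside-to-outside NAT translation happens before the crypto map is consulted, so a flow that is not exempted from NAT by ACL 199 reaches crypto ACL 198 with the router's public address as its source and never matches it. The destination wildcard in ACL 199 is 0.0.1.254, which is non-contiguous: bit 0 of the last octet must still equal the 0 in 192.168.2.0, so only even-numbered hosts are exempted. The model below reproduces the behaviour described in the post (192.168.2.10 reachable, 192.168.2.1 not) and shows the effect of changing the wildcard to 0.0.1.255 to match ACL 198. The public IP 203.0.113.1 and the ACL names are stand-ins; the correction in ACL_199_FIXED is a suggestion, not something the post contains.

```python
"""Model of IOS wildcard-mask ACL matching applied to the posted NAT-exemption
(ACL 199) and crypto (ACL 198) access-lists. Added example, not Cisco code."""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")

# Entries as posted: (action, src_base, src_wildcard, dst_base, dst_wildcard)
ACL_198_CRYPTO = [
    ("permit", "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.1.255"),
    ("deny",   "192.168.1.0", "0.0.0.255", *ANY),
]
# route-map nonat matches ACL 199: "permit" means the flow IS translated,
# "deny" means the flow is exempt from NAT.
ACL_199_NONAT = [
    ("deny",   "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.1.254"),
    ("permit", "192.168.1.0", "0.0.0.255", *ANY),
]
# Suggested correction (assumption, not from the post): contiguous wildcard
# 0.0.1.255 = 192.168.2.0/23, the same range crypto ACL 198 encrypts.
ACL_199_FIXED = [
    ("deny",   "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.1.255"),
    ("permit", "192.168.1.0", "0.0.0.255", *ANY),
]

PLACEHOLDER_PUBLIC_IP = "203.0.113.1"  # assumed stand-in for the ISR's NAT pool address


def wildcard_match(addr, base, wildcard):
    """IOS semantics: wildcard bit 1 = don't care, wildcard bit 0 = must match base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_action(acl, src, dst):
    """First-match evaluation with the implicit deny IOS appends to every ACL."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def inside_to_outside(src, dst, nonat_acl, crypto_acl=ACL_198_CRYPTO):
    """IOS applies inside->outside NAT before the crypto map, so a translated flow
    is compared against the crypto ACL with its public (post-NAT) source."""
    natted = acl_action(nonat_acl, src, dst) == "permit"
    post_nat_src = PLACEHOLDER_PUBLIC_IP if natted else src
    encrypted = acl_action(crypto_acl, post_nat_src, dst) == "permit"
    return {"natted": natted, "encrypted": encrypted}


def nat_exempt_hosts(nonat_acl, src="192.168.1.1", dst_net="192.168.2.0/24"):
    """Count destinations in dst_net that the NAT route-map ACL exempts (denies)."""
    return sum(acl_action(nonat_acl, src, str(h)) == "deny"
               for h in ipaddress.ip_network(dst_net))


if __name__ == "__main__":
    for dst in ("192.168.2.10", "192.168.2.1"):
        print(dst, "as posted:", inside_to_outside("192.168.1.1", dst, ACL_199_NONAT))
        print(dst, "fixed    :", inside_to_outside("192.168.1.1", dst, ACL_199_FIXED))
    print("hosts in 192.168.2.0/24 exempt from NAT as posted:",
          nat_exempt_hosts(ACL_199_NONAT), "of 256")
```

The model only covers the Cisco-to-Checkpoint direction; return traffic and the Checkpoint's own rulebase are not represented. As a practical check on the router itself, `show ip nat translations` after pinging 192.168.2.1 from 192.168.1.1 would show a translation for that flow if the exemption is not matching, and `show crypto ipsec sa` would show the encrypt counter staying flat for it.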