How to configure ASA5520 to Checkpoint IPsec tunnel configuration

llmathenjwa
Level 1

Hi Guys, and under stress, a lot of it!!!

I have a problem. I have set up an IPsec tunnel between my ASA5520 and a Checkpoint firewall (PE). Config below (not real IPs):

object network ASA_MAPPED
 subnet 4.4.4.0 255.255.255.0
object network CHECKPOINT_MAPPED
 subnet 5.5.5.0 255.255.255.0

access-list OUT_CRYPTO extended permit ip object ASA_MAPPED object CHECKPOINT_MAPPED

crypto ipsec ikev1 transform-set CHECKPOINT_SET esp-aes esp-sha-hmac

nat (INSIDE,OUTSIDE) source static ALLNETWORKS(10.0.0.0/16) ASA_MAPPED destination static CHECKPOINT_MAPPED CHECKPOINT_MAPPED
nat (INSIDE,OUTSIDE) source static ALLNETWORKS(10.0.0.0/16) ASA_MAPPED destination static 4.4.4.11 5.5.5.11

crypto map CHECKPOINT_MAP 5 match address OUT_CRYPTO
crypto map CHECKPOINT_MAP 5 set peer X.X.X.X
crypto map CHECKPOINT_MAP 5 set ikev1 transform-set CHECKPOINT_SET
crypto map CHECKPOINT_MAP 5 set security-association lifetime seconds 3600
crypto map CHECKPOINT_MAP interface OUTSIDE

tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 ikev1 pre-shared-key 1234

crypto isakmp nat-traversal 10
crypto ikev1 enable OUTSIDE

crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400

The IPsec tunnel is up and I can access the servers on the other side via the NATted range; for example, a server behind the Checkpoint with IP 10.90.55.11 is accessed from behind the ASA as 4.4.4.11. The problem is that I have never worked on a Checkpoint firewall, and from the server(s) at 4.4.4.11 I cannot connect back to my environment. The Checkpoint is set up with a tunnel interface which is also supposed to do NAT because of overlapping networks. At one point I added an access-list of any any and bidirectional routing was achieved, but I encountered a new problem I could not overlook: my public servers became inaccessible, since all traffic was getting encrypted and dropped at VPN: ipsec-tunnel-flow. At the moment the tunnel is up and I can access the servers via NAT 4.4.4.11, but they cannot access my internal servers. WHAT HAVE I DONE WRONG (also I do not have access to the Checkpoint firewall (PE))? How would their setup be, or how should it be, to allow bidirectional routing????

========================================================

Crypto map tag: CHECKPOINT_MAP, seq num: 5, local addr: X.X.X.X

      access-list OUT_5_CRYPTO extended permit ip 4.4.4.0 255.255.255.0 5.5.5.0 255.255.255.0
      local ident (addr/mask/prot/port): (4.4.4.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (5.5.5.0/255.255.255.0/0/0)
      current_peer: X.X.X.X

      #pkts encaps: 3207, #pkts encrypt: 3207, #pkts digest: 3207
      #pkts decaps: 3417, #pkts decrypt: 3417, #pkts verify: 3417
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 3207, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: X.X.X.X/0, remote crypto endpt.: X.X.X.X/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 5254EDC6
      current inbound spi : 36DAB960

    inbound esp sas:
      spi: 0x36DAB960 (920303968)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 19099648, crypto-map: CHECKPOINT_MAP
         sa timing: remaining key lifetime (kB/sec): (3914999/3537)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000000F
    outbound esp sas:
      spi: 0x5254EDC6 (1381297606)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 19099648, crypto-map: CHECKPOINT_MAP
         sa timing: remaining key lifetime (kB/sec): (3914999/3537)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001


5 Replies

Andrew Phirsov
Level 7

Why do you need this NAT rule?:

nat (INSIDE,OUTSIDE) source static ALLNETWORKS(10.0.0.0/16) ASA_MAPPED destination static 4.4.4.11 5.5.5.11

From this config:

object network ASA_MAPPED
 subnet 4.4.4.0 255.255.255.0
object network CHECKPOINT_MAPPED
 subnet 5.5.5.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static ALLNETWORKS(10.0.0.0/16) ASA_MAPPED destination static CHECKPOINT_MAPPED CHECKPOINT_MAPPED,

I would assume, if the sites have overlapping subnets, you're planning to translate:

- the subnet behind the Checkpoint, when going to the ASA, to look like 5.5.5.0/24
- the subnet behind the ASA, when going to the Checkpoint, to look like 4.4.4.0/24

So to me, the server behind the Checkpoint should have IP 5.5.5.11 when connecting to it from behind the ASA, not 4.4.4.11.

Except for that NAT rule I mentioned, the config seems normal to me.

What do you mean by saying that you don't have access to your internal servers? From where?

Hi Andrew,

The one-to-one NAT is for our internal systems guys to be able to identify the server easily, but you are correct, there is no need for it. However, would this still work given that more than 5 sites will be connecting to that environment, and they are all different subnets and ranges?

Also, as I mentioned, from my internal network I can access the servers, but the servers on the other side cannot, unless I include any any on my access-list. The problem with that is that my public servers then get encrypted from the OUTSIDE interface, unless you know of a way to bypass the VPN: ipsec-tunnel-flow

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information

I have tried denying the IP and its NATted IP by adding line 1 as deny ip host (NAT IP) and (real IP), but was unsuccessful. So the question is how to get this working with the Checkpoint for traffic to flow both ways.

Thanks for the quick response, appreciated in this time of frustration.

"unless I include any any on my access-list and the problem with that is that my Public servers then get encrypted from the OUTSIDE interface unless you know of a way to bypass the VPN"

No, you certainly shouldn't do permit 0.0.0.0 for the proxy ACL. Again, your config is fine. Plus, the packet counts here show that traffic is going through the tunnel both ways:

#pkts encaps: 3207
#pkts decaps: 3417

Also, looking at these counters, I may assume that some traffic comes from the other site but doesn't return back (maybe that's where you can't connect from behind the Checkpoint). If you say that 0.0.0.0 solved the issue, aren't there any other NAT rules for the subnet behind the ASA, so that the server IP to which you're trying to connect from behind the Checkpoint translates to something else (not the range included in the proxy ACL) when going back?
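The two symptoms discussed in this thread (return traffic from an ASA-side server that leaves the crypto ACL after NAT, and public-server traffic being forced into the tunnel by a permit any any proxy ACL) can be reproduced with a small model of the ASA's egress decision: twice-NAT first match, then crypto ACL match on the post-NAT addresses. This is an added example, not code from the poster or Andrew; it uses the thread's 4.4.4.0/24 and 5.5.5.0/24 mapped ranges, a constructed 10.0.0.0/24 inside LAN instead of the /16, and a hypothetical second NAT rule (10.0.2.0/24 to 203.0.113.0/24) standing in for the "other NAT rule" Andrew asks about, which nothing on the page confirms exists.

```python
import ipaddress

IPNet, IPAddr = ipaddress.ip_network, ipaddress.ip_address

# Crypto (proxy) ACL from the thread, plus the "permit ip any any" variant the poster tried.
CRYPTO_ACL = [(IPNet("4.4.4.0/24"), IPNet("5.5.5.0/24"))]
ANY_ANY_ACL = [(IPNet("0.0.0.0/0"), IPNet("0.0.0.0/0"))]

# Constructed twice-NAT rules, first match wins: (real_src, mapped_src, real_dst).
#  1. inside LAN -> ASA_MAPPED when talking to CHECKPOINT_MAPPED (as in the post, with a /24)
#  2. hypothetical server subnet translated to a public range for all destinations
NAT_RULES = [
    (IPNet("10.0.0.0/24"), IPNet("4.4.4.0/24"), IPNet("5.5.5.0/24")),
    (IPNet("10.0.2.0/24"), IPNet("203.0.113.0/24"), IPNet("0.0.0.0/0")),
]

def static_translate(addr, real_net, mapped_net):
    """Static net-to-net NAT keeps the host offset within the subnet."""
    offset = int(addr) - int(real_net.network_address)
    return IPAddr(int(mapped_net.network_address) + offset)

def post_nat_source(real_src, dst, rules=NAT_RULES):
    """Source address after the first matching twice-NAT rule, or unchanged if none matches."""
    real_src, dst = IPAddr(real_src), IPAddr(dst)
    for real_net, mapped_net, dst_net in rules:
        if real_src in real_net and dst in dst_net:
            return static_translate(real_src, real_net, mapped_net)
    return real_src

def matches_crypto_acl(src, dst, acl):
    """True if the post-NAT (src, dst) pair hits a permit line of the proxy ACL."""
    src, dst = IPAddr(src), IPAddr(dst)
    return any(src in s_net and dst in d_net for s_net, d_net in acl)

def egress_path(real_src, dst, acl=CRYPTO_ACL, rules=NAT_RULES):
    """'tunnel' if the ASA would encrypt the packet toward the peer, 'clear' otherwise."""
    src = post_nat_source(real_src, dst, rules)
    return "tunnel" if matches_crypto_acl(src, dst, acl) else "clear"

if __name__ == "__main__":
    # inside host to the Checkpoint-side server: mapped to 4.4.4.11, matches the ACL
    print(egress_path("10.0.0.11", "5.5.5.11"))                  # tunnel
    # server covered by the second NAT rule answering the remote side: leaves the ACL
    print(egress_path("10.0.2.9", "5.5.5.11"))                   # clear
    # public server answering an internet client: untouched with the proper ACL ...
    print(egress_path("10.0.2.9", "198.51.100.7"))               # clear
    # ... but forced into the tunnel by permit ip any any, the symptom the poster saw
    print(egress_path("10.0.2.9", "198.51.100.7", ANY_ANY_ACL))  # tunnel
```

The ASA's own packet-tracer gives the same verdict per flow (the poster's Phase 8 VPN/encrypt output is one such run), so the "clear" case for 10.0.2.9 is what to look for when a reply from an ASA-side server never reaches the Checkpoint.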

Andrew,

From what you mention I think you are right, and no, there isn't any other NAT, which is why I am so confused and also frustrated with this. If possible, do you have or know of any documentation that would cover the Checkpoint configuration to an ASA on overlapping networks?

Thanks for your support Andrew

No, I can just google for something like "cisco to checkpoint vpn overlapping subnet")) Unfortunately I've no experience with Checkpoint, like you, but to me there shouldn't be anything special about Checkpoint. I just can't understand how a two-way connection may work fine in one direction and not in the other. There shouldn't be something wrong with NAT or routing, but I'm a little frustrated about what it might be, given your explanations.. I'll let you know if I think of something.