07-16-2013 02:28 AM - edited 02-21-2020 07:01 PM
Hi Guys, and I'm under stress, a lot of it!!!
I have a problem. I have set up an IPsec tunnel between my ASA5520 and a Checkpoint Firewall (PE). Config below (not real IPs):
object network ALLNETWORKS
 subnet 10.0.0.0 255.255.0.0
object network ASA_MAPPED
 subnet 4.4.4.0 255.255.255.0
object network CHECKPOINT_MAPPED
 subnet 5.5.5.0 255.255.255.0
access-list OUT_CRYPTO extended permit ip object ASA_MAPPED object CHECKPOINT_MAPPED
crypto ipsec ikev1 transform-set CHECKPOINT_SET esp-aes esp-sha-hmac
nat (INSIDE,OUTSIDE) source static ALLNETWORKS ASA_MAPPED destination static CHECKPOINT_MAPPED CHECKPOINT_MAPPED
nat (INSIDE,OUTSIDE) source static ALLNETWORKS ASA_MAPPED destination static 4.4.4.11 5.5.5.11
crypto map CHECKPOINT_MAP 5 match address OUT_CRYPTO
crypto map CHECKPOINT_MAP 5 set peer X.X.X.X
crypto map CHECKPOINT_MAP 5 set ikev1 transform-set CHECKPOINT_SET
crypto map CHECKPOINT_MAP 5 set security-association lifetime seconds 3600
crypto map CHECKPOINT_MAP interface OUTSIDE
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 ikev1 pre-shared-key 1234
crypto isakmp nat-traversal 10
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
The IPsec tunnel is up and I can access the servers on the other side via the NATted range; for example, a server behind the Checkpoint with IP 10.90.55.11 is accessed from behind the ASA as 4.4.4.11. The problem is that I have never worked on a Checkpoint Firewall, and from the server(s) 4.4.4.11 I cannot connect back to my environment. The Checkpoint is set up with a tunnel interface which is also supposed to do NAT because of overlapping networks. At one point I added an access-list of any any and bidirectional routing was achieved, but I encountered a new problem I could not overlook: my public servers became inaccessible, since all traffic was getting encrypted and dropped at VPN: ipsec-tunnel-flow. At the moment the tunnel is up and I can access the servers via NAT (4.4.4.11), but cannot access my internal servers. WHAT HAVE I DONE WRONG? (Also, I do not have access to the Checkpoint Firewall (PE).) How would their setup be, or how should it be, to allow bidirectional routing????
========================================================
Crypto map tag: CHECKPOINT_MAP, seq num: 5, local addr: X.X.X.X
access-list OUT_5_CRYPTO extended permit ip 4.4.4.0 255.255.255.0 5.5.5.0 255.255.255.0
local ident (addr/mask/prot/port): (4.4.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (5.5.5.0/255.255.255.0/0/0)
current_peer: X.X.X.X
#pkts encaps: 3207, #pkts encrypt: 3207, #pkts digest: 3207
#pkts decaps: 3417, #pkts decrypt: 3417, #pkts verify: 3417
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3207, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: X.X.X.X/0, remote crypto endpt.: X.X.X.X/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 5254EDC6
current inbound spi : 36DAB960
inbound esp sas:
spi: 0x36DAB960 (920303968)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 19099648, crypto-map: CHECKPOINT_MAP
sa timing: remaining key lifetime (kB/sec): (3914999/3537)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000000F
outbound esp sas:
spi: 0x5254EDC6 (1381297606)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 19099648, crypto-map: CHECKPOINT_MAP
sa timing: remaining key lifetime (kB/sec): (3914999/3537)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
07-16-2013 06:08 AM
Why do you need this NAT rule?
nat (INSIDE,OUTSIDE) source static ALLNETWORKS(10.0.0.0/16) ASA_MAPPED destination static 4.4.4.11 5.5.5.11
From this config:
object network ASA_MAPPED
subnet 4.4.4.0 255.255.255.0
object network CHECKPOINT_MAPPED
subnet 5.5.5.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static ALLNETWORKS(10.0.0.0/16) ASA_MAPPED destination static CHECKPOINT_MAPPED CHECKPOINT_MAPPED,
I would assume, if the sites have overlapping subnets, you're planning to translate:
the subnet behind the Checkpoint, when going to the ASA, to look like 5.5.5.0/24
the subnet behind the ASA, when going to the Checkpoint, to look like 4.4.4.0/24
So to me, the server behind the Checkpoint should have IP 5.5.5.11 when connecting to it from behind the ASA, not 4.4.4.11.
Except for that NAT rule I mentioned, the config seems normal to me.
What do you mean by saying that you don't have access to your internal servers? From where?
07-16-2013 06:22 AM
Hi Andrew,
The one-to-one NAT is for our internal systems guys to be able to identify the server easily, but you are correct, there is no need for it. However, would this still work given that more than 5 sites will be connecting to that environment, and it's all different subnets and ranges?
Also, as I mentioned, from my internal network I can access the servers, but the servers on the other side cannot, unless I include any any on my access-list, and the problem with that is that my public servers then get encrypted from the OUTSIDE interface, unless you know of a way to bypass the VPN: ipsec-tunnel-flow
Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information
I have tried denying the IP and its NATted IP by adding line 1 as deny ip host (NAT IP) and (real IP), but was unsuccessful. So the question is how to get this working with Checkpoint for traffic to flow both ways.
Thanks for the quick response, appreciated in this time of frustration.
07-16-2013 06:49 AM
unless I include any any on my access-list and the problem with that is that my Public servers then get encrypted from the OUTSIDE interface unless you know of a way to bypass the VPN
No, you certainly shouldn't do permit 0.0.0.0 for the proxy ACL. Again, your config is fine. Plus, the packet counts here show that traffic is going through the tunnel both ways:
#pkts encaps: 3207
#pkts decaps: 3417
Also, looking at these counters, I may assume that some traffic comes from the other site but doesn't return back (maybe that's where you can't connect from behind the Checkpoint). If you say that 0.0.0.0 solved the issue, isn't there any other NAT rule for the subnet behind the ASA, so that the server IP to which you're trying to connect from behind the Checkpoint translates to something else (not the range included in the proxy ACL) when going back?
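To make the two points in this thread concrete (why a permit ip any any proxy ACL pulls Internet-bound traffic into the crypto map, and Andrew's hypothesis that a different NAT rule could re-translate the reply so it no longer matches the proxy ACL), here is an added model of the poster's ASA rules. It is constructed for this thread, not Cisco code: the ASA translates an inside-to-outside packet first and then matches the translated addresses against the proxy ACL, first matching NAT rule wins, and static NAT is one-to-one (a host beyond the first 256 of 10.0.0.0/16 has no slot in a /24). PUBLIC_WEB is an assumed public-server NAT that is not on the page.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's ASA (not Cisco code): ordered twice-NAT
# rules plus the crypto-map proxy ACL, evaluated in ASA order for an
# inside -> outside packet: translate first, then match the proxy ACL.
INSIDE = ip_network("10.0.0.0/16")            # ALLNETWORKS in the post
ASA_MAPPED = ip_network("4.4.4.0/24")
CP_MAPPED = ip_network("5.5.5.0/24")
ANY = ip_network("0.0.0.0/0")

# Proxy ACL from the post, and the "permit ip any any" variant the poster tried.
OUT_CRYPTO = [(ASA_MAPPED, CP_MAPPED)]
ANY_ANY = [(ANY, ANY)]

# NAT rules as (real_src, destination_condition, mapped_src); first match wins.
TUNNEL_NAT = (INSIDE, CP_MAPPED, ASA_MAPPED)   # the post's twice-NAT rule
# Assumed static NAT for a public server; not on the page, constructed here.
PUBLIC_WEB = (ip_network("10.0.0.11/32"), ANY, ip_network("203.0.113.11/32"))


def static_translate(addr, real, mapped):
    """One-to-one static NAT: keep the host offset, swap the network prefix."""
    offset = int(addr) - int(real.network_address)
    if offset >= mapped.num_addresses:
        raise ValueError(f"{addr} has no one-to-one slot in {mapped}")
    return ip_address(int(mapped.network_address) + offset)


def outbound(src, dst, nat_rules, proxy_acl):
    """Return ('encrypt' | 'clear', translated source) for one packet."""
    src, dst = ip_address(src), ip_address(dst)
    for real, dst_cond, mapped in nat_rules:      # NAT happens before crypto
        if src in real and dst in dst_cond:
            src = static_translate(src, real, mapped)
            break
    for s_net, d_net in proxy_acl:                # crypto map match on NATted addrs
        if src in s_net and dst in d_net:
            return "encrypt", str(src)
    return "clear", str(src)


if __name__ == "__main__":
    # Reply to the Checkpoint side: tunnel NAT first -> 4.4.4.11, encrypted.
    print(outbound("10.0.0.11", "5.5.5.11", [TUNNEL_NAT], OUT_CRYPTO))
    # Internet-bound packet with the real ACL stays clear ...
    print(outbound("10.0.0.11", "198.51.100.1", [TUNNEL_NAT], OUT_CRYPTO))
    # ... but with "any any" it is matched by the crypto map (the poster's symptom).
    print(outbound("10.0.0.11", "198.51.100.1", [TUNNEL_NAT], ANY_ANY))
    # Andrew's hypothesis: a public-server NAT ordered first re-translates the
    # reply to 203.0.113.11, which the proxy ACL no longer matches.
    print(outbound("10.0.0.11", "5.5.5.11", [PUBLIC_WEB, TUNNEL_NAT], OUT_CRYPTO))
```

Swapping the order to [TUNNEL_NAT, PUBLIC_WEB] makes the last reply encrypt again with source 4.4.4.11, which is the check to run against the real NAT table order on the ASA.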
07-16-2013 06:57 AM
Andrew,
From what you mention I think you are right, and no, there isn't any other NAT, which is why I am so confused and also frustrated with this. If possible, do you have or know of any documentation that would cover the Checkpoint configuration to an ASA on overlapping networks?
Thanks for your support, Andrew.
07-16-2013 07:03 AM
No, I can just google for something like "cisco to checkpoint vpn overlapping subnet")) Unfortunately I've no experience with Checkpoint, like you, but to me there shouldn't be anything special about Checkpoint. I just can't understand how a two-way connection may work fine in one direction and not in the other. There shouldn't be something wrong with NAT or routing, but I'm a little frustrated as to what it might be, having your explanations.. I'll let you know if I think of something.