Problem Site to Site - Checkpoint to Checkpoint - ASA inbetween

Awacs2000
Level 1

Hi there!
One of our customers has the following scenario or problem.
There is a checkpoint firewall at location A. There is also a checkpoint firewall at location B, but an ASA is connected upstream.
The checkpoint is attached to the inside interface of the ASA. ASA is connected to the internet via Outside interface.
There is a Site2Site-connection between the Checkpoints, which is established without any problems.
However, no data flows back and forth.
If you ping from location A in direction B, the ping arrives at the B-Checkpoint in its log. However, the packet does not seem to find its way back into the tunnel to location A.
Nothing was changed at the Checkpoints. Only the ASA was upgraded from a 5506 to a 5510. I compared the configuration of the old and new ASA. It actually fits so far.
Does anyone have an idea or a hint why the package is not finding its way back to location A?
When pinging from B to A there is nothing in the log of Checkpoint.
Do I still have to tick the ASA somewhere?

3 Replies

Julio E. Moisa
VIP Alumni

Hi

They should have a static NAT or other mechanism (on the Check Point) to stop the packets taking another path; check that, or reset the VPN.

 

The static NAT on the ASA is something like this:

! "host" takes a single address; use "subnet x.x.x.x y.y.y.y" for a whole network
object network PC-A
 host x.x.x.x

object network PC-B
 host a.a.a.a

! identity (twice) NAT: real and mapped objects are the same, so the VPN traffic is not translated
nat (INSIDE,OUTSIDE) source static PC-A PC-A destination static PC-B PC-B

 

Regards. 




>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other community members. <<

I talked to the customer and he told me that there was absolutely no change on the Check Points. And when he is placing the old ASA again, it is working.
But when comparing the ASA config files with e.g. Notepad++, we cannot see any significant difference in the configuration.

Strange.

 

Only difference I saw:

inspect ipsec-pass-thru

was not configured on the old ASA

Awacs2000
Level 1

Hm, no problem with ipsec-pass-thru. Customer tried that.

I saw another difference on the "new" 5508. The Firepower module is active/up, but it's not configured.
Is it possible that Firepower is blocking something in the background e.g the ping or RDP?
We cannot disable it currently for testing, because of business, of course.

We checked the Check Point firewalls again with another colleague of mine and it's fine. Also, when putting the former ASA in place it is working.
But, as already mentioned, when comparing both config files, there is no difference but the ipsec-pass-thru configuration, which we already disabled. Did not help.
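The thread turns on two things: whether the ASA still has the identity (twice) NAT that Julio describes for the tunnel traffic, and what actually differs between the old and new ASA configs once you ignore the lines that do not matter. A Notepad++ diff of two full running-configs buries those few lines in hundreds of others. The script below is an added example, not code from this thread or from Cisco: it normalizes two ASA config texts, keeps only the lines relevant to a VPN peer behind the ASA (network objects, `nat` twice-NAT rules, `inspect` statements, and outside ACL entries for ISAKMP/NAT-T/ESP), reports the differences, and checks directly whether an identity NAT exists for a given source/destination object pair. Both config texts, the object names and the addresses are constructed for the example and assume the standard ASA 8.3+ object-NAT syntax.

```python
"""Compare two ASA configs for the settings that matter when a site-to-site
IPsec peer sits behind the ASA, and check for an identity (twice) NAT rule.
Config texts below are constructed for this example, not taken from the thread."""
import re
from typing import List, Set, Tuple

# Constructed sample: the "old" ASA that worked.
OLD_CONFIG = """\
object network CP-B-INSIDE
 host 10.2.0.1
object network CP-A-NET
 subnet 10.1.0.0 255.255.255.0
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq isakmp
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq 4500
access-list OUTSIDE_IN extended permit esp any host 203.0.113.10
nat (INSIDE,OUTSIDE) source static CP-B-INSIDE CP-B-INSIDE destination static CP-A-NET CP-A-NET no-proxy-arp route-lookup
policy-map global_policy
 class inspection_default
  inspect icmp
"""

# Constructed sample: the "new" ASA, where the identity NAT line is missing
# and ipsec-pass-thru inspection was added.
NEW_CONFIG = """\
object network CP-B-INSIDE
 host 10.2.0.1
object network CP-A-NET
 subnet 10.1.0.0 255.255.255.0
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq isakmp
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq 4500
access-list OUTSIDE_IN extended permit esp any host 203.0.113.10
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect ipsec-pass-thru
"""

# Twice-NAT: nat (in,out) source static REAL MAPPED [destination static REAL MAPPED] ...
NAT_RE = re.compile(
    r"^nat \((?P<in>[^,]+),(?P<out>[^)]+)\) source static (?P<s1>\S+) (?P<s2>\S+)"
    r"(?: destination static (?P<d1>\S+) (?P<d2>\S+))?"
)
# Lines worth comparing; object children are tagged "NAME: host ..." by normalize().
RELEVANT_RE = re.compile(
    r"^(nat \(|object network |\S+: (host|subnet|range) |inspect |"
    r"access-list .*\b(isakmp|esp|4500)\b)"
)


def normalize(config: str) -> List[str]:
    """Collapse whitespace, drop comments, and prefix object-block children with the object name."""
    out, current = [], None
    for raw in config.splitlines():
        line = " ".join(raw.split())
        if not line or line.startswith("!"):
            continue
        if line.startswith("object network "):
            current = line.split()[2]
        elif not raw[:1].isspace():
            current = None  # left the object block
        if raw[:1].isspace() and current:
            line = f"{current}: {line}"
        out.append(line)
    return out


def relevant_lines(config: str) -> Set[str]:
    return {line for line in normalize(config) if RELEVANT_RE.match(line)}


def config_diff(old: str, new: str) -> Tuple[List[str], List[str]]:
    """Return (relevant lines only in old, relevant lines only in new)."""
    a, b = relevant_lines(old), relevant_lines(new)
    return sorted(a - b), sorted(b - a)


def identity_nat_pairs(config: str) -> List[Tuple[str, str, str, str]]:
    """Twice-NAT rules whose mapped objects equal the real ones, i.e. no translation."""
    pairs = []
    for line in normalize(config):
        m = NAT_RE.match(line)
        if not m:
            continue
        src_identity = m["s1"] == m["s2"]
        dst_identity = m["d1"] is None or m["d1"] == m["d2"]
        if src_identity and dst_identity:
            pairs.append((m["in"], m["out"], m["s1"], m["d1"] or "any"))
    return pairs


def has_identity_nat(config: str, src_obj: str, dst_obj: str) -> bool:
    return any(s == src_obj and d == dst_obj for _, _, s, d in identity_nat_pairs(config))


def inspects_ipsec_passthru(config: str) -> bool:
    return "inspect ipsec-pass-thru" in normalize(config)


if __name__ == "__main__":
    only_old, only_new = config_diff(OLD_CONFIG, NEW_CONFIG)
    print("Only in old ASA:", *only_old, sep="\n  ")
    print("Only in new ASA:", *only_new, sep="\n  ")
    print("Identity NAT CP-B-INSIDE -> CP-A-NET on new ASA:",
          has_identity_nat(NEW_CONFIG, "CP-B-INSIDE", "CP-A-NET"))
```

Run it against `show running-config` output from both boxes saved to files; the relevant-line filter is a starting set and is easy to extend, for example to `sysopt` or `crypto` lines if the ASA itself terminates a tunnel. The identity NAT check is the thing to confirm first: without the `source static X X destination static Y Y` rule, a dynamic PAT rule lower in the NAT table can translate the return traffic so that it never matches the Check Point's tunnel.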