02-18-2011 06:20 AM
I have a problem with an L2L VPN between an ASA and a Checkpoint R71 VPN. I can ping the network that is behind the Checkpoint, but they cannot ping me. Your help, please.
Thanks,
02-18-2011 06:56 AM
Hi,
If you can PING from the ASA side to the Checkpoint but not in the opposite direction, most likely the problem is on the Checkpoint side.
You can check on the ASA if you're receiving (decrypting) packets when they initiate the PING (most likely the ASA is not receiving the packets).
Check it with the command sh cry ips sa
Federico.
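Added example, not part of the reply above: the counters in "show crypto ipsec sa" are cumulative, so the check is easiest to read as a difference between two snapshots taken before and after the remote side starts its ping. The sample output is constructed (private and documentation addresses), and the function names are hypothetical.

```python
import re

SA_HEADER = re.compile(r"remote ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")

def sample(encaps, decaps):
    """Constructed excerpt in the layout of ASA 'show crypto ipsec sa' output."""
    return (
        "    Crypto map tag: outside_map, seq num: 10, local addr: 198.51.100.1\n"
        "      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)\n"
        "      remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)\n"
        "      current_peer: 203.0.113.1\n"
        f"      #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}\n"
        f"      #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}\n"
    )

def parse_counters(text):
    """Return {remote_subnet: {'encaps': n, 'decaps': n}} for each SA listed."""
    sas, current = {}, None
    for line in text.splitlines():
        header = SA_HEADER.search(line)
        if header:
            current = sas.setdefault(f"{header.group(1)}/{header.group(2)}", {})
            continue
        if current is not None:
            for name, value in COUNTER.findall(line):
                current[name] = int(value)
    return sas

def diagnose(before, after):
    """Compare snapshots taken around a ping initiated from the remote side."""
    old_sas, result = parse_counters(before), {}
    for remote, new in parse_counters(after).items():
        old = old_sas.get(remote, {})
        decaps = new.get("decaps", 0) - old.get("decaps", 0)
        encaps = new.get("encaps", 0) - old.get("encaps", 0)
        if decaps == 0:
            result[remote] = "no packets decrypted: nothing is arriving through the tunnel"
        elif encaps == 0:
            result[remote] = "packets decrypted but none encrypted back: look behind the ASA"
        else:
            result[remote] = "traffic flows in both directions"
    return result

if __name__ == "__main__":
    # Counters unchanged while the remote side pings: the symptom in this thread.
    print(diagnose(sample(20, 20), sample(20, 20)))
```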
02-19-2011 05:17 AM
1- Does the Checkpoint firewall have a rule to allow icmp echo-request from the network behind the Checkpoint firewall over to the network behind the ASA? They may have allowed icmp echo-reply from their side back to you but not icmp echo-request.
2- Run "fw monitor" on the Checkpoint and see if the icmp echo-request packet makes it to the Checkpoint internal interface and goes out of the Checkpoint VPN interface. If you understand how Checkpoint works, you should see -iI and -oO (pre-process = small letter and post-process = capital letter), which show how the traffic is processed by the firewall.
3- Either that or the icmp echo-request is being dropped by Checkpoint IPS,
02-20-2011 07:07 AM
The solution to this was the following:
On the Checkpoint, the NAT traversal option must be enabled. After that, the PC responded to ping over the VPN, with the ASA in its normal configuration; that was the only thing we had to change.
Thanks.
Alfredo Elias.