Problem VPN L2L ASA CHECKPOINT R71

alfredoelias · ‎02-18-2011

I have a problem with a L2L VPN between ASA and Checkpoint R71 VPN I can ping it up to the network that is behind the checkpoint but they can not make me pin. Your help please

Thanks,

Federico Coto Fajardo · ‎02-18-2011

Hi,

If you can PING from the ASA side to the Checkpoint but not in the opposite direction, most likely the problem is on the Checkpoint side.

You can check on the ASA if you're receiving (decrypting) packets when they initiate the PING (most likely the ASA is not receving the packets).

Check it with the command sh cry ips sa

Federico.

cciesec2011 · ‎02-19-2011

1- does the checkpoint firewall have rule to allow icmp recho-request from network behind the Checkpoint firewall over to network behind the ASA? They may have allowed icmp echo-reply from their side back to you but not icmp echo-request

2- run "fw monitor" on the checkpoint and see if the icmp echo-request packet make it to the Checkpoint internal interface and going out of the Checkpoint VPN interface. If you understand how checkpoint work, you should see -iI and -oO (pre-process = small letter and post-process = Captical letter) how the traffics is processed by the firewall.

3- Either that you the icmp echo-request is being dropped by Checkpoint IPS,

alfredoelias · ‎02-20-2011

the solution of this was the following

at the checkpoint must enable the option nat-transversal after that the PC I responded to ping the VPN in ASA with the normal configuration only that we must change.

Thanks.

Alfredo Elias.