3456 Views, 0 Helpful, 3 Replies

Site to Site vpn configuring on ASA5510 and CHECK POINT.

meet_mkhan
Level 1

Hi Experts,

I am trying to establish a site-to-site VPN tunnel between a Cisco ASA 5510 and a Check Point.

When I configured everything on the Check Point and the ASA 5510, the tunnel was not established, and the ASA 5510 shows some error message. Please check the attached file for the configuration and show command outputs.

Kindly help me in solving this issue.

Thanks a lot in advance.

3 Replies

Jennifer Halim
Cisco Employee

From the "show crypto isa sa" output, the status is MM_Active, which means phase 1 is UP.

Debug output doesn't really provide much information for phase 2. You might want to try to collect "debug crypto ipsec" output, and make sure that you can see the full debug output, and also grab the "show crypto ipsec sa" output.

From configuration, I notice a few things:

1) ACL 115, you do not need the second line "access-list 115 extended deny ip 192.168.11.0 255.255.255.0 any", please remove it.

2) The outside interface of the ASA has a private IP address; therefore, I assume that you are doing NAT in front of the ASA. Can you please confirm whether it is static 1:1 NAT? Phase 2 normally uses ESP (an IP protocol, not a TCP or UDP port); therefore, if you are using PAT/dynamic NAT to translate the ASA outside interface IP address, it would fail.

3) If you can share the debug for phase 2 from Check Point side, maybe it will show us something.
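The reply above tells the poster how to read the two show outputs: MM_ACTIVE in "show crypto isakmp sa" means phase 1 completed, and "show crypto ipsec sa" is where phase 2 shows up. The script below is an added example (not part of this thread or the attached configuration) that parses constructed excerpts of those two outputs and classifies the tunnel state, including the one-way case (packets encapsulated but none decapsulated) that is consistent with ESP being dropped by PAT or dynamic NAT in front of the ASA. The sample output, peer addresses and access-list are constructed; the field names follow the ASA output format.

```python
import re

# Constructed sample of "show crypto isakmp sa" on an ASA: phase 1 is up (MM_ACTIVE).
# Peer addresses use documentation ranges and are not from the thread.
SHOW_ISAKMP_SA = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

# Constructed sample of "show crypto ipsec sa": the SA exists and the ASA is
# sending ESP (encaps > 0) but never receives any (decaps == 0).
SHOW_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 192.168.1.2

      access-list 115 extended permit ip 192.168.11.0 255.255.255.0 10.10.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
      current_peer: 203.0.113.10

      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""


def phase1_state(isakmp_output):
    """Return the State field of the first IKE SA listed, or None if no SA is shown."""
    m = re.search(r"State\s*:\s*(\S+)", isakmp_output)
    return m.group(1) if m else None


def ipsec_counters(ipsec_output):
    """Sum the #pkts encaps / #pkts decaps counters over every IPsec SA in the output."""
    counters = {"encaps": 0, "decaps": 0}
    for key in counters:
        for n in re.findall(rf"#pkts {key}:\s*(\d+)", ipsec_output):
            counters[key] += int(n)
    return counters


def triage(isakmp_output, ipsec_output):
    """Classify the tunnel from the two show outputs.

    phase1-absent          no IKE SA at all: policy/peer/pre-shared key problem
    phase1-incomplete:<S>  IKE SA stuck in a MM_WAIT_* state
    phase2-no-sa-or-traffic  phase 1 fine, but no IPsec SA or nothing ever sent
    phase2-one-way         we encapsulate ESP but decapsulate nothing: the
                           peer's ESP never reaches us, which is what PAT /
                           dynamic NAT in front of the ASA produces, since ESP
                           (IP protocol 50) carries no port for PAT to track
    tunnel-ok              traffic flows in both directions
    """
    state = phase1_state(isakmp_output)
    if state is None:
        return "phase1-absent"
    if not state.endswith("_ACTIVE"):   # MM_ACTIVE (main mode) or AM_ACTIVE (aggressive)
        return f"phase1-incomplete:{state}"
    c = ipsec_counters(ipsec_output)
    if c["encaps"] == 0 and c["decaps"] == 0:
        return "phase2-no-sa-or-traffic"
    if c["encaps"] > 0 and c["decaps"] == 0:
        return "phase2-one-way"
    return "tunnel-ok"


if __name__ == "__main__":
    print(triage(SHOW_ISAKMP_SA, SHOW_IPSEC_SA))
```

Paste the real outputs in place of the constructed samples; if the result is phase2-one-way, verify the NAT in front of the ASA is a static 1:1 translation that forwards ESP, not PAT.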

Hi,

Please check the attached file after removing the line "access-list 115 extended deny ip 192.168.11.0 255.255.255.0 any", and the sh crypto isakmp output. But when I run "debug crypto ipsec" I find nothing, i.e. no debug messages.

The outside interface of the ASA is a private IP address; therefore I am doing static NAT, i.e. 1:1, in front of the ASA.

How are you sessioning into the ASA firewall?

If you either telnet or SSH to it, you might want to turn on "logging monitor debugging" and "term mon". If you console to it, then turn on "logging console debugging" to see the output of the debug.