11-05-2024 12:12 AM
Hello Everyone
This is my first post and I need some suggestions: in the next few days I'll configure a VPN between a Cisco ASA firewall and a Check Point firewall (SMB device).
The ASA has only one WAN, while the Check Point has 2 WANs; the VPN will be configured as a route-based VPN defining numbered VTIs for each tunnel.
On the ASA side, is there any specific configuration to pay attention to? I think there could be, for example, a possible issue with the peer ID, because there will be two VPNs but only one Check Point, so the ASA will always see it as the same firewall.
Thanks in advance.
11-05-2024 12:27 AM
@simone-mantovani from the ASA's perspective it should be straightforward: it will peer with two unique IP addresses on the Check Point, using the ASA's outside interface IP address as the local identity by default. With the VPN established you can then run a routing protocol and either load balance over both tunnels or set a preference on one tunnel and run active/standby.
11-05-2024 03:43 AM
Hello Rob
Sounds interesting. At the moment we'll use static routing; is there a particular configuration to be implemented on the ASA to have active/standby tunnels?
Thanks.
11-05-2024 03:46 AM
@simone-mantovani if you use static routes, you would need to use IP SLA to track something on the remote end of the VPN. You'd need to set up the other end to track something on the ASA side. It's more practical to use a dynamic routing protocol over the VPN.
11-05-2024 06:31 AM
Please take a look at this post of mine, it should give you what you need to track the tunnels and switch between them based on their status, and also preempt to the primary when it comes back.
ASA site-to-site VPN failover workaround | Blue Network Security