VPN between IOS and Checkpoint FW1

somanabich
Level 1

I currently have a VPN setup with my IOS 3745 router and a FW-1 box of a business partner.

When I try to create an access list (for which traffic should be encrypted) that has a 32 bit subnet mask, i.e. I only want my hosts to send encrypted packets to a particular host and not the whole destination subnet, the FW-1 box throws an error 'No Proposal chosen'. When I change my subnet mask back to 24 bit all works OK.

Can I get the administrator of the FW-1 box to make changes so that only traffic from my network to 1 particular host gets encrypted?

Any ideas?

3 Replies

sachinraja
Level 9

Hello

The interesting traffic at both ends (router and Check Point) should match. You can configure traffic to go to a particular host, but the same has to be configured on the Check Point.

On the PIX, configure this access-list for interesting traffic:

access-list 110 permit ip 192.168.0.0 0.0.0.255 host 10.1.1.1

(192.168.0.0/24 being your network and 10.1.1.1 the remote host)

On the Check Point, configure the local/remote networks appropriately: select Manage -> Network Objects -> New (or Edit) -> Network and specify the network as 10.1.1.1 netmask 255.255.255.255.

Check the following URL for configuration examples:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094ac4.shtml#config

How can I stop some traffic, for instance e-mail from my network, from being encrypted, i.e. I would like all other traffic not destined for a particular host to not be encrypted.

Could I do this with 'deny' in my access-list?

Thanks for your assistance.

Hello.

The encryption is going to happen only for the traffic matching the access-list (interesting traffic). Any other traffic not matching the access-list will not be encrypted. You will define an extended access-list, specifying the source, destination, port etc. for this.

If you want to deny encryption for a particular host which is in the same region as the interesting traffic, you can deny the same on the interesting traffic access-list and then permit the others.

example:

access-list 100 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255

In the above example, only packets from source 10.x to 192.x are encrypted; any other traffic is not encrypted. You can change this if you want to deny specific traffic between 10.x and 192.x from being encrypted.

Hope you got it!
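The two replies above describe the same mechanism from two angles: the crypto ACL defines the proxy IDs the router proposes in IPsec Phase 2 (so a /32 destination must be mirrored exactly in the Check Point encryption domain, or the peer answers "No proposal chosen"), and deny entries in that ACL carve traffic out of the tunnel. The following IOS configuration is an added example, not code from the thread or either poster; it assumes a local LAN of 192.168.0.0/24, a remote partner host 10.1.1.1, a FW-1 peer address of 203.0.113.1, an outside interface FastEthernet0/0 and a placeholder pre-shared key, none of which appear in the original posts.

```cisco
! Added example (not from the original thread). Assumed addresses:
!   local LAN 192.168.0.0/24, remote host 10.1.1.1, FW-1 peer 203.0.113.1
!
! Crypto ACL = interesting traffic = Phase 2 proxy IDs.
! Entries are evaluated top-down: a deny means "send in the clear",
! so the SMTP exclusion must come before the broader permit.
ip access-list extended VPN-TO-PARTNER
 remark E-mail to the partner host is NOT encrypted (deny = cleartext)
 deny   tcp 192.168.0.0 0.0.0.255 host 10.1.1.1 eq smtp
 remark Everything else from our LAN to that single host is encrypted
 permit ip 192.168.0.0 0.0.0.255 host 10.1.1.1
!
! Phase 1 (ISAKMP) policy; parameters must match the FW-1 gateway
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <pre-shared-key> address 203.0.113.1
!
! Phase 2 transform set; must match the FW-1 IPsec proposal
crypto ipsec transform-set PARTNER-TS esp-3des esp-sha-hmac
!
crypto map PARTNER-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set PARTNER-TS
 match address VPN-TO-PARTNER
!
interface FastEthernet0/0
 crypto map PARTNER-MAP
```

Two things a practitioner should check. First, the Check Point side must be the mirror image of this ACL: the partner's VPN domain for their gateway must be the single host object 10.1.1.1/32 and their VPN domain for your gateway 192.168.0.0/24, and SMTP must be excluded from encryption on their side as well, otherwise their gateway will still try to negotiate an SA for port 25 traffic (or drop the cleartext replies). If the Phase 2 negotiation fails, `debug crypto isakmp` on the router and the proxy IDs shown by `show crypto ipsec sa` are the first place to compare against the FW-1 log. Second, a deny line in a crypto ACL is a deliberate cleartext path: the packets are still forwarded, just unencrypted, so if that traffic should not leave the router at all, block it with a separate interface ACL rather than relying on the crypto map.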