Cisco Pix 6.3(5) to Checkpoint FW VPN

Discussion in 'Cisco' started by Darren Green, Feb 10, 2007.

  Darren Green (Guest)

    Hi,

    I tried in vain yesterday to build a PIX site-to-site VPN to a 3rd Party who
    have a Checkpoint FW1.

    I believe I know the issue, as `debug crypto ipsec sa` gave me a 'proxy
    identities not supported'. A quick google suggests this is a mismatched ACL;
    however, I only have 1 x entry in my crypto ACL on the PIX, so I guess it's
    how the Checkpoint represents the same.

    The network:

    AS400-----PIX-------Checkpoint-----PC

    The PC behind the Checkpoint initiates the VPN. It uses a NAT address on the
    outside of the Checkpoint (not the Checkpoint peer IP). When attempting to
    connect to the AS400 it does so on a public translatable static address. So
    in my crypto ACL I have 1 x line for return traffic from the AS400 as
    follows:

    access-list blah host (static public IP of AS400) host (nat address of PC)
    etc.

    The crypto map is between the outside public IP's of the 2 x firewalls and
    references access-list blah. NB IPSEC Phase 1 completes OK.

    A colleague has suggested that the Checkpoint may 'tag on' another entry in
    its equivalent crypto list, namely its peer IP address to my static IP for
    the AS400. Originally I actually thought this was something to do with
    NAT-T; it isn't in the PIX config anywhere and I don't know if it is
    supported out of the box on the Checkpoint.

    Anyone seen anything like this before? Apparently it happens quite a lot
    between these 2. The Checkpoint people have told me they only have 1 x
    permit allowing their private hosts (10.2.X.X /16) to use the NAT. This is
    different to how the PIX does it, as it is public to public.

    Regards

    Darren
     
    Darren Green, Feb 10, 2007
    #1
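The failure the post describes (Phase 1 up, Phase 2 rejected with 'proxy identities not supported') comes down to whether the proxy IDs the Checkpoint proposes are the exact mirror image of a crypto ACL entry on the PIX. The following is an added example, not code from the thread or from either vendor: it takes the PIX ACL as (local, remote) pairs, takes a list of proposals the Checkpoint might send from its own point of view, and reports which ones the PIX would accept and which would only overlap an entry (the case that looks right but is still rejected). The addresses are constructed from RFC 5737 documentation ranges and stand in for the AS400 static, the PC NAT address and the Checkpoint peer IP; `blah` is the ACL name from the post; the render of a matching `access-list` line is the PIX 6.3 netmask form.

```python
# Added example (not from the thread): checking a peer's Phase 2 proxy-ID
# proposals against a PIX crypto ACL.  PIX 6.3 accepts a proposal only when it
# is the exact mirror image of one crypto ACL entry; anything wider, narrower
# or using a different address shows up in `debug crypto ipsec` as
# "proxy identities not supported".  All addresses below are constructed
# (RFC 5737 documentation ranges), not the poster's real ones.
from ipaddress import ip_network, IPv4Network
from typing import Dict, List, Tuple

Pair = Tuple[str, str]  # (local side, remote side) in CIDR notation

# Constructed stand-ins for the thread's topology:
AS400_STATIC = "203.0.113.10/32"   # public static NAT of the AS400 behind the PIX
PC_NAT       = "198.51.100.25/32"  # NAT address the PC uses behind the Checkpoint
CP_PEER      = "198.51.100.1/32"   # the Checkpoint's own outside (peer) address

# The PIX's single crypto ACL line, as (local, remote)
PIX_ACL: List[Pair] = [(AS400_STATIC, PC_NAT)]

# Proxy IDs the Checkpoint might propose, written from ITS point of view
# (its local network first, then the remote it wants to reach).
CHECKPOINT_PROPOSALS: List[Pair] = [
    (PC_NAT, AS400_STATIC),             # the intended tunnel: exact mirror
    (CP_PEER, AS400_STATIC),            # peer IP "tagged on" as a proxy ID
    ("10.2.0.0/16", AS400_STATIC),      # whole private encryption domain, un-NATed
    ("198.51.100.0/24", AS400_STATIC),  # NAT pool as a supernet of the PC address
]


def _to_networks(pair: Pair) -> Tuple[IPv4Network, IPv4Network]:
    return ip_network(pair[0]), ip_network(pair[1])


def mirror(pair: Pair) -> Pair:
    """Swap local/remote so a peer's proposal reads like one of our ACL entries."""
    return pair[1], pair[0]


def check_proposals(pix_acl: List[Pair], proposals: List[Pair]) -> List[Dict]:
    """Classify each peer proposal as an exact ACL match or a mismatch.

    For mismatches, also list ACL entries that merely overlap the proposal:
    that is the usual reason a tunnel 'looks configured' yet Phase 2 fails."""
    acl = [_to_networks(e) for e in pix_acl]
    report = []
    for prop in proposals:
        want = _to_networks(mirror(prop))
        exact = want in acl
        overlap = [] if exact else [
            e for e in acl if e[0].overlaps(want[0]) and e[1].overlaps(want[1])
        ]
        report.append({
            "proposal": prop,
            "status": "match" if exact else "mismatch",
            "overlapping": [(str(a), str(b)) for a, b in overlap],
        })
    return report


def pix_acl_line(name: str, pair: Pair) -> str:
    """Render the PIX 6.3 access-list line that would exactly mirror `pair`."""
    def fmt(net: IPv4Network) -> str:
        if net.prefixlen == 32:
            return f"host {net.network_address}"
        return f"{net.network_address} {net.netmask}"
    local, remote = _to_networks(pair)
    return f"access-list {name} permit ip {fmt(local)} {fmt(remote)}"


if __name__ == "__main__":
    for r in check_proposals(PIX_ACL, CHECKPOINT_PROPOSALS):
        print(f"{r['status']:8s} peer proposes {r['proposal'][0]} -> {r['proposal'][1]}")
        if r["status"] == "mismatch":
            print("         PIX would need:", pix_acl_line("blah", mirror(r["proposal"])))
            if r["overlapping"]:
                print("         overlaps existing:", r["overlapping"])
```

Running it shows only the first proposal matching; the second reproduces the colleague's 'tag on the peer IP' theory, the third is what the Checkpoint side's 10.2.X.X /16 rule would propose if their NAT is not applied before IPsec, and the fourth shows that a wider proposal is rejected even though it contains the ACL's host address. The rendered `access-list` line is the entry the PIX would need for that proposal, which is a starting point for comparing notes with the Checkpoint administrators rather than something to add blindly.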