Firewall Wizards mailing list archives

RE: Cisco 506E and CP NG VPN Problems


From: "Melson, Paul" <PMelson () sequoianet com>
Date: Mon, 11 Aug 2003 09:49:22 -0400

I don't believe that the problem is with the PIX configuration.  More likely, the Check Point firewall has a rule for 
the VPN tunnel that looks something like this:

SRC          DST          IF VIA       SERVICE   ACTION
[your_net]   [his_net]    [vpn_comm]   * Any     accept

The Check Point firewall needs another rule that switches the source and destination objects.  For him to be able to 
initiate a VPN tunnel to your PIX, his firewall needs to have a rule where his network is the source and yours is the 
destination that is "IF VIA" the same VPN extranet community as the existing rule.  For example:

SRC          DST          IF VIA       SERVICE   ACTION
[his_net]    [your_net]   [vpn_comm]   * Any     accept

Hope that helps!

PaulM
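As an added illustration of the symmetry Paul describes (this code is not from the original thread or from Check Point), a small Python check over a constructed rulebase in the same text layout as the rules quoted above: it reports every community-bound accept rule that has no counterpart with source and destination swapped. The object names your_net, his_net and vpn_comm are assumed from the example rules.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample rulebases in the layout used in the post above.
# Only the first direction exists, so the peer cannot initiate the tunnel.
ONE_WAY_RULEBASE = """
SRC          DST          IF VIA       SERVICE   ACTION
[your_net]   [his_net]    [vpn_comm]   * Any     accept
"""

# Both directions exist under the same community.
TWO_WAY_RULEBASE = """
SRC          DST          IF VIA       SERVICE   ACTION
[your_net]   [his_net]    [vpn_comm]   * Any     accept
[his_net]    [your_net]   [vpn_comm]   * Any     accept
"""

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    if_via: str
    service: str
    action: str

RULE_RE = re.compile(
    r"\s*\[(\S+)\]\s+\[(\S+)\]\s+\[(\S+)\]\s+(\*\s*Any|\S+)\s+(\S+)\s*$"
)

def parse_rules(text: str) -> List[Rule]:
    """Parse bracketed rule lines; header and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(*m.groups()))
    return rules

def missing_reverse_rules(rules: List[Rule]) -> List[Rule]:
    """Return accept rules bound to a VPN community for which no rule with
    src and dst swapped exists under the same community ("IF VIA")."""
    accepted = {(r.src, r.dst, r.if_via) for r in rules if r.action == "accept"}
    return [r for r in rules
            if r.action == "accept" and (r.dst, r.src, r.if_via) not in accepted]

if __name__ == "__main__":
    for r in missing_reverse_rules(parse_rules(ONE_WAY_RULEBASE)):
        print(f"no reverse rule for {r.src} -> {r.dst} via {r.if_via}")
```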


 -----Original Message-----
We have a CISCO 506E to raise a VPN to our customer's Checkpoint NG FW,
but after several hours of inactivity, if our customer tries to connect to
our server through the VPN he can't see our server, but if we ping his
workstation from our server we can see his workstation; after that he
also can see our server and it works normally... until he disconnects for
several hours.

Any idea?
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

