Firewall Wizards mailing list archives

RE: Checkpoint to Cisco - Hardware VPN works, software doesn't


From: Dean Davis <Dean.Davis () mbg-inc com>
Date: Fri, 19 Dec 2003 11:44:57 -0500

Hi Tyler:

Is the Checkpoint performing NAT on the software VPN's internal IP address?
If so, does that translation equate to the IP address that your Concentrator
has configured as a VPN Peer? Even though the servers and the software VPN
client are on disparate subnets, they could all ultimately get translated by
NAT as a common IP address.

Perhaps NAT is the problem. If so, you'll need to publish the software VPN
client as a different routable IP address to avoid the confusion. I had a
similar situation.

Thanks,
Dean Davis, MCSE,MCDBA,CCNA,CNA,N+,Linux+
Chief Instructor
LinuxGenius, LLC.
www.linuxcbt.net
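The NAT collision described above (a client LAN hidden behind the same address the concentrator already knows as its site-to-site peer, or behind an address inside the tunnel's network list) can be checked from a gateway's NAT table before touching either box. The following is an added example, not code from this thread; the topology, subnets and NAT rules are constructed placeholders, and `rehide` models the suggested fix of publishing the client LAN behind a different routable address.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder topology; none of these addresses come from the thread.
GATEWAY_IP = ip_address("203.0.113.1")           # Checkpoint external address, the IKE peer the concentrator knows
LOCAL_DOMAIN = [ip_network("203.0.113.16/29")]   # addresses covered by the concentrator's network list

# NAT table: (original source network, translated address). Static rules give each
# server its own address; a hide rule maps a whole subnet to one address.
NAT_TABLE = [
    (ip_network("10.1.0.1/32"), ip_address("203.0.113.17")),  # Server1
    (ip_network("10.1.0.2/32"), ip_address("203.0.113.18")),  # Server2
    (ip_network("10.1.0.3/32"), ip_address("203.0.113.19")),  # Server3
    (ip_network("10.2.0.0/24"), ip_address("203.0.113.1")),   # software-VPN client LAN, hidden behind the gateway
]


def translate(src, nat_table):
    """Return the post-NAT source address (first matching rule wins), else the original."""
    for net, translated in nat_table:
        if src in net:
            return translated
    return src


def classify_client(client_ip, nat_table=NAT_TABLE, gateway=GATEWAY_IP, local_domain=LOCAL_DOMAIN):
    """Explain why a software-VPN client behind the gateway may fail to reach the concentrator.

    'hidden_behind_ike_peer': the client leaves with the gateway's own address, so the
        concentrator sees a second IKE negotiation from the address of its site-to-site peer.
    'inside_encryption_domain': the translated address falls in the network list, so the
        gateway treats the client's packets as tunnel traffic (source-side check only).
    'ok': the translated address is distinct from both.
    """
    nat_ip = translate(ip_address(client_ip), nat_table)
    if nat_ip == gateway:
        return "hidden_behind_ike_peer"
    if any(nat_ip in net for net in local_domain):
        return "inside_encryption_domain"
    return "ok"


def rehide(nat_table, client_net, new_ip):
    """The suggested fix: return a NAT table that hides client_net behind a different routable address."""
    net, new = ip_network(client_net), ip_address(new_ip)
    return [(n, new if n == net else t) for n, t in nat_table]
```

Run `classify_client` against the real gateway's hide rules and the concentrator's network list; only a result of `ok` means the client's outbound address is distinct from both the IKE peer address and the tunnel's encryption domain.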

-----Original Message-----
From: Northrup, Tyler [mailto:tnorthru () usd edu] 
Sent: Friday, December 12, 2003 9:13 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Checkpoint to Cisco - Hardware VPN works, software doesn't


I have a Checkpoint NG FP3 at one site and a Cisco 3030 concentrator at the
other.  There is a hardware-based ipsec tunnel between the checkpoint and
concentrator with network lists allowing 5 systems to communicate between
the networks (see below).  This tunnel works fine.

Server1 - |
Server2 - - - CHECKPOINT <> CONCENTRATOR - - - Server1
Server3 - |             |                              | - Server2
                        |
                        |
                        |
                software vpn

However, since configuring this tunnel, I have not been able to initiate
software vpn connections from behind the checkpoint to the concentrator
(worked previously).   These connections originate on a separate network off
the checkpoint to the cisco concentrator.  It worked fine prior to
implementation of the IPSEC tunnel.  I know the traffic gets to the
checkpoint, but it either does not leave, or it leaves via the tunnel (which
it should not as these systems are not part of the network lists / rules)
and gets dropped.

I administer the concentrator, but do not directly support the Checkpoint.
Any direction would be appreciated as I am working with the other
administrator to solve the issue.

Thanks,

Tyler Northrup
IT Security Officer
The University of South Dakota
605-677-5019 
_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards