topic Check Point with Cisco ASA in General Topics

Check Point with Cisco ASA

Luisnego — Mon, 25 Jun 2018 12:02:02 GMT

Hello ,

I've trying create a VPN tunnel with ASA using CP R77.30, but think something is wrong because the other side cannot connect the internal network, they told me that has the same internal network. We could simulate the traffic , like CISCO ASA has Packtet Tracer. I used tcpdump and looked the logs in SmartView Tracker

Tracker:

Record Details

IKE: Quick Mode completion [UDP (IPv4)].
IKE IDs: host: 200.xxx.xxx.60( peer CP) and host: 10.xxx.1x.29

tcpdump:

tcpdump -ni eth1 src (PEER-ASA)

IP Peer CP.500 > PEER ASA.500 isakmp: phase 1 I ident

IP Peer CP.500 > PEER ASA.500 isakmp: phase2/others I oakley-quick[E]

Re: Check Point with Cisco ASA

Maarten_Sjouw — Mon, 25 Jun 2018 21:09:13 GMT

You say: "they told me that has the same internal network."

It does not matter what hardware the other end is, but you cannot have communication over a normal VPN when you have the same network on both sides.

First point is to make sure you have a different network defined on each side of the VPN, either by changing the IP range on one side or by using source NAT on both ends.

When it is a different network, but just a chunk out of the range used at one end, ie local network is a 10.200/16 network and the other side is 10.200.200/24 you could use a exclusion group on the Check Point side.

So there are a lot of possible answers here.

Re: Check Point with Cisco ASA

Luisnego — Tue, 26 Jun 2018 12:37:26 GMT

Maarten Sjouw‌ Thanks, I can fix, I had overlap in my network. Thanks for your help.