This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Luisnego
Contributor
‎2018-06-25 05:02 AM

Check Point with Cisco ASA

Jump to solution

Hello , 

I've trying create a VPN tunnel with ASA using CP R77.30, but think something is wrong because the other side cannot connect the internal network, they told me that has the same internal network. We could simulate the traffic , like CISCO ASA has Packtet Tracer. I used tcpdump and looked the logs in SmartView Tracker

Tracker:

Record Details

IKE: Quick Mode completion [UDP (IPv4)].
IKE IDs: host: 200.xxx.xxx.60( peer CP) and host: 10.xxx.1x.29

tcpdump:

tcpdump -ni eth1 src  (PEER-ASA)

IP Peer CP.500 > PEER ASA.500 isakmp: phase 1 I ident

IP Peer CP.500 > PEER ASA.500 isakmp: phase2/others I oakley-quick[E]

1 Solution

Accepted Solutions
Maarten_Sjouw
Champion
Champion
‎2018-06-25 02:09 PM

Jump to solution

You say: "they told me that has the same internal network."

It does not matter what hardware the other end is, but you cannot have communication over a normal VPN when you have the same network on both sides.

First point is to make sure you have a different network defined on each side of the VPN, either by changing the IP range on one side or by using source NAT on both ends.

When it is a different network, but just a chunk out of the range used at one end, ie local network is a 10.200/16 network and the other side is 10.200.200/24 you could use a exclusion group on the Check Point side.

So there are a lot of possible answers here.

Regards, Maarten

View solution in original post

2 Replies
Maarten_Sjouw
Champion
Champion
‎2018-06-25 02:09 PM

Jump to solution

You say: "they told me that has the same internal network."

It does not matter what hardware the other end is, but you cannot have communication over a normal VPN when you have the same network on both sides.

First point is to make sure you have a different network defined on each side of the VPN, either by changing the IP range on one side or by using source NAT on both ends.

When it is a different network, but just a chunk out of the range used at one end, ie local network is a 10.200/16 network and the other side is 10.200.200/24 you could use a exclusion group on the Check Point side.

So there are a lot of possible answers here.

Regards, Maarten
Luisnego
Contributor
‎2018-06-26 05:37 AM
In response to Maarten_Sjouw

Jump to solution

Maarten Sjouw‌ Thanks, I can fix, I had overlap in my network. Thanks for your help.

0 Kudos
Labels