Hello,
I've been trying to create a VPN tunnel with an ASA using CP R77.30, but I think something is wrong because the other side cannot connect to the internal network; they told me that they have the same internal network. Could we simulate the traffic, like Cisco ASA's Packet Tracer? I used tcpdump and looked at the logs in SmartView Tracker.
Tracker: Record Details
tcpdump:
tcpdump -ni eth1 src (PEER-ASA)
IP Peer CP.500 > PEER ASA.500 isakmp: phase 1 I ident
IP Peer CP.500 > PEER ASA.500 isakmp: phase2/others I oakley-quick[E]
You say: "they told me that they have the same internal network."
It does not matter what hardware the other end is, but you cannot have communication over a normal VPN when you have the same network on both sides.
The first point is to make sure you have a different network defined on each side of the VPN, either by changing the IP range on one side or by using source NAT on both ends.
When it is a different network, but just a chunk out of the range used at one end, i.e. the local network is 10.200/16 and the other side is 10.200.200/24, you could use an exclusion group on the Check Point side.
So there are a lot of possible answers here.
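The answer above distinguishes three situations (identical networks, one side's network being a chunk of the other side's range, and no overlap) and pairs each with a remedy. The following script, added here as an illustration and not code from the thread or from Check Point, checks two encryption domains for exactly those cases with Python's standard `ipaddress` module. The sample domains `LOCAL_DOMAIN` and `REMOTE_DOMAIN` are constructed for the example; `exclusion_remainder` only makes visible which address space a "group with exclusion" (local network minus the remote chunk) ends up covering, the gateway computes that itself.

```python
import ipaddress

# Constructed sample encryption domains for illustration (not from the thread):
# LOCAL_DOMAIN plays the Check Point side, REMOTE_DOMAIN the ASA side.
LOCAL_DOMAIN = ["10.200.0.0/16", "192.168.10.0/24"]
REMOTE_DOMAIN = ["10.200.200.0/24", "192.168.10.0/24", "172.16.0.0/12"]


def _networks(cidrs):
    """Parse CIDR strings into ip_network objects (host bits are tolerated)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def find_overlaps(local_domain, remote_domain):
    """Return (local, remote, relation) for every pair of networks that overlap.

    Two CIDR blocks are either disjoint or one contains the other, so the
    relation is one of: identical, remote_inside_local, local_inside_remote.
    """
    overlaps = []
    for local in _networks(local_domain):
        for remote in _networks(remote_domain):
            if local.version != remote.version or not local.overlaps(remote):
                continue
            if local == remote:
                relation = "identical"
            elif remote.subnet_of(local):
                relation = "remote_inside_local"
            else:
                relation = "local_inside_remote"
            overlaps.append((str(local), str(remote), relation))
    return overlaps


def exclusion_remainder(local_cidr, remote_cidr):
    """Address space left on the local side once the remote chunk is carved out.

    This is what a Check Point group with exclusion (local network minus the
    remote network) covers; the gateway derives it itself, this just shows it.
    """
    local = ipaddress.ip_network(local_cidr, strict=False)
    remote = ipaddress.ip_network(remote_cidr, strict=False)
    if local == remote or not remote.subnet_of(local):
        raise ValueError("remote network must be a proper sub-range of local")
    return [str(n) for n in sorted(local.address_exclude(remote))]


def advise(local_domain, remote_domain):
    """Map each overlapping pair to the remedy given in the answer above."""
    advice = []
    for local, remote, relation in find_overlaps(local_domain, remote_domain):
        if relation == "identical":
            action = "renumber one side or apply source NAT on both ends"
        elif relation == "remote_inside_local":
            action = ("exclude %s from the local encryption domain; remainder: %s"
                      % (remote, ", ".join(exclusion_remainder(local, remote))))
        else:
            # Mirror of the case above: the exclusion has to happen on the remote side.
            action = "the remote side must carve %s out of its encryption domain" % local
        advice.append((local, remote, relation, action))
    return advice


if __name__ == "__main__":
    for entry in advise(LOCAL_DOMAIN, REMOTE_DOMAIN):
        print(entry)
```

Running it on the constructed domains reports the 10.200.200.0/24 chunk inside 10.200.0.0/16 (exclusion group case) and the identical 192.168.10.0/24 on both ends (renumber or NAT case); 172.16.0.0/12 produces no finding. Only the real encryption-domain definitions from both gateways tell you which case you are in, so feed those in rather than the constructed values.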
Maarten Sjouw Thanks, I can fix it; I had an overlap in my network. Thanks for your help.