This website uses cookies. By browsing this website, you consent to the use of cookies. Learn more.
OK
ABOUT CHECKMATES & FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Post a Question
Help
Luisnego
Luisnego
Nickel
‎2018-06-25 05:02 AM

Check Point with Cisco ASA

Jump to solution

Hello , 

I've trying create a VPN tunnel with ASA using CP R77.30, but think something is wrong because the other side cannot connect the internal network, they told me that has the same internal network. We could simulate the traffic , like CISCO ASA has Packtet Tracer. I used tcpdump and looked the logs in SmartView Tracker

Tracker:

Record Details

IKE: Quick Mode completion [UDP (IPv4)].
IKE IDs: host: 200.xxx.xxx.60( peer CP) and host: 10.xxx.1x.29

tcpdump:

tcpdump -ni eth1 src  (PEER-ASA)

IP Peer CP.500 > PEER ASA.500 isakmp: phase 1 I ident

IP Peer CP.500 > PEER ASA.500 isakmp: phase2/others I oakley-quick[E]

Reply
1 Solution

Accepted Solutions
Maarten_Sjouw
Maarten_Sjouw
Opal
‎2018-06-25 02:09 PM

Re: Check Point with Cisco ASA

Jump to solution

You say: "they told me that has the same internal network."

It does not matter what hardware the other end is, but you cannot have communication over a normal VPN when you have the same network on both sides.

First point is to make sure you have a different network defined on each side of the VPN, either by changing the IP range on one side or by using source NAT on both ends.

When it is a different network, but just a chunk out of the range used at one end, ie local network is a 10.200/16 network and the other side is 10.200.200/24 you could use a exclusion group on the Check Point side.

So there are a lot of possible answers here.

Regards, Maarten
Reply
2 Replies
Maarten_Sjouw
Maarten_Sjouw
Opal
‎2018-06-25 02:09 PM

Re: Check Point with Cisco ASA

Jump to solution

You say: "they told me that has the same internal network."

It does not matter what hardware the other end is, but you cannot have communication over a normal VPN when you have the same network on both sides.

First point is to make sure you have a different network defined on each side of the VPN, either by changing the IP range on one side or by using source NAT on both ends.

When it is a different network, but just a chunk out of the range used at one end, ie local network is a 10.200/16 network and the other side is 10.200.200/24 you could use a exclusion group on the Check Point side.

So there are a lot of possible answers here.

Regards, Maarten
Reply
Luisnego
Luisnego
Nickel
‎2018-06-26 05:37 AM

Re: Check Point with Cisco ASA

Jump to solution

Maarten Sjouw‌ Thanks, I can fix, I had overlap in my network. Thanks for your help.

0 Kudos
Reply