- Products
- Learn
- Local User Groups
- Partners
- More
Firewall Uptime, Reimagined
How AIOps Simplifies Operations and Prevents Outages
Introduction to Lakera:
Securing the AI Frontier!
Check Point Named Leader
2025 Gartner® Magic Quadrant™ for Hybrid Mesh Firewall
HTTPS Inspection
Help us to understand your needs better
CheckMates Go:
SharePoint CVEs and More!
While testing a site-to-site VPN tunnel between CP80.10 and Cisco ASA, I noticed that right after I had configured the IPSec peer on CP80.10, I was no longer able to ssh to 10.0.14.101 (ASA outside IP) to manage the device. Then I looked into the logs on CP and found out that CP80.10 is trying to encrypt packets destined to ASA outside IP address 10.0.14.101. I wasn't able to find any info about this issue. Is there any way how I can disable or turn off this behavior? Screenshot of the logs in the attachment. Thanks.
I would suggest to consult sk25675 Customizing VPN Domain to exclude IP Address and allow clear text and sk108600 VPN Site-to-Site with 3rd party Scenario 3 !
quick way to solve it ? use excluded service and add ssh there , definition ip of the remote peer is part of the remote enc domain
Hi Marco,
I considered that option but I guess enabling it would prevent me from establishing an ssh session to the equipment residing behind the ASA (which only reachable over the VPN tunnel).
I would suggest to consult sk25675 Customizing VPN Domain to exclude IP Address and allow clear text and sk108600 VPN Site-to-Site with 3rd party Scenario 3 !
Hi @G_W_Albrecht ,
What about on Scalable Platforms (Maestro). SMS is R80.40 and GW is R80.30SP.
I've tried to edit crypt.def file on Management and GW as well. But still no success.
Before I used to this SK and it works perfect and SMS, GW both were the same version..
Do you have any clue?
Three hints:
- The "crypt.def
" file has to be edited only on Security Management Server. The relevant code will be transferred to Security Gateway during policy installation. (sk98241)
- The "crypt.def
" file has to be edited in plain-text editor (Vi on Unix-based OS ; Notepad/Notepad++ on Windows OS). (sk98241)
- R80.30SP should be included when $FWDIR/lib/crypt.def is edited and the policy installed. (sk98241)
If all these have been followed i would contact TAC !
sk108600 Scenario 3 - Implied inclusion of Check Point Security Gateway's / 3rd party VPN Peer's interfaces
Thanks a lot I'll take a look into this.
Did you try to exclude ssh in the vpn community? And then push policy?
Of course if you need to use ssh on Remote encryption domain, that might be a challange.
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
User | Count |
---|---|
12 | |
12 | |
10 | |
7 | |
6 | |
6 | |
5 | |
5 | |
5 | |
5 |
Tue 07 Oct 2025 @ 10:00 AM (CEST)
Cloud Architect Series: AI-Powered API Security with CloudGuard WAFThu 09 Oct 2025 @ 10:00 AM (CEST)
CheckMates Live BeLux: Discover How to Stop Data Leaks in GenAI Tools: Live Demo You Can’t Miss!Thu 09 Oct 2025 @ 10:00 AM (CEST)
CheckMates Live BeLux: Discover How to Stop Data Leaks in GenAI Tools: Live Demo You Can’t Miss!Wed 22 Oct 2025 @ 11:00 AM (EDT)
Firewall Uptime, Reimagined: How AIOps Simplifies Operations and Prevents OutagesAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY