- CheckMates
- :
- Products
- :
- General Topics
- :
- VPN Routing between Domain Based and Route Based V...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VPN Routing between Domain Based and Route Based VPN
Hi Experts,
I have a scenario that I need your help on!
I have a customer who has the following setup (2 separate VPN communities):
Cisco ASA --->Domain Based VPN--->Checkpoint--->Route based VPN----> Third party firewall
Users behind ASA need to talk to users behind third party firewall.
1) Can routing between the two VPN communities happen? If yes, what needs to be done at a high level?
2) If the routing between VPNs is happening correctly, I have a network behind the 3rd party firewall that is reachable through a static route from Checkpoint through an MPLS network. The desired behaviour is to use the static route through MPLS as a primary route and the routing through the route based VPN as a backup route. Can this be accomplished by assigning a lower metric to the static route that leads to MPLS and configuring path monitoring to disable it if the destination network is not reachable?
Thanks in advance.
There is an option for routing inside the VPN community object; sounds like that's what you need.
Best,
Andy
Will this work even if I have two different VPN communities? Do I only need to enable VPN routing on each community? Which option should I choose then? To center only? And what about the security rule?
Any insight regarding question 2?
Thank you!
I would say center only. As far as the rule, make sure it's allowed based on the traffic flow. You may need one rule per community.
Andy
Thanks for your reply. Could you please elaborate in more detail on this? How should the security rule(s) look? Is there any directional match involved? Also, should the 3rd party gateway set the subnets behind the ASA as the encryption domain for Checkpoint?
For route based VPN, you need to enable the VPN directional match setting in global properties, I think it's under VPN and then Advanced (at the bottom). Then in the rule's VPN column, you need 3 "entries": internal to VPN comm, VPN comm - VPN comm, and then VPN comm to internal.
As far as the enc domain, think of it this way... regardless of whether we are talking about CP, PAN, Fortinet, Cisco, Sonic Wall, makes no difference... the VPN domain will ALWAYS be whatever is local behind that fw, so for the 3rd party, the enc domain is the subnet that's behind that fw, unless it's route based, then most likely an empty group.
route based vpn -> vpn domain = empty group
domain based vpn -> vpn domain = local subnet
HTH
Andy
Thanks for your reply! But I think I miscommunicated this.
My actual need is to make routing between a domain based VPN and a route based VPN through Checkpoint.
Site A Cisco ASA --->Domain Based VPN--->Site B Checkpoint--->Route based VPN----> Site C Third party firewall
The configuration you specified is only for the route based VPN setup to make the tunnel work between Site B and Site C.
I need users in Site A to communicate with networks behind Site C through Checkpoint.
Thanks!
Sounds like you need to enable VPN routing on the domain based community.
Andy
I have one last question, sir. I am confused about which option to choose in VPN routing:
option 2 says: To center and to other satellites through center. Use VPN routing for connection between satellites. Every packet passing from a satellite gateway to another satellite gateway is routed through the central gateway. Connection between satellite gateways and gateways that do not belong to the community are routed in the normal way.
option 3 says: To center, or through the center to other satellites, to internet and other VPN targets. Use VPN routing for every connection a satellite gateway handles. Packets sent by a satellite gateway pass through the VPN tunnel to the central gateway before being routed to the destination address.
So I think that option 3 is more suitable. What do you think? And also to confirm, this setting is needed on the domain based community only since we have traffic in one direction only (from A to C through B). Am I right?
Thank you
1) You can call me Andy, I'm not that old... well, 44 🙂
2) You did not bother me via email, it's a free country, I can easily choose to ignore or delete your emails 🙂
and
3) Yes, I would agree the option you mentioned is the most suitable.
Best,
Andy
Thanks Andy! Appreciate it!
And also to confirm, this setting is needed on the domain based community only since we have traffic in one direction only (from A to C through B). Am I right?
Correct. As @emmap had indicated, think of it this way... route based VPN tunnels utilize routing via VTI, so say for example if you have an unnumbered VTI of your external interface, that would send the traffic using that interface for the tunnel. Most vendors are now abandoning domain based VPN tunnels. I believe PAN does not even let you create them any longer, Fortinet does, but literally everyone uses route based ones.
Best,
Andy
For question 2, route based VPNs do routing same as if it were just an interface, so something like that ought to work if the monitoring is good. You might need to play with that and test it a few times to make sure it's reliable in all failure scenarios.
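For question 2, here is an added example (not from the thread and not from Check Point's own documentation) of how that primary/backup arrangement can be expressed in Gaia clish on the Checkpoint gateway. Assumed values: 10.16.0.0/16 is the network behind Site C, 192.0.2.1 is the MPLS next hop, and vt-SiteC is the VTI name of the route based tunnel; check the exact command syntax against the Gaia Administration Guide for your release.

```clish
# Primary path: the Site C network via the MPLS next hop (assumed address).
# priority 1 is the most preferred; with ping on, the route is withdrawn
# while the next hop stops answering ICMP.
set static-route 10.16.0.0/16 nexthop gateway address 192.0.2.1 priority 1 on
set static-route 10.16.0.0/16 ping on

# Backup path: the same prefix via the VTI of the route based VPN (assumed
# interface name), at a lower preference, so it is installed only while the
# MPLS next hop is marked unreachable.
set static-route 10.16.0.0/16 nexthop gateway logical vt-SiteC priority 2 on

save config

# Verify the configured next hops and which one is currently in the kernel
# routing table.
show configuration static-route
show route
```

Note that Gaia's ping monitoring, as I understand it, tests the next hop itself rather than the far end network, so a failure beyond the MPLS CE would not trigger the failover; treat that as an assumption and exercise it in the failure testing suggested above.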
One additional question about this topic. If there is a static route to a different next hop, and a domain based route also exists for this subnet, how does the routing work? Which one has more priority?
I believe only PBR routes would take precedence over the static route itself.
Best,
Andy
For example, there is one subnet 10.16.0.0/16 internally routed to another internal router, and you are using the 10.16.10.0/24 subset as the encryption domain for a site to site domain based VPN with a 3rd party partner. In this case, would the firewall's domain based VPN routing work, or would it not work because of the static route?
Technically, for the VPN tunnel itself, you don't need to add routes manually. Now, if the /16 is already there, that includes the range 10.16.0.1-10.16.255.254, so it should work.
Andy
Domain based VPN takes priority over route based.
@HighTech can you provide feedback about this? Is Check Point able to route between domain-based VPN and route-based VPN?
Thanks
Assuming there is no conflict between the route and domain based VPN, yes.
I don't believe you can do that.
Andy
