carl_t
Contributor

VPN issue between Cisco ASA and Checkpoint

Hi Guys

We have an issue creating a VPN between Checkpoint and Cisco ASA.

Each time we create a supernet as the domain, 172.16.0.0/12, and the user tries to connect to 172.30.1.1 for example, on the ASA we see a tunnel for 172.16.0.0 and 172.30.0.0 and the traffic never makes it.

The setting on the Checkpoint VPN community is set to VPN per subnet pair.

I have checked GUIdbedit and the setting ike_enable_supernet is enabled under global properties, and ike_use_largest_possible_subnets is also set to true.

What do we need to do to get the gateway to use the supernet? How do I check the setting is true on the gateway?

cheers

0 Kudos
4 Replies
RS_Daniel
Advisor

Hello,

When you say "Each time we create a supernet as the domain", do you mean adding that supernet to your local encryption domain (Checkpoint) or to the remote encryption domain (ASA)?

"and the user tries to connect to 172.30.1.1": where is the user? Behind Checkpoint or behind the ASA?

"on the ASA we see a tunnel for 172.16.0.0 and 172.30.0.0": does the ASA receive these IDs from Checkpoint, or does the ASA send those IDs to Checkpoint?

The easy answer would be sk108600 scenario 1: edit the user.def file to send your local encryption domain to the ASA peer as you need. If that is not the case, more details are needed to understand your environment.

Regards

0 Kudos
Abi
Participant

Which version do you have on your Gateway?

0 Kudos
carl_t
Contributor

R81.10

0 Kudos
G_W_Albrecht
Legend

Better open an SR# with CP TAC!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
