Cisco VPN :: ASA Running 8.4(2) To Checkpoint R70 Tunnel
Dec 11, 2011
I have an ASA running 8.4(2) code.
I have been trying to get a VPN tunnel established between this device and a Checkpoint R70 firewall, but have been getting nowhere.
The settings are:
Encap: ESP
Encryption: AES256
Hash: SHA1
DH: Group 2 (1024)
Authentication: pre-share
lifetime: 1440 min / 4096000 KB
I can open the tunnel from the ASA to the Checkpoint, but the Checkpoint cannot open a tunnel with the ASA. It looked like the issue originally was the KB timeout, which was turned off on the Checkpoint side. They have since added that (4096000), but we are getting Phase 2 failures.
How to create a tunnel between an ASA running 8.4(2) and a Checkpoint R70?
I am beginning to think that I have incompatible systems. Is it a PFS issue? If so, how do I enable that in the policy section?
Mar 12, 2013
I'm experiencing a failure on headend 3945 routers with VPN tunnels to remote 2901 routers. Essentially, a tunnel on a 3945 will go down/down although the tunnel on the remote router indicates it is up/up. It happens intermittently and I am not seeing anything in the logs, other than that the tunnel goes down. This seems so much like an IOS bug, but I can't find anything specific in the caveats for this version of code.
Aug 7, 2011
We have an ASA 5540. We set up Site-to-Site VPN and Remote Access VPN (Cisco VPN client). If we are running full tunnel on the Cisco VPN client, the internet access is slow. For example, when we are running full-tunnel, the internet speed is 16 Mbps based on Speedtest.net. When we go to Speedtest.net, some of the graphics do not load. If we are running split-tunnel, the internet access speed is 78 Mbps based on Speedtest.net and the Speedtest.net web site loads all the graphics.
May 16, 2013
We are trying to configure the VPN with our provider. We are on an ASA and they use Checkpoint. The VPN seems to be established on phase 1 and phase 2 too, but when I send ping packets they seem to be lost on the tunnel and the other side does not see them. The ASA is behind another firewall, and the outside interface of this ASA is NATed on this perimeter firewall.
Dec 6, 2011
I have set up a VPN tunnel using pre-shared keys between my ASA5505 and a Checkpoint firewall (another company).
I can initiate the tunnel from my side, but they cannot open it from their side. We get Phase 2 failures.
The other company is saying:
"Your ASA is expecting my CheckPoint to negotiate the phase 2 timeouts in both seconds and kilobytes. Enabling kilobyte timeouts is not something that is currently realistically feasible on my side, so I ask that you disable/turn off kilobyte timeouts on your side"
However, I do not have a kilobyte timeout specified in the security association for the tunnel, only a seconds one.
Is there a hidden default setting I have to turn off? If so, how do I do this?
Feb 17, 2011
I have a problem with an L2L VPN between an ASA and a Checkpoint R71. I can ping up to the network that is behind the Checkpoint, but they cannot ping me.
Jul 15, 2012
I am trying to get a simple IPsec VPN between a Cisco 800 router and a Checkpoint firewall. The Phase 1 negotiation is working fine.
Dec 10, 2011
I have 5 static public IP addresses at my disposal. A Checkpoint firewall with VPN access provides remote access for mobile users. How would I go about integrating the ASA 5505 SSL VPN into this network so that some mobile users could continue using the Checkpoint VPN client while others could have SSL VPN remote access? Attached is a graphic of the network.
Sep 11, 2012
What's required for the migration from a Checkpoint R75-20 SPLAT install to the Cisco ASA firewall? Links to step-by-step documentation would help.
May 3, 2012
I want the VPN device for about 320 users.
Aug 5, 2012
How do I configure ACS 5.2 for device administration of Checkpoint firewalls and security management servers?
Jun 10, 2013
We are setting up a VPN between a Cisco RV082 and a Checkpoint device. On the Cisco device we have set up (as remote IP) the public IP 85.xxx.xxx.xxx, but when we try to start the tunnel the VPN log (from the RV082) reports the error "INVALID_ID_INFORMATION" as described below.
Jun 11 11:38:41 2013 VPN Log (g2gips1) #894: sending encrypted notification INVALID_ID_INFORMATION to 85.xxx.xxx.xxx:500
Jun 11 11:38:41 2013 VPN Log (g2gips1) #894: we require peer to have ID '85.xxx.xxx.xxx', but peer declares '10.yy.yy.yyy'
[code]....
The IP 10.yy.yy.yyy reported in the log is the NATed IP of the Checkpoint device.
Dec 18, 2012
I am working on a project to migrate a single Checkpoint firewall over to a single ASA 5510, no VPN, just firewall. The Checkpoint firewall has 8 physical interfaces and the ASA 5510 also supports 8 physical interfaces, so this will be a one-to-one swap. At the moment I don't have an ASA 5510 to test my theory, so I am going to throw it out here. The Checkpoint firewall is a SPLAT running on a powerful IBM server with 8 dual-core CPUs and 32GB of RAM, and it has 1200 rules with over 120,000 objects and some crazy NATs, but it works, so we will just leave it at that. There is not that much traffic going across the firewall, so there is no need to put in an ASA 5585.
I used the Cisco conversion tool to do the policy conversion from Checkpoint to Cisco, and I get about 1.5 million lines in the configuration. A lot of it has to do with Checkpoint having no concept of interface security level while the ASA does. I am sure I can optimize it to cut down the number of lines in the configuration; however, that is not my main concern at the moment. The customer's goal is that at the time of cutover from Checkpoint to Cisco ASA, they want everything to be perfect, meaning that it will work like magic.
My question is: can the ASA 5510 handle 1.5 million lines of configuration? Are there any limitations on this? I know there are limitations with the FWSM, but I don't have a 5510 to test.
Mar 14, 2011
Running EIGRP on the network. The hub router connects to the remote router via EIGRP, and then I have 2 static routes getting traffic to the switch behind the Checkpoint firewall (Edge-1 UTM). Some switches I can access while others I cannot.
Oct 28, 2011
I am trying to migrate Checkpoint configs to an ASA 5585 using the SCT tool. This tool is asking me to feed it a *.W file from Checkpoint, which is supposed to be a rule definition file on CP, but I can't find it.
Jun 11, 2013
I have 30 switches in my corporate network. It's all up and running; all switches are running the default configuration and connected to a WS-C4506 core switch, and our DHCP server is pooling the 192.168.100.1/27 network. Now we need to configure a new VLAN for the finance department; this department has more than 200 users. If my server distributes the 192.168.200.0 range, can VLAN 2 automatically assign 200.0 addresses to the finance department? All switches are running the default config with no IP address assigned.
May 7, 2013
I need to replace an existing ASA 5540 with a new ASA 5525-X. I would like to pre-stage and configure the new box with the existing config, migrate the license and export certificate files before swapping it with the old one during a change window. The new firewall will run 9.1 on deployment. Now the same 7.2(4) cannot just be copied over to a 5525-X running the minimum 8.6 version. There is a web-based tool available at [URL] according to Cisco documentation, but the page does not load for me (Cisco intranet only tool?). Is there another tool for automatic conversion?
Jan 9, 2011
I have a 7201 router with NPE-G2. I have a design in which I have the option to send all the traffic through a GRE tunnel or an L2TPv3 tunnel. Which method consumes more CPU?
Sep 23, 2012
I'm in the process of purchasing new Cisco routers for our branches that will be used primarily to enable an IPsec virtual tunnel interface with "tunnel mode ipsec ipv4". Does the default IOS IP Base support this feature, or do I need to purchase a DATA license or SECURITY license?
Oct 17, 2012
I am using a Cisco RV110W (firmware 1.2.09) in a branch and I would like to create a VPN tunnel to another site that has a Cisco RV042 (firmware v4.2.1.02).
What would be the correct configuration? The current configuration I am using is:
In the RV042 I am using
Check Enable
Local Group Setup
Local Security Gateway Type : IP Only
IP Address : RV042 Public IP address
[Code].....
Jul 24, 2012
Environment: Linksys WRT300N v1.1, which can run DD-WRT mega. Willing to tunnel all of the LAN's outbound traffic through an SSH tunnel.
Jan 23, 2012
There are a few situations where I'd like to be able to use the locally configured account on a device but still have ACS in place. I want to complete this WITHOUT adding the locally configured account into ACS. I have tried setting the advanced option under Identity for "if an account is not found" to "Continue"; however, this causes the account to be allowed as long as a password is typed (any password, as long as it's not blank).
Apr 19, 2011
I'm not sure how to tell if I'm running SSH version 1 or SSH version 2, or both. I thought a show run would show a line like "ip ssh version 2" or "no ip ssh version 1", but I don't see these anywhere.
Jan 21, 2013
Connecting a PRI to a BRI interface on ISDN. I have all this information provided by the TELCO and I have configured it, but for some reason I am not able to connect them. I have given the questions with the answers provided by the TELCO. I am also providing the running configuration of the PRI interface and the error message I am getting when trying to place a test call.
1. Is the PBX designed for Pre-National or NI-2 protocol? - Protocol using C7MATL
2. Are there any DID station numbers that your CPE cannot accept (i.e. 0 or 9 in the 4th position)? - No
3. Which carriers will be your choices for your PIC and LPIC? - Carrier using D-channel
[code]....
Apr 25, 2013
I am running LMS 4.1 on a VM and it runs very slow. What specs should my VM be running to support this application?
Mar 5, 2013
I can't seem to get my DIR-655 up and running again. I had a D-Link DIR-655 hooked up via RJ-45 cable(s) to my AT&T U-Verse 3800HGV-B Gateway. The DIR-655 was serving as a wireless connection for my laptops and also as a wired networked all-in-one printer that was plugged into it. The Ethernet (RJ-45 cable) traveled from the gateway, through a 4-port switch, and then to the Internet (WAN) jack on the back of the DIR-655. There are a couple of wire-connected computers connected via that switch in between; that's why it's there. At the DIR-655 end I had an HP Photo Premium AIO printer (Model: 309A) connected by wire; and of course, the two laptops would connect via that unit too. The laptops are WinXP and Win7. Everything worked fine... BUT, the upstairs iMac and a downstairs home office XP machine couldn't see the networked printer for some reason. That reason (apparently) is that the DIR-655 is part of a "separate network" or something. Well, long story short - I tried to adjust the settings on the DIR-655 but that didn't work, and then I tried to go back, but that didn't work. So then I decided to just start from scratch to re-setup the whole thing, but NOW I can't even access the router via a browser at url...
Jan 18, 2013
Platform: LMS 3.2.1 with RME 4.3.2 on Windows 2003. I'm having a problem with several devices that were backing up fine until this week - suddenly they aren't backing up their running configurations, but RME is fetching their startup configurations fine and VTP backups are fine. At first I thought it might be timeouts, so I used inline edit to increase the telnet timeout for a device to 180s. However, the job fails well within this time period (debug shows an i/o error?). My order of protocols is SSH, Telnet, TFTP. I took a stab in the dark that this suggested a database problem, so I picked one at random, deleted it from DCR, and re-added it, and it worked. However, for the other 48 devices affected it did not.
I'm wondering if I need to do anything to the RME database to get things back to where they were? Do I need to reinitialize the RME database, and if I do that what do I lose? [code]
Feb 5, 2013
We have two ACS 5.0.4.46.1 and for a few weeks it has been reporting the following error:
I stopped and restarted ACS, reconfigured the repository, reconfigured the backup and so on. I even rebooted the ACS but it still has this problem. I can see "Please contact TAC..." but I first wanted to ask the community.
May 12, 2010
I am trying hard to get WDS running with two WRVS4400N v2. The manual (and the web interface) says: "Note: The WDS feature allows WRVS4400N to connect with up to 3 wireless repeaters that can be either WRVS4400N or WAP200." But I haven't been successful so far in getting it working. What I've done so far:
- Setup the primary WRVS as Gateway, WAN through Modem, LAN and WLAN using WPA2 Personal Mixed, DHCP
- works perfect
- Setup the second WRVS as Router using the same WLAN settings, no WAN and no DHCP
- Enabling WDS on both WRVS, giving each the MAC address of the other
- no connection to LAN or WAN through the second WRVS
I really need the second WRVS to act like a bridge. Since the manual says that I can connect both devices through WDS, I bought two of them. On the other hand, I've now read somewhere in the community that this isn't possible with two WRVS (?)
Sep 23, 2012
I have a particular site that is causing me trouble. This site is connected in a back-to-back configuration using a 2811 at the CO and a 2621XM at the CPE. The CO end is also the CO for 3 other sites, so it has a total of 4 WICs installed (WIC-1SHDSL-V2); these other sites also have 2621XMs for the CPE.
The problem I am getting is that when one site in particular transfers large files to/from client machines, the CPU on the 2811 jumps to 99%:
CPU utilization for five seconds: 99%/98%; one minute: 26%;
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
11 12881868 37249378 345 0.49% 0.50% 0.51% 0 ARP Input
54 8548592 30375358 281 0.40% 0.45% 0.41% 0 XDSL BACKGROUND
[Code]......
Jul 16, 2012
We have a situation where we need to run the ASA as a router. We have two sites connected via a private p2p link; we also have an ASA5520 in each site and we have an L2L IPsec tunnel over the Internet, and we want to fail over to the IPsec-over-Internet pipe in case the p2p link fails. With BFD/OSPF this design works at the L3 level. But we have a problem keeping existing TCP connections when failover happens. The reason is, I believe, that when the ASA sees a new connection coming in without seeing the SYN flag in the packet, it will not create a connection entry and drops the packet unless a new connection is initiated from either side. So my question is, is there any way I can configure the ASA to behave more like an L3 device, ideally to turn off L4 checking for IPsec traffic?
Jan 17, 2011
I have installed WCS 7.0 and now I have installed Navigator on the WCS server. Installation is completed, but when I check the status of WCS, it says "healthmonitor running with errors". Does anyone know what the problem could be and how much it will affect WCS performance?
Aug 28, 2012
I have an existing 1800 router that is using NAT and a VPN to HQ. I now have a new ISP, and so now I need to change the FastEthernet1 IP address. I know how to do that, but what else do I need to change to make everything continue to work?