Cisco VPN :: VPN Between ASA 5505 And Checkpoint

Dec 6, 2011

I have set up a VPN tunnel using pre-shared keys between my ASA5505 and a Checkpoint firewall (another company).

I can initiate the tunnel from my side, but they cannot open it from their side. We get Phase2 failures.

The other company is saying:

"Your ASA is expecting my CheckPoint to negotiate the phase 2 timeouts in both seconds and kilobytes. Enabling kilobyte timeouts is not something that is currently realistically feasible on my side, so I ask that you disable/turn off kilobyte timeouts on your side"

However, I do not have a kilobyte timeout specified in the security association for the tunnel, only a seconds.

Is there a hidden default setting I have to turn off? If so, how do I do this?


Cisco Firewall :: Have Checkpoint But Want To Add ASA 5505 SSL VPN?

Dec 10, 2011

I have 5 static public IP addresses at my disposal. A checkpoint firewall with VPN access provides remote access for mobile users. How would I go about integrating the ASA 5505 SSL VPN into this network so some mobile users could continue using the checkpoint VPN client while others could have SSL VPN remote access? Attached is a graphic of the network.


Cisco VPN :: For VPN Between ASA5520 And Checkpoint R55

May 16, 2013

We are trying to configure the VPN with our provider; we are on ASA and they use Checkpoint. The VPN seems to be established on phase 1 and phase 2 too, but when I send ping packets they seem to be lost in the tunnel and the other side does not see them. The ASA is behind another firewall, and the outside interface of this ASA is NATed on this perimeter firewall.


Cisco VPN :: VPN L2L ASA Checkpoint R71 Cannot Make Ping

Feb 17, 2011

I have a problem with an L2L VPN between an ASA and a Checkpoint R71 VPN. I can ping up to the network that is behind the Checkpoint, but they cannot ping me.


Cisco VPN :: 800 Router To CheckPoint IPSEC VPN

Jul 15, 2012

I am trying to get a simple IPSEC VPN between a Cisco 800 router and a CheckPoint firewall. The Phase 1 negotiation is working fine.


Cisco Firewall :: R75-20 / Migrate From Checkpoint To ASA?

Sep 11, 2012

What's required for the migration from a Checkpoint R75-20 Splat install to the Cisco ASA firewall? Links to documentation, step-by-step.


Cisco VPN :: ASA Running 8.4(2) To Checkpoint R70 Tunnel

Dec 11, 2011

I have an ASA running 8.4(2) code.
 
I have been trying to get a VPN tunnel established between this device and a Checkpoint R70 firewall, but have been getting nowhere.
 
The settings are:
 
Encap: ESP
Encryption: AES256
Hash: SHA1
DH: Group 2 (1024)
Authentication: pre-share
lifetime: 1440 min / 4096000 KB
 
I can open the tunnel from the ASA to the Checkpoint, but the Checkpoint cannot open a tunnel with the ASA. It looked like the issue originally was the KB timeout, which was turned off on the Checkpoint side. They have since added that (4096000), but we are getting Phase2 failures.
 
How to create a tunnel between an ASA running 8.4(2) and a Checkpoint R70?
 
I am beginning to think that I have incompatible systems. Is it a PFS issue? If so, how do I enable that in the policy section?


Checkpoint Vpn Server For 500 Users

May 3, 2012

I want the vpn device for about 320 users


Cisco AAA/Identity/Nac :: Configure ACS 5.2 And Checkpoint For Firewall Admin

Aug 5, 2012

how to configure ACS 5.2 for device administration of Checkpoint firewalls and security management servers?


Cisco Routers :: Setting Up VPN Between RV082 And Checkpoint Device?

Jun 10, 2013

We are setting up a VPN between a Cisco RV082 and a Checkpoint device. From the Cisco device we have set up (as remote IP) the public IP 85.xxx.xxx.xxx, but when we try to start the tunnel the VPN log (from the RV082) reports the error "INVALID_ID_INFORMATION" as described below.
 
Jun 11 11:38:41 2013 VPN Log (g2gips1) #894: sending encrypted notification INVALID_ID_INFORMATION to 85.xxx.xxx.xxx:500 
Jun 11 11:38:41 2013 VPN Log (g2gips1) #894: we require peer to have ID '85.xxx.xxx.xxx', but peer declares '10.yy.yy.yyy' 

[code]....

The IP 10.yy.yy.yyy. reported in the log is the natted ip of the Checkpoint device.


Cisco Firewall :: ASA 5510 To Migrate Single Checkpoint

Dec 18, 2012

I am working on a project to migrate a single Checkpoint firewall over to a single ASA 5510, no VPN, just firewall. The Checkpoint firewall has 8 physical interfaces and the ASA 5510 also supports 8 physical interfaces, so this will be a one-to-one swap. At the moment, I don't have an ASA 5510 to test my theory, so I am going to throw it out here. The Checkpoint firewall is a SPLAT running on a powerful IBM server with 8 dual-core CPUs and 32GB of RAM, and it has 1200 rules with over 120,000 objects and some crazy NATs, but it works so we will just leave it at that. There is not that much traffic going across the firewall, so there is no need to put in an ASA 5585.

I used the Cisco conversion tool to do the policy conversion from Checkpoint to Cisco, and I get about 1.5 million lines in the configuration. A lot of it has to do with Checkpoint having no concept of interface security level while ASA does. I am sure I can optimize it to cut down the number of lines in the configuration; however, that is not my main concern at the moment. The customer's goal is that at the time of cutover from Checkpoint to Cisco ASA, they want everything to be perfect, meaning that it will work like magic.

My question is: can the ASA 5510 handle 1.5 million lines of configuration? Are there any limitations on this? I know there are limitations with FWSM but since I don't have a 5510 to test.


Routers / Switches :: Cannot Switch Behind Checkpoint Firewall

Mar 14, 2011

Running EIGRP on network. Hub router connects to remote router via EIGRP and then I have 2 static routes getting traffic to the switch behind the checkpoint firewall (Edge-1 UTM). Some switches I can access while others I cannot.


Cisco Firewall :: Migrate Checkpoint Configurations To ASA 5585 Using SCT Tool

Oct 28, 2011

I am trying to migrate Checkpoint configs to an ASA 5585 using the SCT tool. This tool is asking me to feed it a *.W file from Checkpoint, which is supposed to be a rule definition file on CP, but I can't find it.


Cisco VPN :: VPN Between ASA 5505 And 881?

May 28, 2013

I have configured a VPN on an ASA 5505 and an 881 router, as per the design below. I am seeing the tunnel built from the Cisco 881 router for a few seconds and then it gets deleted, but nothing is showing on the ASA.


Cisco WAN :: Can't Get Through ASA 5505

May 24, 2012

I've been tasked with setting up an ASA 5505 on our ADSL modem & am very lost. I've put the PPPoE details into the ASA 5505 to authenticate with our ISP, but can't get out through it.  I've looked at guides, videos, compared configs
 
This is the current config...
 
: Saved
:
ASA Version 8.2(5)
!
hostname asa
enable password GuuH2OTIRWlZP8z3 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface

[Code]....


Cisco VPN :: SSL VPN On An ASA 5505?

May 2, 2012

I am attempting to configure an ASA 5505 with SSL VPN. The users' request is, from anywhere, to be able to web into the Cisco ASA. [URL]. At that point, we will require them to authenticate through Active Directory via ACS 5.2. The Cisco ASA 5505 is a 50 user ASA. We have also purchased the mobile license as well as a 10 user premium license. That was a bear in itself.
 
1.  How do I configure the SSL setup to use a 3rd party certificate, such as a Comodo certificate?
 
2.  How do I determine which version of AnyConnect I should use for this?  We will support windows, macs, linux and smart phones as well as Tablets.
 
3. If you do a show version, you get all the capabilities of the ASA, of which some are disabled or deactivated. Is there any chart that will show us what needs to be purchased to activate each line entry on the ASA? Is there an all-encompassing PAK?


Cisco VPN :: 5505 VPN Only Going One Way

Mar 13, 2011

We have a customer with three sites; the address ranges are 192.168.215.0/24 head office, 192.168.216.0/24 contract and 192.168.217.0/24 branch office.

The head office has a Cisco ASA 5505 device and the two remote sites have Zyxel P-661 devices. The end result I want here would be a VPN from both remote sites to the head office. This was working before, but now the branch office is not. Now all the users are able to access resources in the head office without any problems, but the users in the head office cannot connect to resources in the branch office.

The Contract office has exactly the same setup and is working okay. I have spoken to Zyxel and they have told me they think the Zyxel setup is okay and that the problem is at the head office. Some of the testing we have done, which is causing confusion, has produced the following results:
 
-From the server in the head office we can ping the internal interface of the Cisco.
-From the server in the head office we cannot ping the external interface of the Cisco
-From the server in the head office we cannot ping the router beyond the firewall.
-From the server at head office I cannot tracert to any external resources.
 
I have just tried doing a Packet trace from the internal address to the address of the router and it has failed with the following message: [code]


Cisco :: Connect ASA 5505 S2S VPN?

Feb 28, 2012

The current scenario is as follows:

ASA 5505 Site A connects to ASA 5505 Site B S2S VPN, both has static IP address.

Now I need to change from ISP so that I can get more internet bandwidth, but the new ISP only has dynamic IP address.

Now I need to change Site B's config to use dynamic IP and still connect to Site A and establish a S2S VPN.

How can I do this? I want the ASA 5505 to change its IP daily so that the VPN connection is still up even if the ISP at site B changes its IP. Or a way to do this automatically as I don't have anybody at site B that can do this manually for me.


Cisco VPN :: Configure ASA 5505 Behind 881?

Jan 6, 2013

We have an MPLS T1 installed at the main office. I just purchased an ASA 5505 to configure a site to site VPN connection. The ISP has a VIP mapped with 1 block of public IP addresses. Configure the ASA 5505.


Cisco :: ASA 5505 / WCS Discovery Over VPN?

Jan 15, 2012

I am having trouble getting 1142 LAP to find the controller. We are running an ASA 5505 at our main campus where the 5508 is located. Each of our distribution centers has a PIX501 and from there about 3-5 APs each. The APs that were primed before installation work great; however, we need the ability to get the other ones that were already installed and are not finding the controller to work without cycling them through main campus. I have opened up UDP ports 12222-12223 and 5246-5246 with no luck.


Cisco VPN :: ASA 5505 Does Not Reconnect

Feb 28, 2012

I have a remote ASA 5505 running 8.3(2) that establishes a site to site VPN to a central ASA 5520 running 8.4(2) immediately upon startup. Then within a random interval ranging from 5 seconds to an hour, the VPN loses the connection, and is not reconnected. Only a reload of the remote ASA will reestablish the VPN tunnel. Then everything is fine until the next disconnection. Both sides have matching lifetimes, and keep alives are enabled on both sides. The debug from the remote ASA is attached, showing what happens through several disconnect/reload sessions.


Cisco VPN :: 5505 / VPN As Failover For WAN?

Dec 5, 2011

We have two sites connected by a gigaman line.  Routing between the two sites is done with a couple of HP routers.  We also have two separate Internet connections, one at each site, through different providers.  The border firewall at one site is a Cisco 5505 and at the other site it is a Cisco 5510.  If the gigaman line goes down, we would like to fail over to a site-to-site VPN.  Any clue how to set this up?  We can set up the site-to-site VPN.  how to make it serve as a failover.  Another question is whether the VPN will cause confusion when the gigaman is operational. 


Cisco VPN :: 5505 / VPN Client For ASA?

Nov 17, 2012

We have a Cisco 5505 firewall and are working to set up VPN through the firewall. What Cisco VPN client should we download for our users to have the right client on their desktops/laptops?


Cisco VPN :: Allow IPsec Through ASA 5505?

May 29, 2011

We have a Cisco ASA 5505 and an internal user (behind NAT) needs to connect via VPN to an external company. I just cannot get this to work. I have enabled IPsec Pass Through from ASDM Configuration --> Firewall --> Service Policy Rules --> Edit Service Policy Rule --> Rule Actions --> ticked IPsec Pass Through. I have tried to find some info from the log but all I get is this message: "IP = [remote gateway ip] Invalid  Packet Detected!" I can't find anything that is blocked from the log.


Cisco VPN :: ASA 5505 - No Connection Across L2L On RA?

Feb 28, 2012

I have an L2L VPN setup between two ASA 5505's. I can communicate across the VPN from either site without an issue. I'd like to be able to grant RA VPN users access to both LAN's but I'm not certain how to proceed (or if it's possible). I have split tunneling setup, and I've added both LAN subnets in the ACL. When I connect to either ASA via RA VPN, I can ping any host on the local subnet behind that ASA. However, when I try to ping hosts on the other side of the L2L VPN, it fails. I'm not sure if I have an ACL setup wrong, or if it's simply not possible.


Cisco VPN :: ASA 5505 - SSL VPN To Lan Subnet

Oct 21, 2012

I'm not sure if this is a possible config, but I have an ASA that I need to be able to SSL VPN to, and get an IP address that is on the same subnet as my internal interface. The reason is, the person connecting in has a utility that does a broadcast on the internal network to discover the devices he is trying to connect to. Therefore, connecting over VPN and getting put on a different subnet won't work. In this case, I am going to start the ASA configuration from scratch. If it's possible to do the above, what are the correct commands to configure it? I was planning to use 10.50.0.1/24 for the internal interface, and then hand out IP addresses on that subnet to both the LAN and the VPN. This is an ASA 5505. It's on IOS 8.4.


Cisco VPN :: How To Separate Wi-Fi And LAN With ASA 5505

Dec 12, 2012

We have a Cisco ASA 5505 in our office. Right now port 0 is configured for outside and port 1 for inside (I believe it is the default configuration). Now, for security reasons, I want to separate the network traffic of inside (office LAN) from Wi-Fi. I believe that, since I have 6 ports in vlan1 (inside), if I make the port which connects to our switch and the port which I am going to connect to my wireless router (same vlan1) protected/isolated, then this should work. But here is what is happening: the minute I save the configuration, port 3, which is supposed to be my Wi-Fi port, loses its connection to the Internet.

I tried to make another VLAN for Wi-Fi to separate the traffic from vlan1, but I am not getting an Internet connection on the port which has been assigned to the new VLAN for Wi-Fi.


Cisco VPN :: ASA 5505 8.3 (1) To 8.2 (2) Works Only One Way

Jun 26, 2011

I’ve set a VPN up between two sites using Cisco ASA 5505s and the Wizard. Unfortunately the VPN works only one way, from 8.2 (2) to 8.3 (1), and after spending one day trying to resolve the issue. Logs show that the ping leaves ASA 8.3 but never hits ASA 8.2 – the opposite way everything works perfectly. [code]


Cisco VPN :: Disconnecting On ASA 5505

Feb 21, 2011

I configured a site to site VPN between ASA 5505s; one site has a static IP and the other side has a dynamic IP. My issue is that the tunnel automatically goes down after maybe 30 minutes if it is idle; if I initiate again from the dynamic side it will come up. My setup is like this: on the static IP side I have an ADSL line, so I connected to the ADSL router, and the ADSL local network is the outside network of the ASA 5505. So dual NAT is there in the VPN connection.


Cisco WAN :: LAN Traffic Not Getting Out On ASA 5505

Apr 18, 2012

For some reason my ASA is preventing my traffic from going out. I've added some crummy access-list and applied it to NAT for it to work. I don't like this. I know it is not right, but I am not sure what part is wrong. I will highlight the stuff I have added to make it work. I don't see what I am missing. If I were to remove these lines my ASA could ping in both directions (in and out), but my LAN cannot do anything but ping the ASA. No other traffic is going out unless I have added these unsafe lines of code.
  
!
interface Vlan1
nameif inside
security-level 100

[Code].....


Cisco VPN :: Standby VPN In ASA 5505?

Aug 21, 2011

Is there any way to put a second site-to-site VPN as standby, so that if the primary comes down this standby comes up? For example, I have an ASA 5505 in my branch office and I wish to add two site-to-site VPNs to my head office. One tunnel must be standby and the other active. Is there any way to achieve this? The contingency can be by hand; it's not necessary for it to be automatic.


Cisco VPN :: VPN Connection Between Pix 501 And ASA 5505?

Feb 14, 2012

We have successfully connected the PIX 501 and ASA 5505 firewalls using IPsec VPN. The firewalls and servers are being shut down after office hours. The problem is that every time we turn on the firewalls, we need to do a "ping" over the VPN in order to establish the VPN connection between the two firewalls. After doing a ping command, the VPN connection between the firewalls is established. We use vpdn to create a tunnel to the ASA firewall.


Cisco WAN :: How To Buy License Of ASA 5505

Dec 6, 2011

I have a Cisco ASA 5505 Base Line, so I want to buy the license key to get more features. What are the requirements and how can I buy it?








Copyrights 2005-15 www.BigResource.com, All rights reserved