VPN Problem

[jimytri]

Hi All,

I got an issue on the VPN between CP and PIX.
CP to PIX (share secret)
CP inside network 172.25.1.0/24
CP outside network 202.202.1.0/30
CP with SPLAT R60

PIX inside network 192.168.10.0/24
PIX outside network 202.202.1.0/30
PIX Version 6.3

VPN setup fine, I could check the IPsec and ISAKMP status in PIX. from PIX inside network could ping CP inside network, and also can browse the CP inside web server.

But from the CP side, CP inside network could not ping PIX inside network. Below it's the PIX configure:

interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 101 permit ip 192.168.10.0 255.255.255.0 172.25.1.0 255.255.255.0
access-list 101 permit ip 172.25.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 192.168.10.0 255.255.255.0 172.25.1.0 255.255.255.0
access-list nonat permit ip 172.25.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 102 permit icmp any any
access-list 102 permit tcp any host 202.202.1.2 eq www
access-list 102 permit ip any any
access-list 102 permit tcp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 202.202.1.2 255.255.255.248
ip address inside 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 202.202.1.2 www 192.168.10.2 www netmask 255.255.255
.255 0 0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 202.202.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set rtptac esp-3des esp-md5-hmac
crypto map rtprules 10 ipsec-isakmp
crypto map rtprules 10 match address 101
crypto map rtprules 10 set peer 202.202.1.1
crypto map rtprules 10 set transform-set rtptac
crypto map rtprules interface outside
isakmp enable outside
isakmp key ******** address 202.202.1.1 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

[Lackie]

Check out resolution sk16536. This usually solves problems between CP and Cisco.

[jimytri]

How to check resolution sk16536?

[Lackie]

If you have access to Check Point's knowledge base, you can just do a search on that resolution number.

[ddarby1]

Can you definitely see the PIX dropping the icmp packets?

You'll be able to see them being dropped by enabling logging (from a console connection):

logging on
logging console debugging

I'm sure you realise there's a few redundant lines in the config as well:

access-list 101 permit ip 172.25.1.0 255.255.255.0 192.168.10.0 255.255.255.0

isn't required because the '101' list is being used to tell the PIX which packets to encrypt (from it's inside 192.168.10.x network). Packets from the 172.25.1.x network are what you want the PIX to decrypt.

Likewise the same line isn't required in the 'nonat' access-list

access-list nonat permit ip 172.25.1.0 255.255.255.0 192.168.10.0 255.255.255.0

You don't need to tell the PIX not to NAT packets from 172.25.1.0/24 on its inside interface, since there shouldn't be any.

Also a couple of redundant bits in access-list 102 (if you 'permit ip any any 'there's no need to have another 'permit tcp any any' line, etc.)

Don't think that'll give you the answer but should help tidy things up.

[jimytri]

Hi Ddarby1,

Thank you for your reply!

I know these 2 lines no use. Because it doesn't work, so I add these 2 line on the PIX.

I use debug crypto ipsec, debug crypto isakmp, debug crypto engine. I cannot see it drop packet from the PIX, it seen the checkpoint didn't send the packet to the PIX.

How the check the VPN log in the Checkpoint. Use Smartview?

Jim

[ddarby1]

Spotted another minor error:

You've listed the masks as /30 but on the PIX the outside address is 202.202.1.2 255.255.255.248. This is a 29 bit mask.

Regarding your question, yes, SmartView is a good place to start. Make sure you have the 'Track' option on the rule in question set to 'log' in SmartDashboard and install the policy.

Look under VPN in the predefined queries (left-hand pane), but also 'All Records' (the default view) as it may be an access problem rather than VPN.

Also, on the PIX, 'logging console debugging' may be more useful than the debug VPN commands you mentioned, since it sounds like the VPN is being established properly.

[jimytri]

Hi Ddarby1,

I fix the problem by update latest HFA in the checkpoint box. It seem the NGX have the problem with the other vendor firewall. Checkpoint suggest update the latest HFA in NGX box.

I also got another question in CP to CP. In PIX, you must add the nonat access-list for the LAN. But in CP to CP, it seem don't need to add this nonat rule in address translation.

Do you know why?

Jim

[ddarby1]

Jim,

Interesting, I tried your config on a Nokia platform w/ Check Point NGX (no hotfix) and PIX 6.3(5) and just could not get it to work properly.

As regards the NAT behaviour, this might date all the way back to the fact that the PIX started off life as NAT device only (PIX = Packet Internet Exchange) and not a router type device.

PIX 6.x requires NAT statements to be in place before traffic is allowed to traverse its interfaces. Therefore the 'NAT 0' comand is used to exempt the specifed traffic from network address translation (usually for VPN's).

Check Point is more flexible. It' a software product used to control routing and harden routed platforms. Therefore it doesn't NAT until you add specific rules in the Address Translation Tab, etc.

Happy to be corrected on any of this.

P.S. I believe the NAT behaviour has changed to route via default n PIX 7.x

I don't suppose you're willing to share the Hotfix, I don't have a Check Point s/ware subscription?

[ddarby1]

Forget the request for the hotfix, I've just got my access.

Regards

[Sergej]

Do you using this article for the reference? http://www.cisco.com/en/US/tech/tk58...800ef796.shtml

logging on , logging console debugging is a good idea also. This will show absolutely all diagnostics lessages on PIX. Look for counters on crypto SA and Access-Lists.