CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Thread: Site2Site between 2 Cisco ASA

  1. #1
     Join Date: 2016-04-06 | Location: Germany | Posts: 53 | Rep Power: 3

     Site2Site between 2 Cisco ASA

    Hi everyone,

    I am doing some learning labs and I have a question about a special scenario. Maybe it is easy, but I am not able to get the solution.

    This is my Lab environment:

    (Lab diagram attached as an image.)


    - HQ is a Checkpoint R77.30
    - Site A is a Cisco ASA
    - Site B is a Cisco ASA

    Now here is my question:

    The tunnels are working fine, only traffic between SITE-A and SITE-B is not working.

    As I said, maybe it is an easy solution, but I don't get the point...

  2. #2
     Join Date: 2007-06-04 | Posts: 3,267 | Rep Power: 15

     Re: Site2Site between 2 Cisco ASA

    What you need to do at the Check Point side is

    1.) Make sure it is a single Star Community that has the Ciscos as satellites
    2.) Set the VPN Routing in the Community so that satellites can communicate
    3.) Make sure that you have rules on the Check Point allowing SiteA networks to SiteB
    4.) Make sure that the Ciscos are configured to send traffic for the remote site via the Check Point

  3. #3
     Join Date: 2016-04-06 | Location: Germany | Posts: 53 | Rep Power: 3

     Re: Site2Site between 2 Cisco ASA

    Ok,

    thank you for your comment.

    Actually I made 2 Star Communities, one Star Community for every ASA.

    I will change this and try again. So Check Point divides 2 Star Communities strictly from each other. (It makes total sense ;-) )

    Unfortunately I don't get the point with the routing from A to B over the HQ.

    I know that I need a static route, but what destination (next hop) should I put into the route?

  4. #4
     Join Date: 2007-03-30 | Location: DFW, TX | Posts: 171 | Rep Power: 12

     Re: Site2Site between 2 Cisco ASA

    Quote, originally posted by Dom2201:

        Ok,

        thank you for your comment.

        Actually I made 2 Star Communities, one Star Community for every ASA.

        I will change this and try again. So Check Point divides 2 Star Communities strictly from each other. (It makes total sense ;-) )

        Unfortunately I don't get the point with the routing from A to B over the HQ.

        I know that I need a static route, but what destination (next hop) should I put into the route?

    "VPN Routing" is a section of the VPN community configuration which lets you specify that the center gateways should forward traffic with a source behind one satellite and a destination behind another satellite in the same community.

    In terms of actual routing on the ASAs, you should probably just use your default route to send it out to the Internet. Ultimately, what gateway you specify for the route shouldn't matter, since the only goal is to get it going out the right interface. The packet shouldn't be clocked out in the clear, so the gateway address of the route should never be used.

    The crypto maps on each ASA will need to be modified to include the networks behind the other ASA so as to trigger encryption. Once encrypted, the packet's destination IP will be the center Check Point gateway, so Internet routing should take over from there.

    When the Check Point gateway receives the encrypted packet, it will verify it using the HMAC, decrypt it, then check to see if the source and destination are allowed to talk to each other in a VPN. This involves checking the encryption domains of the objects it has for the ASAs and checking the VPN Routing setting in the community, as described above. If they are allowed to talk, the Check Point gateway will then re-encrypt it to the second ASA.

    Things get a little more complicated if you want to use route-based VPNs (with a tunnel interface), but not enormously so.

    Zimmie
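As an added illustration of what posts #2 and #4 describe (this is a constructed model written for this page, not code from the thread, from Check Point or from Cisco), the small Python script below follows one packet from behind satellite ASA "site A" towards "site B": first the ASA's crypto-map selection (does the src/dst pair match the crypto ACL, and if so, which peer), then the center gateway's checks after decryption in the order post #4 gives them: encryption domains, the community's VPN Routing setting, then the rule base. All addressing, the object names, the rule base and the `satellites_via_center` flag are assumptions; the flag stands in for the community's VPN Routing choice and does not reproduce SmartDashboard's option labels.

```python
"""Toy model of the hub-and-spoke path: ASA crypto-map selection, then the
Check Point center gateway's encryption-domain, VPN Routing and rule checks.
Constructed example; addressing and names are assumptions, not from the thread."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed lab addressing (RFC 1918 and documentation ranges).
HQ_NET = ip_network("10.0.0.0/24")
SITE_A_NET = ip_network("10.1.0.0/24")
SITE_B_NET = ip_network("10.2.0.0/24")
CENTER_PUBLIC = ip_address("198.51.100.1")   # hypothetical public IP of the center


@dataclass
class Asa:
    name: str
    peer: IPv4Address   # crypto-map peer: always the center, never the other ASA
    crypto_acl: list    # (src_net, dst_net) pairs = "interesting traffic"

    def select(self, src, dst):
        """Crypto-map selection. A match is encrypted to the peer; anything
        else just follows the ordinary routing table in the clear."""
        for s, d in self.crypto_acl:
            if src in s and dst in d:
                return ("encrypt", self.peer)
        return ("clear", None)


@dataclass
class CenterGateway:
    domains: dict                 # object name -> list of networks (encryption domain)
    rules: list                   # (src_net, dst_net, action), first match wins
    satellites_via_center: bool   # assumed stand-in for the community's VPN Routing setting

    def owner(self, addr):
        """Name of the encryption domain that contains addr, or None."""
        for name, nets in self.domains.items():
            if any(addr in n for n in nets):
                return name
        return None

    def rule_allows(self, src, dst):
        for s, d, action in self.rules:
            if src in s and dst in d:
                return action == "accept"
        return False  # implicit drop at the end of the rule base

    def handle(self, src, dst):
        """Decision after decryption: domains, VPN Routing, then the rule base."""
        src_dom, dst_dom = self.owner(src), self.owner(dst)
        if src_dom is None or dst_dom is None:
            return "drop: address outside every encryption domain"
        if dst_dom != "center" and not self.satellites_via_center:
            return "drop: VPN Routing is 'to center only'"
        if not self.rule_allows(src, dst):
            return "drop: no rule accepts this traffic"
        if dst_dom == "center":
            return "deliver to HQ"
        return f"re-encrypt to {dst_dom}"


def trace(asa, center, src, dst):
    """Follow one packet from behind a satellite ASA towards its destination."""
    src, dst = ip_address(src), ip_address(dst)
    action, peer = asa.select(src, dst)
    if action == "clear":
        return ["sent in the clear via the default route: never enters the tunnel"]
    return [f"encrypted to {peer}", center.handle(src, dst)]


def build_center(satellites_via_center):
    return CenterGateway(
        domains={"center": [HQ_NET], "site_a": [SITE_A_NET], "site_b": [SITE_B_NET]},
        rules=[(SITE_A_NET, HQ_NET, "accept"), (SITE_A_NET, SITE_B_NET, "accept")],
        satellites_via_center=satellites_via_center,
    )


# Starting point of the thread: site A's crypto ACL only covers HQ.
ASA_A_BEFORE = Asa("site_a", CENTER_PUBLIC, [(SITE_A_NET, HQ_NET)])
# After the fix from post #4: site B's network added, peer unchanged.
ASA_A_AFTER = Asa("site_a", CENTER_PUBLIC,
                  [(SITE_A_NET, HQ_NET), (SITE_A_NET, SITE_B_NET)])

if __name__ == "__main__":
    for label, asa, routing in [("ACL without site B", ASA_A_BEFORE, True),
                                ("ACL fixed, routing to center only", ASA_A_AFTER, False),
                                ("ACL fixed, satellites via center", ASA_A_AFTER, True)]:
        print(f"{label}: {trace(asa, build_center(routing), '10.1.0.10', '10.2.0.10')}")
```

The first scenario is the original poster's symptom: with a crypto ACL that only names the HQ network, a packet from site A to site B matches nothing, leaves via the default route in the clear and never reaches the center, so no next hop in a static route can help. The second shows that adding the remote network to the ACL is not enough on its own; the community's VPN Routing must also permit satellite-to-satellite traffic, and a rule must accept it, before the center re-encrypts towards site B.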
