Doesn't that give users behind the Cisco access to networks behind the
FW-1 that you may not want to be accessible?
Chris
-----Original Message-----
From: Leonardo Boulton [mailto:lboulton AT CYBERTECHPROJECTS DOT COM]
Sent: Friday, May 30, 2003 2:02 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Query: VPN between CP NG FP3 and Cisco 3000 concentrator
I meant that at both end points, the encryption domains should be
exactly the same. It is possible for you to have the encryption domain
in your Check Point Gateway defined as a group of networks. In such a
case, you must do so in the Cisco Concentrator: all of the networks!
In my case I had many VPN tunnels in a Check Point firewall, so the
encryption domain was constituted by three networks. The Cisco
Concentrator only needed to access one of the networks. Originally, I
set only that network as the Check Point encryption domain in the Cisco,
and the VPN didn't work. Then I tried configuring the three networks in
the Concentrator, and it worked that way.
On Thu, 2003-05-29 at 21:53, Mohan Mysore wrote:
> Leonardo
> Thanks for your mail. The config we have is 10.88.0.0/24 {Local
> encryption domain} and 10.20.0.0/24 {Remote encryption
> domain}. Not sure what you mean by
> "I also found problems with the source and destination objects that you
> place on the rules of the Check Point Gateway."
>
>
> Thanks
> Mohan Mysore
> Insure IT Services
> Tel Ph: 612-97017086 Fax: 612-9701 7501
> Mobile: 0409 073853
> Email: mohan.mysore AT qbe DOT com
> Web: www.qbe.com
>
> From: Leonardo Boulton <lboulton@CYBERTECHPROJECTS.COM>
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> cc: (bcc: Mohan Mysore/NSW/IITS/Insurance)
> Date: 29/05/2003 09:59 PM
> Subject: Re: [FW-1] Query: VPN between CP NG FP3 and Cisco 3000 concentrator
> Please respond to Mailing list for discussion of Firewall-1
>
> Mohan,
>
> I had the same problem and it took me a lot to find out what was
> happening. I found that the VPN Concentrator drops packets that come
> from networks that are not defined as part of its encryption domain or
> vice versa. In other words, make sure that the entire encryption domain
> of the VPN Concentrator is configured on the Check Point Objects, AND
> that the exact Check Point Encryption Domain is configured on the VPN
> Concentrator. Both domains must match exactly.
>
> I also found problems with the source and destination objects that you
> place on the rules of the Check Point Gateway.
>
> Hope this helps,
>
> L.
>
> On Wed, 2003-05-28 at 23:56, Mohan Mysore wrote:
> > Hi All
> > I am having issues setting up a VPN between a CP NG FP3 HF2
> > firewall running on a Nokia IP350 platform and a Cisco VPN
> > concentrator 3000 series running v 3.65R.
> > The issue being we are unable to successfully set up a tunnel between
> > the 2 devices for IKE 3DES MD5 encryption using pre-shared secrets.
> > All that is displayed on the log is the initial key exchange traffic for
> > Phase 1 and no success with the Phase 2 if the key exchange is initiated
> > from the CP end. But if the exchange is from the Cisco end the key
> > exchange is successful and we can see some encrypt traffic on the CP end
> > but the other end does not see any traffic coming in. It is the same
> > for the decrypt traffic coming from the Cisco to the CP. Any help
> > is appreciated on the issues... Thanks
> > Mohan Mysore
> > Insure IT Services
> > Tel Ph: 612-97017086 Fax: 612-9701 7501
> > Mobile: 0409 073853
> > Email: mohan.mysore AT qbe DOT com
> > Web: www.qbe.com
> >
> >
> >
> > ________________________________________________________________________
> > IMPORTANT NOTICE : The information in this email is confidential and may
> > also be privileged. If you are not the intended recipient, any use or
> > dissemination of the information and any disclosure or copying of this
> > email is unauthorised and strictly prohibited. If you have received
> > this email in error, please promptly inform us by reply email or
> > telephone. You should also delete this email and destroy any hard
> > copies produced.
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your subscription
> > options, email fw-1-owner AT ts.checkpoint DOT com
> > =================================================
> >
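The matching rule discussed in this thread (each peer's remote network list must mirror the other peer's local encryption domain exactly) can be checked offline before a change window. The following is an added example, not code from any poster or vendor; only 10.88.0.0/24 and 10.20.0.0/24 come from the thread, the other networks and the rule destinations are constructed, and it assumes access through the tunnel is still decided by the gateway rule base.

```python
from ipaddress import ip_network

def normalize(nets):
    """Parse CIDR strings into a set of networks (raises on stray host bits)."""
    return {ip_network(n) for n in nets}

def domain_mismatches(a_local, a_remote, b_local, b_remote):
    """Networks that break the mirror rule described in the thread:
    A's local domain must equal B's remote list, and vice versa."""
    a_local, a_remote = normalize(a_local), normalize(a_remote)
    b_local, b_remote = normalize(b_local), normalize(b_remote)
    return {
        "a_local_missing_on_b": sorted(a_local - b_remote),
        "b_remote_unknown_to_a": sorted(b_remote - a_local),
        "b_local_missing_on_a": sorted(b_local - a_remote),
        "a_remote_unknown_to_b": sorted(a_remote - b_local),
    }

def domains_match(a_local, a_remote, b_local, b_remote):
    """True only when both directions mirror each other exactly."""
    return not any(domain_mismatches(a_local, a_remote, b_local, b_remote).values())

def in_domain_but_not_permitted(local_domain, permitted_destinations):
    """Domain networks that no rule admits: the rule base is the only
    control keeping these closed to the peer, so review them explicitly."""
    permitted = normalize(permitted_destinations)
    return sorted(n for n in normalize(local_domain)
                  if not any(n.subnet_of(p) for p in permitted))

# 10.88.0.0/24 and 10.20.0.0/24 are from the thread; the rest is constructed.
CP_LOCAL = ["10.88.0.0/24", "10.88.1.0/24", "10.88.2.0/24"]
CISCO_LOCAL = ["10.20.0.0/24"]
CISCO_REMOTE_PARTIAL = ["10.88.0.0/24"]  # only the network the peer needs
RULE_DESTINATIONS = ["10.88.0.0/24"]     # hypothetical rule-base destinations

if __name__ == "__main__":
    # Case that failed in the thread: the peer lists one of three networks.
    bad = domain_mismatches(CP_LOCAL, CISCO_LOCAL, CISCO_LOCAL, CISCO_REMOTE_PARTIAL)
    for key, nets in bad.items():
        print(key, [str(n) for n in nets])
    # Case that worked: the peer lists all three networks.
    print("mirrored:", domains_match(CP_LOCAL, CISCO_LOCAL, CISCO_LOCAL, CP_LOCAL))
    # Networks now in the tunnel definition with no rule admitting them.
    print("review:", [str(n) for n in in_domain_but_not_permitted(CP_LOCAL, RULE_DESTINATIONS)])
```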