Firewall-1


Subject: Re: [FW-1] VPN tunnel between R55 simplified mode & Cisco Pix 515 possible?
From: cisco4ng <cisco4ng AT YAHOO DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Mon, 26 Jun 2006 11:49:43 -0700
Hi Alan,
  It really depends, but I would have to say "yes", it would affect other active
  VPN tunnels.

  GuiDBedit or dbedit is a utility that you use to modify Check Point database
  parameters. As far as the user.def syntax is concerned, let's say my local
  network has 192.168.0.0/24, 192.168.1.0/24 and 192.168.2.0/24. Instead of
  letting CP supernet it to 192.168.0.0/23, I can tell CP NOT to by modifying
  the user.def file to this:
   
  // User defined INSPECT code
  //
  // Each entry is <first address, last address; netmask>: one line per
  // network that must be proposed on its own instead of being supernetted.
  max_subnet_for_range = {
      <192.168.0.0, 192.168.0.255; 255.255.255.0>,
      <192.168.1.0, 192.168.1.255; 255.255.255.0>,
      <192.168.2.0, 192.168.2.255; 255.255.255.0>
  };

  As always, please make a backup of your original user.def file prior to making
  any changes to it.
   
  HTH.
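Added example (mine, not code from the original post and not from Check Point or Cisco): a small model of the gotcha discussed above. With "largest possible subnet" on, Check Point offers one aggregated block as the Quick Mode proxy ID, the PIX crypto ACL only lists the individual /24s, the proxy IDs do not match and phase II fails; listing every network in max_subnet_for_range makes Check Point propose them one at a time. It assumes (not stated on the page) that the PIX accepts a proposal only when the (local, remote) pair exactly equals a crypto ACL line, and the PIX-side network 10.10.10.0/24 is made up. It also renders the user.def stanza from the post for any list of networks.

```python
"""Added example, not code from the original post or from Check Point/Cisco.

Models the proxy-ID mismatch that breaks Quick Mode (phase II) when Check
Point supernets its encryption domain, and renders the user.def entries
that prevent it.

Assumptions (mine, not stated on the page): the PIX accepts a phase II
proposal only if the proposed (local, remote) pair exactly equals a line in
its crypto ACL; the PIX-side network 10.10.10.0/24 is invented.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]  # (pix_local, checkpoint_local) as the PIX sees it

# Constructed sample data: the three Check Point networks from the post and
# an invented PIX-side network behind a crypto ACL with one line per /24.
CP_NETS: List[Net] = [Net("192.168.0.0/24"), Net("192.168.1.0/24"), Net("192.168.2.0/24")]
PIX_NET = Net("10.10.10.0/24")
PIX_CRYPTO_ACL: List[Pair] = [(PIX_NET, n) for n in CP_NETS]


def largest_possible_subnet(nets: Iterable[Net]) -> Net:
    """Smallest single CIDR block covering every network in nets: the proxy
    ID a gateway with 'largest possible subnet' enabled would propose."""
    nets = list(nets)
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    block = Net(f"{lo}/32")
    while hi not in block:          # widen by one bit until both ends fit
        block = block.supernet()
    return block


def checkpoint_proposals(nets: List[Net], supernet: bool) -> List[Net]:
    """Local subnets Check Point offers in Quick Mode, one SA pair each."""
    return [largest_possible_subnet(nets)] if supernet else list(nets)


def pix_accepts(proposal: Pair, crypto_acl: List[Pair]) -> bool:
    """PIX proxy-ID check under the assumed exact-match semantics."""
    return proposal in crypto_acl


def negotiate_phase2(supernet: bool) -> Dict[str, bool]:
    """Run each Check Point proposal against the PIX crypto ACL and report
    which proposed local subnets the PIX would accept."""
    results: Dict[str, bool] = {}
    for cp_local in checkpoint_proposals(CP_NETS, supernet):
        proposal = (PIX_NET, cp_local)      # as seen from the PIX side
        results[str(cp_local)] = pix_accepts(proposal, PIX_CRYPTO_ACL)
    return results


def user_def_max_subnet_for_range(nets: Iterable[Net]) -> str:
    """Render the $FWDIR/lib/user.def stanza from the post for these networks:
    <first address, last address; netmask>, one entry per network."""
    entries = ",\n".join(
        f"\t<{n.network_address}, {n.broadcast_address}; {n.netmask}>" for n in nets
    )
    return "// User defined INSPECT code\n//\nmax_subnet_for_range = {\n" + entries + "\n};"


if __name__ == "__main__":
    print("supernet on :", negotiate_phase2(supernet=True))   # {'192.168.0.0/22': False}
    print("supernet off:", negotiate_phase2(supernet=False))  # every /24 -> True
    print(user_def_max_subnet_for_range(CP_NETS))
```

Run it as is and the supernetted case shows the single aggregated proposal rejected while the per-network case shows every /24 accepted; feed your own encryption-domain list to user_def_max_subnet_for_range to produce the stanza, and still back up the original user.def before pasting it in.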

Alan Choyna <achoyna AT PATHF DOT COM> wrote:
  Thanks cisco4ng,

Would the mods mentioned in part 1 of the "keep in mind" list affect 
other VPN tunnels we have active?

Also, forgive my ignorance, what is "gui-dbedit"? And what is the 
syntax for adding the networks to $FWDIR/lib/user.def?

Thanks,

Alan

At 05:19 AM 6/26/2006, cisco4ng wrote:
>A few things to keep in mind when doing IPSec between Check Point and
>Pix devices:
>
> 1) Check Point tends to "supernet" the network, so be careful about this
> because it will cause problems and Quick Mode (aka phase II) will fail.
> To fix this, set "IKE_largest_possible_subnet" via gui-dbedit from true
> to false. Furthermore, you can modify the file $FWDIR/lib/user.def and
> include every network on the Check Point side to prevent the supernet
> situation.
>
> 2) Make sure that you have the timeout settings matching on both CP and
> Cisco Pix. The default timeout for CP is 86400 sec and 3600 sec for
> phase I and phase II, respectively. On the Pix, the default timeout
> setting is 86400 and 28800 for phase I and phase II, respectively. To
> change this on the Pix, do this:
> crypto map xxx set security-association lifetime seconds 3600
>
> Other than that, your site-to-site VPN should work without issues
> regardless of whether you have Nokia or SPLAT.
>
> HTH
>
> cisco4ng
> CCIE Security
>
>
>Edouard Zorrilla wrote:
> Hi Alan,
>
>I have done it before with an NG AI and Cisco PIX 6.3 IOS, so I guess it
>should work in a SPLAT like yours.
>
>Regards
>----- Original Message -----
>From: "Alan Choyna"
>To:
>Sent: Sunday, June 25, 2006 9:32 PM
>Subject: [FW-1] VPN tunnel between R55 simplified mode & Cisco Pix 515
>possible?
>
>
> >I have been asked to investigate the potential of creating a VPN tunnel
> >between one of our SPLAT R55 (HFA09) firewall clusters and a Cisco Pix 515.
> >
> > The sys admin who manages the Cisco says it is not possible. Does anyone
> > know if it is possible? If so, are there any gotchas? Is there a standard
> > config I should use?
> >
> > Thanks in advance.
> >
> > Al
> >
> >
> > Alan C. Choyna
> > Director of Infrastructure
> >
> > Pathfinder Associates, LLC
> >
> > http://www.pathfinderassoc.com
> > Internet Strategy Business Consultants
> > mailto:achoyna AT pathf DOT com
> > Business telephone (312) 372-1058 ext 6003. Mobile (773) 255-6662
> >
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > fw-1-owner AT ts.checkpoint DOT com
> > =================================================
> >
>

