Yes, this is sounding a lot more complex than I originally thought :o OK, so
both Cisco routers have a VPN tunnel to the Checkpoint firewall. The Cisco
routers are not VPN'd directly to each other. There are different networks,
same subnet mask at each location. So one office has 172.16.1.0, which is
Checkpoint, then one Cisco router uses 172.16.3.0 and the other 172.16.4.0.
All have a 255.255.255.0 mask. So is it sounding like the subnet mask needs to
be changed somewhere?

Lee Robinson
Network Administrator

-----Original Message-----
From: Previtera, Sal [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 06, 2004 6:36 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] VPN mesh problem between cisco 1720, cisco 806, and Checkpoint NG FP3

Lee,
I am still confused....
Does the 1st Cisco router have to go through the Checkpoint FW in order to reach
the 2nd Cisco router?
Or can the 1st router reach the 2nd router directly without going through the
Checkpoint FW?
I am asking these questions because if router #1 can reach router #2
directly, then you may need a different configuration on the Cisco routers to
allow for 2 different VPN domains (the word here is VPN domain!), one for
the Checkpoint/FW connection and the other to have the 2 routers connect
directly to each other via a VPN tunnel. Each tunnel has different subnets
behind the public interface, I am assuming (if not, then NAT will be
involved!).
Regards.



-----Original Message-----
From: Lee Robinson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 05, 2004 2:01 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] VPN mesh problem between cisco 1720, cisco 806, and Checkpoint NG FP3

Yes, Checkpoint is in the center of the mesh, but I should also say I am
using traditional policy, not simplified. I shouldn't have to do anything, or
much at all, to the Checkpoint since the leg I want to create is going
directly from one Cisco router to the other Cisco, correct? I just think
it's strange I'm not seeing any negotiation taking place. I have all the
crypto debugging on the Cisco, but nothing is coming across in reference to
the new tunnel. I only see crypto messages from the existing tunnel.

Lee Robinson
Network Administrator
Pacific Coast Steel
619.286.3405x111

-----Original Message-----
From: Previtera, Sal [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 05, 2004 6:41 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] VPN mesh problem between cisco 1720, cisco 806, and Checkpoint NG FP3

Lee,
The assumption here is (since you have not clarified) that the Checkpoint FW
is the center of the Mesh Community defined in the VPN Manager in the NG
configuration. Is that correct, or is the Checkpoint FW just a pass-thru?
Thanks,
Sal.

-----Original Message-----
From: Lee Robinson [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 04, 2004 7:18 PM
To: [EMAIL PROTECTED]
Subject: [FW-1] VPN mesh problem between cisco 1720, cisco 806, and
Checkpoint NG FP3

I am having a problem establishing a 3DES IPSEC VPN tunnel between a
Cisco 1720 and a Cisco 806 router. Currently Checkpoint is in the middle of
these two routers. The 1720 and 806 LANs can see the Checkpoint LAN just
fine. The 1720 and 806 LANs cannot see each other, though. I have been trying
to do a "mesh" topology where the two Cisco routers would establish a 3rd
"leg" to the VPN. Then the 806 and 1720 LANs should be able to communicate.
I completed the configuration on both routers, but I am not seeing any
negotiation at all between them. So far I am thinking it has to do with the
route-map setup to prevent NATing through the tunnels, OR it's a simple
routing issue. If anyone has any ideas PLEASE contact me or reply to this
list. Below is what I have on one of the remote routers for NAT and access
lists....

crypto map aptmap 1 ipsec-isakmp
 set peer <remote IP>
 set transform-set aptset
 match address 110
crypto map aptmap 3 ipsec-isakmp
 set peer <remote ip>
 set transform-set la2bayset
 match address 130

ip nat inside source route-map nonat interface Ethernet1 overload

access-list 110 permit ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255 log
! ACL 120 feeds route-map "nonat": anything it permits gets translated by
! "ip nat inside source ... overload". ACLs are first-match, so the deny for
! the new 172.16.3.0 leg has to sit before the "permit ... any" line; with
! the deny placed after it, traffic to 172.16.3.0 matched the permit, was
! NATed to the Ethernet1 address, and no longer matched crypto ACL 130.
access-list 120 deny   ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 120 deny   ip 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 120 permit ip 172.16.4.0 0.0.0.255 any
access-list 130 permit ip 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255

route-map nonat permit 10
 match ip address 120

Lee Robinson
Network Administrator
Pacific Coast Steel
619.286.3405x111
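The following is an added example, not part of the thread and not Cisco code. It models the IOS inside-to-outside order of operations that Cisco documents for NAT (the NAT route-map is evaluated and the source address rewritten before the crypto map is consulted), then runs the thread's access lists through that model for two orderings of access-list 120: one with the "permit ... any" line before the deny for 172.16.3.0, and one with the deny first. The crypto-map sequence numbers, the route-map name and the subnets are taken from the thread; the outside address 192.0.2.1 standing in for the Ethernet1 interface is a constructed placeholder, and the wildcard parser covers only the `ip`, `any` and `host` forms used here.

```python
import ipaddress

# Constructed copies of the thread's access lists in IOS syntax. The only
# difference between the two ACL 120 variants is the position of "permit any".
PERMIT_ANY_FIRST_ACL_120 = """
access-list 120 deny   ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 120 permit ip 172.16.4.0 0.0.0.255 any
access-list 120 deny   ip 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255
"""
DENY_FIRST_ACL_120 = """
access-list 120 deny   ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 120 deny   ip 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 120 permit ip 172.16.4.0 0.0.0.255 any
"""
CRYPTO_ACLS = """
access-list 110 permit ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255 log
access-list 130 permit ip 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255
"""
# crypto map "aptmap": sequence number -> "match address" ACL, as in the thread
CRYPTO_MAP = [(1, 110), (3, 130)]
OUTSIDE_IP = "192.0.2.1"  # constructed placeholder for the Ethernet1 address


def wildcard_to_network(addr, wildcard):
    """IOS wildcard masks are inverted netmasks: 0.0.0.255 covers a /24."""
    inv = int(ipaddress.ip_address(wildcard))
    mask = (~inv) & 0xFFFFFFFF
    net = int(ipaddress.ip_address(addr)) & mask
    return ipaddress.ip_network(
        f"{ipaddress.ip_address(net)}/{ipaddress.ip_address(mask)}")


def take_prefix(fields):
    """Consume one address spec (any / host X / addr wildcard) from a token list."""
    if fields[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), fields[1:]
    if fields[0] == "host":
        return ipaddress.ip_network(fields[1] + "/32"), fields[2:]
    return wildcard_to_network(fields[0], fields[1]), fields[2:]


def parse_acls(text):
    """Parse 'access-list N permit|deny ip SRC WC DST WC [log]' lines into
    {N: [(action, src_net, dst_net), ...]} preserving line order."""
    acls = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[3] != "ip":
            continue
        num, action = int(parts[1]), parts[2]
        src, rest = take_prefix(parts[4:])
        dst, _ = take_prefix(rest)  # trailing keywords such as "log" are ignored
        acls.setdefault(num, []).append((action, src, dst))
    return acls


def acl_action(entries, src, dst):
    """First match wins; every IOS ACL ends with an implicit deny."""
    for action, s, d in entries:
        if src in s and dst in d:
            return action
    return "deny"


def outbound_path(nonat_text, src, dst, outside_ip=OUTSIDE_IP):
    """Inside-to-outside order of operations: route-map "nonat" (permit 10,
    match ip address 120) decides whether the packet is translated, and only
    the post-NAT source is then matched against the crypto map's ACLs.
    Returns which crypto map entry (if any) would trigger negotiation."""
    nonat = parse_acls(nonat_text)[120]
    crypto = parse_acls(CRYPTO_ACLS)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    natted = acl_action(nonat, src, dst) == "permit"
    post_nat_src = ipaddress.ip_address(outside_ip) if natted else src
    for seq, acl_num in CRYPTO_MAP:
        if acl_action(crypto[acl_num], post_nat_src, dst) == "permit":
            return {"natted": natted, "crypto_seq": seq}
    return {"natted": natted, "crypto_seq": None}


if __name__ == "__main__":
    variants = (("permit-any first", PERMIT_ANY_FIRST_ACL_120),
                ("deny before permit", DENY_FIRST_ACL_120))
    for label, text in variants:
        for dst in ("172.16.1.10", "172.16.3.10", "198.51.100.5"):
            print(f"{label:20} 172.16.4.10 -> {dst:13}",
                  outbound_path(text, "172.16.4.10", dst))
```

With "permit any" first, a packet from 172.16.4.10 to 172.16.3.10 is translated to the outside address and then matches neither crypto ACL, which is consistent with seeing no ISAKMP negotiation for the new leg while the existing 172.16.1.0 tunnel keeps working; with the deny ahead of the permit, the same packet stays untranslated and hits crypto map entry 3. The same check applies on the other router with its own subnets swapped in.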

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
