Sometimes just changing the ike_largest_possible_subnet parameter in the
$FWDIR/conf/objects_5_0.C file will not be enough and you will need to
edit a file named $FWDIR/lib/user.def

Sagiv 

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of
cisco4ng
Sent: Sunday, July 31, 2005 3:44 PM
To: [email protected]
Subject: Re: [FW-1] Checkpoint R55 and Cisco PIX Site to Site VPN


Well, you need to read the document more closely...
 
For that situation, you need to do the following:
 
on checkpoint side:
 
1) modify the ike_largest_possible_subnet parameter via dbedit or
gui-dbedit from "true" to "false",
2) put in the appropriate rule to allow VPN traffic.
 
On the Pix side:
 
1) create two access-lists, one ACL will be applied to your NAT 0. The
other ACL will be applied to the crypto map.
 
2) In the ACL that will be used for the crypto map, you just allow
access from a specific host behind the pix to access the entire CP
encryption domain or whatever you choose.
 
By changing the ike_largest_possible_subnet, you will have the workaround
for checkpoint super-netting. I run into this problem all the time with
VPNs between CP and Cisco devices (Cisco IOS, VPN concentrator, Cisco
pix, etc...)
 
HTH
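As an added illustration of the two-ACL layout described above (this is not configuration from any poster; all addresses, object names and the peer address are constructed, and the exact dbedit and PIX command syntax should be checked against the release in use; lines beginning with # are commentary, not commands):

```text
# Check Point side (constructed): switch off IKE supernetting with dbedit,
# then install the policy so the change reaches the gateway.
dbedit> modify properties firewall_properties ike_largest_possible_subnet false
dbedit> update properties firewall_properties
dbedit> quit

# PIX 6.x side (constructed): only host 192.168.1.5 behind the PIX may use
# the tunnel to reach the Check Point encryption domain 10.10.0.0/16.
# ACL 1: exempt exactly the tunnelled traffic from NAT (applied to nat 0).
access-list nonat permit ip host 192.168.1.5 10.10.0.0 255.255.0.0
nat (inside) 0 access-list nonat
# ACL 2: interesting traffic for the crypto map. Keep it identical to the
# NAT exemption so the NAT 0 rule never covers more than what is encrypted.
access-list cp-vpn permit ip host 192.168.1.5 10.10.0.0 255.255.0.0
# Let decrypted traffic bypass the interface ACL (Check Point step 2 equivalent).
sysopt connection permit-ipsec
crypto ipsec transform-set cp-set esp-3des esp-sha-hmac
crypto map cp-map 10 ipsec-isakmp
crypto map cp-map 10 match address cp-vpn
crypto map cp-map 10 set peer 203.0.113.10
crypto map cp-map 10 set transform-set cp-set
crypto map cp-map interface outside
isakmp enable outside
isakmp key <PRE-SHARED-KEY> address 203.0.113.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
```

With supernetting disabled, the Check Point side proposes the narrow proxy IDs that match the crypto ACL above instead of a larger aggregated subnet, which is what made Phase 2 fail with the PIX.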


Sagiv Filler <[EMAIL PROTECTED]> wrote:
Well......

This document is o.k. in case you need to be able to encrypt to the
entire encryption domain on both sides. However sometimes this is not
the case. Sometimes you need to be able to open an encrypted connection
only to one or let's say 5 machines (on the checkpoint side) from that
specific PIX while allowing a different CP to get access to the entire
encryption domain. In this case you will encounter problems because of
checkpoint's super netting.

Sagiv

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of no-need-to-list
Sent: Thursday, July 28, 2005 8:25 PM
To: [email protected]
Subject: Re: [FW-1] Checkpoint R55 and Cisco PIX Site to Site VPN


This document from the Cisco site will help you.......

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800ef796.shtml

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b4b40.shtml

Sathya Prakash J wrote:
Hi

Can anyone share a document on configuring site to site VPN between
CISCO PIX and Checkpoint R55 ?

Regards
Sathya Prakash


=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================

