Yes, it's possible to configure a group of subnets to be included in the "encryption domain" on the Cisco concentrator. When you set up the LAN-to-LAN settings on the Cisco box, the settings for the remote and local networks are down towards the bottom. If there are multiple networks on both sides you will need to use the "network list" option for the remote and local settings. To define a network list, see the link below:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00801055eb.html#xtocid13

Hope this helps.

Jeffrey Shuron
Security Specialist - CCSA, GSEC, CCNA, MCP
MPR Technologies
315-345-3015
[EMAIL PROTECTED]
www.mprtech.com


From: Leonardo Boulton <[EMAIL PROTECTED]>
Sent by: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]point.com>
Date: 01/03/2003 07:14 AM
Please respond to: Mailing list for discussion of Firewall-1
To: [EMAIL PROTECTED]
cc:
Subject: [FW-1] Cisco to Check Point VPN

Hi lads,

I've been trying to configure a VPN between a Check Point NG (FP1 and FP3) and a Cisco VPN 3000 Concentrator. Finally, I was able to establish the tunnel. I had the following problem:

    |-------[CP NG FP3]----Internet----[Cisco]-------|
    Net 1                                          Net 2

When I ping (as in access anything at all) from Net 2 to Net 1, everything is fine... when you try to ping from Net 1 to Net 2, only Phase 1 is completed but Phase 2 isn't. The message that I get in both logs is that the Cisco is sending a "delete SA" message to the Check Point peer.

After some research, I found out that this is due to the Cisco peer: both encryption domains must be set exactly alike. I mean, both encryption domains must be configured as the same subnetwork... it is not possible for you to have a Class B encryption domain defined for the Check Point (in the Check Point object) and a Class C encryption domain defined on the Cisco side (for the Check Point encryption domain).

I configured the same subnet as the Check Point encryption domain in both peers, and everything worked fine.

Now, I have the following question for you guys... what if I have a group defined on the Check Point side as the encryption domain? It is not possible to configure a group on the Cisco side... it has like a field that you can fill with a subnet and a mask (I don't know that much about the Cisco concentrator, actually, I don't know anything at all!, that's why I came to you...). Is it possible to define like a group, or a list, as an encryption domain? What should/can I do?

Cheers, and thanks,

LB

=================================================
To set vacation, Out Of Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
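The failure described in the thread (Phase 1 completes, Phase 2 never does, and the Cisco side sends "delete SA") is a proxy-ID mismatch: the subnets the Check Point object advertises as its encryption domain and the subnets in the Cisco network list for that peer must be identical, entry for entry. The script below, an added example that is not part of the thread and not Cisco or Check Point code, takes the two lists as a practitioner would transcribe them from each box and reports exactly which entries differ. The subnet values are constructed for illustration; `compare_domains` and `normalize` are names chosen here, not vendor APIs.

```python
"""
Compare two IPsec encryption domains (proxy-ID lists) for exact equality.

Added example, not from the mailing-list thread. It models the point made
there: a Cisco VPN 3000 network list and a Check Point encryption-domain
group must list the same subnets, or Quick Mode (Phase 2) fails. All sample
subnets below are constructed for illustration.
"""
from ipaddress import ip_network, IPv4Network
from typing import Dict, Iterable, List, Set, Tuple


def normalize(domain: Iterable[str]) -> Tuple[Set[IPv4Network], List[str]]:
    """Parse subnets written as CIDR, "addr/mask", or "addr mask".

    Entries are NOT summarised: peers compare proxy IDs literally, so two
    /25s are not the same thing as the /24 they add up to. strict=True
    rejects entries with host bits set (e.g. 10.1.0.5/24), which is a
    misconfigured object rather than a subnet.
    """
    nets: Set[IPv4Network] = set()
    malformed: List[str] = []
    for raw in domain:
        entry = raw.strip()
        if "/" not in entry and " " in entry:        # "10.2.0.0 255.255.255.0"
            addr, mask = entry.split()
            entry = f"{addr}/{mask}"
        try:
            nets.add(ip_network(entry, strict=True))
        except ValueError:
            malformed.append(raw)
    return nets, malformed


def _containment(unmatched: Iterable[IPv4Network], others: Iterable[IPv4Network]):
    """Yield (narrow, wide) pairs where an unmatched subnet sits inside, or
    wholly contains, a subnet on the other side (the Class B vs Class C case)."""
    for net in unmatched:
        for other in others:
            if net == other:
                continue
            if net.subnet_of(other):
                yield (net, other)
            elif other.subnet_of(net):
                yield (other, net)


def compare_domains(side_a: Iterable[str], side_b: Iterable[str]) -> Dict[str, object]:
    """Return a report: 'match' is True only when both sides list the same
    subnets and every entry parsed cleanly."""
    a, bad_a = normalize(side_a)
    b, bad_b = normalize(side_b)
    only_a = sorted(a - b)
    only_b = sorted(b - a)
    pairs = set(_containment(only_a, b)) | set(_containment(only_b, a))
    return {
        "match": not only_a and not only_b and not bad_a and not bad_b,
        "only_on_a": only_a,
        "only_on_b": only_b,
        "supernet_pairs": sorted(pairs),   # covered by the other side, but not identical
        "malformed": bad_a + bad_b,
    }


if __name__ == "__main__":
    # Constructed sample: Check Point group on one side, Cisco network list
    # for the same peer on the other. 192.168.50.0/24 is covered by two /25s
    # on the Cisco side, which still counts as a mismatch.
    checkpoint_group = ["10.1.0.0/16", "10.2.0.0 255.255.255.0", "192.168.50.0/24"]
    cisco_network_list = ["10.1.0.0/255.255.0.0", "10.2.0.0/24",
                          "192.168.50.0/25", "192.168.50.128/25"]
    report = compare_domains(checkpoint_group, cisco_network_list)
    print("exact match:", report["match"])
    for key in ("only_on_a", "only_on_b", "supernet_pairs", "malformed"):
        for item in report[key]:
            print(f"  {key}: {item}")
```

Run it with the two lists copied from the Check Point group object and the Cisco network list; any entry under `only_on_a`, `only_on_b` or `supernet_pairs` is a candidate for the Phase 2 failure, and `malformed` flags objects whose host bits are set and so will never match the other side's proxy ID.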
