|
Posted by James on August 14, 2007, 1:08 pm
If you were Registered and logged in, you could reply and use other advanced thread options
OK, this is my situation.
I have a site-to-site VPN between a PIX and a checkpoint firewall, and
all works well. The type of VPN on the checkpoint side is, simplified. I
have one network on the checkpoint object for the VPN encryption domain,
and on network for the PIX object as the destination network. All
networks mirror each other.
As soon as the policy is pushed and the VPN is up, I can get to the
outside interface of the PIX (the tunnel terminating point.) As soon as
the tunnel is up and I try to get there by ICMP/traceroute, checkpoint
blocks it, and tracker says, no valid SA etc...
I’m confused at this and have tried all sorts to sort it. I need to
still get to the PIX on the external interface to manage it. I can put
in an exclusion for encrypting which seems to work, but that’s a bodge,
and I still can't see why that stops it as the outside interface isn't
in the encryption domain. If I try any other spare IP on the external
PIX LAN, things are fine, it’s just to the external IP of the PIX I’m
having problems with.
Does anyone have any ideas?
Kind regards.
James
|
| Similar Threads | Posted | | Checkpoint - Deny traceroute through checkpoint firewall | August 10, 2004, 3:27 pm |
| Checkpoint - NAT Help | February 7, 2005, 8:00 am |
| checkpoint | March 17, 2005, 5:12 pm |
| checkpoint fp1 +ike | October 25, 2005, 12:08 am |
| CheckPoint help on | September 15, 2006, 2:37 pm |
| Checkpoint QoS | October 24, 2006, 3:29 pm |
| checkpoint and static nat | August 3, 2004, 5:19 pm |
| Checkpoint and Cisco 501 | August 29, 2004, 10:47 am |
| Looking at PIX syslogs the CheckPoint way | December 21, 2004, 11:41 am |
| CheckPoint VPN Edge? | January 5, 2005, 8:40 pm |
|
|
Yahoo! 
Google 
Windows Live 
del.icio.us 
digg 
Netscape 
XML site map