Cisco Pix 6.3(5) to Checkpoint FW VPN


I tried in vain yesterday to build a PIX site-to-site VPN to a 3rd Party who have a Checkpoint FW1.

I believe I know the issue as the debug crypto ipsec sa gave me a 'proxy identities not supported'. A quick Google suggests this is a mismatched ACL, however, I only have 1 x entry in my crypto ACL on the PIX so I guess it's how the Checkpoint represents the same.

The network:


The PC behind the Checkpoint initiates the VPN. It uses a NAT address on the outside of the Checkpoint (not the Checkpoint peer IP). When attempting to connect to the AS400 it does so on a public translatable static address. So in my crypto ACL I have 1 x line for return traffic from the AS400 as follows:

access-list blah host (static public IP of AS400) host (nat address of PC) etc.

The crypto map is between the outside public IP's of the 2 x firewalls and references access-list blah. NB IPSEC Phase 1 completes OK.

A colleague has suggested that the Checkpoint may 'tag on' another entry in its equivalent crypto list, namely its peer IP address to my static IP for the AS400. Originally I actually thought this was something to do with NAT-T - it isn't in the PIX config anywhere and I don't know if it is supported out of the box on the Checkpoint.

Anyone seen anything like this before? Apparently it happens quite a lot between these 2. The Checkpoint people have told me they only have 1 x permit allowing their private hosts (10.2.X.X /16) to use the NAT. This is different to how the PIX does it as it is public to public.



Darren Green
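The 'proxy identities not supported' error in the post above comes from Phase 2: the PIX only accepts a quick-mode proposal whose local/remote IDs are the exact mirror image of one line in its crypto ACL. The script below is an added example, not part of the forum post or any vendor's code, that models that comparison for the topology described: the PIX ACL has one host-to-host line (AS400 static public IP to the PC's NAT address), while the Check Point side may present its private 10.2.0.0/16 range, its own peer IP, or the NAT address as the local ID. All addresses are constructed from RFC 5737 documentation ranges, and the strict equality rule for selectors is an assumption about PIX behaviour that the example makes explicit rather than something quoted from the thread.

```python
"""Added example: how a PIX responder matches IPsec Phase 2 proxy identities
against its crypto ACL, and why a Check Point VPN domain expressed differently
produces 'proxy identities not supported'.  Addresses are constructed (RFC 5737
documentation ranges); the mirror-image equality rule is assumed."""
from ipaddress import ip_network


def host(addr):
    """A PIX 'host X' keyword in a crypto ACL is a /32 selector."""
    return ip_network(f"{addr}/32")


# Constructed topology -----------------------------------------------------
AS400_STATIC = host("192.0.2.10")          # static public NAT of the AS400 behind the PIX
PC_NAT       = host("198.51.100.77")       # NAT address the PC uses outside the Check Point
CP_PEER      = host("203.0.113.1")         # Check Point outside (peer) IP
CP_PRIVATE   = ip_network("10.2.0.0/16")   # Check Point's private hosts, pre-NAT

# PIX crypto ACL as in the post: one line, (source = local, destination = remote)
PIX_CRYPTO_ACL = [(AS400_STATIC, PC_NAT)]


def responder_match(acl, proposal):
    """proposal is (initiator_local, initiator_remote) from the quick-mode ID
    payloads.  The responder accepts only an ACL line whose source equals the
    initiator's remote ID and whose destination equals the initiator's local ID
    (the mirror image).  Returns the matching ACL line or None."""
    init_local, init_remote = proposal
    for src, dst in acl:
        if src == init_remote and dst == init_local:
            return (src, dst)
    return None


def checkpoint_proposals(local_domain, remote_domain):
    """A gateway whose VPN domain holds several objects proposes one proxy-ID
    pair per (local, remote) combination; this is how an extra peer-IP entry
    gets 'tagged on' to the list the PIX sees."""
    return [(local, remote) for local in local_domain for remote in remote_domain]


def diagnose(acl, proposals):
    """One tuple per proposal: ('OK' | 'REJECT', local, remote, reason)."""
    results = []
    for local, remote in proposals:
        if responder_match(acl, (local, remote)):
            results.append(("OK", local, remote, "mirror image of an ACL line"))
            continue
        src_ok = any(src == remote for src, _ in acl)
        dst_ok = any(dst == local for _, dst in acl)
        if not src_ok and not dst_ok:
            why = "neither ID matches any ACL line"
        elif not dst_ok:
            expected = ", ".join(str(dst) for _, dst in acl)
            why = f"initiator local ID {local} is not an ACL destination ({expected})"
        else:
            why = f"initiator remote ID {remote} is not an ACL source"
        results.append(("REJECT", local, remote,
                        f"proxy identities not supported: {why}"))
    return results


if __name__ == "__main__":
    scenarios = {
        "private range as local ID": checkpoint_proposals([CP_PRIVATE], [AS400_STATIC]),
        "peer IP tagged on + NAT host": checkpoint_proposals([CP_PEER, PC_NAT], [AS400_STATIC]),
        "NAT host only": checkpoint_proposals([PC_NAT], [AS400_STATIC]),
    }
    for name, proposals in scenarios.items():
        print(f"== {name}")
        for status, local, remote, reason in diagnose(PIX_CRYPTO_ACL, proposals):
            print(f"  {status:6} {local} <-> {remote}: {reason}")
```

Running it shows that only a proposal whose local ID is the PC's NAT /32 and whose remote ID is the AS400 static /32 is accepted; the private 10.2.0.0/16 range and the peer-IP entry are both rejected with the same error the PIX logged, which is the check to make against the Check Point's VPN domain and NAT configuration before touching the PIX ACL.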