ASA 5505 to Checkpoint site to site multiple subnets

[someguy758]

Hello,
We would like to get a site to site vpn tunnel running from ASA5505 to checkpoint firewall involving multiple subnets on the ASA side.
The ASA Network: there are 6 other locations
loc 1: 12.0.1.0
loc 2: 12.0.2.0
loc 3: 12.0.3.0
loc 4: 15.1.1.0
loc 5: 15.1.2.0
loc 6: 15.1.3.0

ASA inside: 12.0.5.5
Router ( to other locations): 12.0.5.1

Checkpoint inside: 162.15.1.30

I can ping those 6 locations from behind the ASA.
It is setup right now but there is a one way traffic flow from the ASA to the checkpoint. If the check point side tries to ping any of the 6 remote locations I see it trying to establish a new tunnel sending the remote proxy as the public ip of the checkpoint, finding no cryptomap to match of course.

ASA config will follow shortly. Just getting the cisco minds going on this.

 

[desperado618]

The Checkpoint is supernetting. This is classic Checkpoint behavior. Whenever multiple encryption domains are used, and the VPN only works to the CP but not from it, it is supernetting. There are several ways they can address the issue on their side including changing the negotiation to per host (resource hog), making a DB change, switching from traditional mode to simplified, and applying an HFA.

Ikeview is a good tool to identify supernetting:

http://netleets.com/phpbb3/viewtopic.php?f=2&t=13

They can also try these 2 commands:
fw tab -t vpn_enc_domain_valid -f –u
lists encrypt domains
cpstat -d vpn -f IKE
lists vpn issues and peers.

http://www.NetLeets.com

IT Security news and information
In plain English