
Secureremote client connection through site-to-site VPN


mdc1973 (Technical User, GB), Jul 7, 2003
Need some help if possible...I have a Checkpoint NG AI R54 firewall with a VPN to a Pix (not managed by me). There are also Secure Remote users connecting to the Checkpoint, who are assigned an IP in the 172.x.x.x range by the firewall.

I currently have a problem whereby a SecureRemote user wants to get to servers behind the PIX (IP 10.x.x.x), i.e. connect to the Checkpoint via SecureRemote, then back out the same (external) interface to cross the VPN to the PIX.

I have rules in place as follows:

Src: secure-remote users
Dest: all internal nets + 10.x.x.x
VPN: remote-access VPN

and

Src: all internal nets + secure remote IPs
Dest: 10.x.x.x
VPN: site-to-site VPN

At the moment, when a connection is made to a server behind the PIX, I can see in the logs the packet being decrypted using the SecureRemote rule. However, the output of a tcpdump on the external interface shows the echo-request from 172.x.x.x to 10.x.x.x but nothing coming back (ICMP is allowed across the tunnel). This makes me think the packets are not being encrypted, although the 172.x.x.x range is part of the encryption domain.

Hope this makes some sort of sense, but any ideas of a) whether this is possible to get working and b)...how?
 
Sorry, it's SecureClient, not SecureRemote...
 
Just a thought... I assume that your Checkpoint to PIX VPN tunnel is defined in the VPN communities as Site to Site? If it is, have you configured it to talk to 'Center' only? Is it possible that it needs to be allowed to route to 'other VPN targets'?

I may be well off target here, but it is all I can think of!?
 
Make sure the servers/network behind the PIX are part of the encryption domain.
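The two replies above boil down to a containment check: for the hairpinned SecureClient packet to be re-encrypted towards the PIX, the client's pool address has to sit inside the Check Point gateway's own encryption domain and the 10.x.x.x server has to sit inside the peer's, on top of a rule that accepts the pair. The following script is an added example, not code from the thread or from Check Point; it models the two rules from the question as a first-match rule base and reports which of those conditions fails, reproducing the "decrypted but leaves the external interface in cleartext" symptom. The addresses (192.168.0.0/16, 172.16.0.0/16, 10.0.0.0/8) are constructed placeholders, and the way the VPN column is matched is a simplification of the real gateway's behaviour.

```python
import ipaddress
from dataclasses import dataclass


def nets(*cidrs):
    """Parse CIDR strings into network objects."""
    return [ipaddress.ip_network(c) for c in cidrs]


def contains(networks, addr):
    """True if addr falls inside any of the given networks."""
    return any(addr in n for n in networks)


@dataclass(frozen=True)
class Rule:
    name: str
    src: tuple
    dst: tuple
    vpn: str          # VPN community the rule's VPN column names


# Constructed sample topology; the thread only gives 172.x.x.x and 10.x.x.x.
INTERNAL = tuple(nets("192.168.0.0/16"))   # networks behind the Check Point
SC_POOL = tuple(nets("172.16.0.0/16"))     # pool handed out to SecureClient users
PIX_NETS = tuple(nets("10.0.0.0/8"))       # servers behind the peer PIX

# The two rules described in the question, in the order they were given.
RULES = (
    Rule("sc-to-internal", SC_POOL, INTERNAL + PIX_NETS, "remote-access"),
    Rule("internal-to-pix", INTERNAL + SC_POOL, PIX_NETS, "site-to-site"),
)


def first_match(rules, src, dst, vpn=None):
    """First rule whose src/dst (and optionally VPN column) match the packet."""
    for r in rules:
        if vpn is not None and r.vpn != vpn:
            continue
        if contains(r.src, src) and contains(r.dst, dst):
            return r
    return None


def trace_hairpin(src, dst, local_domain, peer_domain, rules=RULES):
    """Model the checks a SecureClient packet must pass to be re-encrypted
    into the site-to-site tunnel (simplified, assumed behaviour).

    Returns (verdict, findings): verdict is 'encrypted' or 'cleartext'.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    findings = []
    # 1. The decrypted client packet must be accepted by a remote-access rule
    #    (this is the decrypt log entry the poster already sees).
    if first_match(rules, src, dst, "remote-access") is None:
        findings.append("no remote-access rule accepts the decrypted packet")
    # 2. A site-to-site rule must match the same src/dst pair.
    if first_match(rules, src, dst, "site-to-site") is None:
        findings.append("no site-to-site rule matches src/dst")
    # 3. Both ends must be inside the community's encryption domains; if not,
    #    the packet leaves the external interface unencrypted, which is what
    #    the tcpdump in the question shows.
    if not contains(local_domain, src):
        findings.append(f"{src} is outside the local gateway's encryption domain")
    if not contains(peer_domain, dst):
        findings.append(f"{dst} is outside the peer's encryption domain")
    return ("encrypted" if not findings else "cleartext", findings)


if __name__ == "__main__":
    # Pool included in the local domain: the packet is re-encrypted.
    print(trace_hairpin("172.16.0.5", "10.1.2.3", SC_POOL + INTERNAL, PIX_NETS))
    # Pool left out of the local domain: the symptom from the thread.
    print(trace_hairpin("172.16.0.5", "10.1.2.3", INTERNAL, PIX_NETS))
```

Run it with the domains as the gateway objects actually define them; a non-empty findings list points at the object to fix (the local encryption domain for the first reply's 'other VPN targets' angle, the peer's domain for the second reply).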
 