• Some users have recently had their accounts hijacked. It seems that the now defunct EVGA forums might have compromised your password there and seems many are using the same PW here. We would suggest you UPDATE YOUR PASSWORD and TURN ON 2FA for your account here to further secure it. None of the compromised accounts had 2FA turned on.
    Once you have enabled 2FA, your account will be updated soon to show a badge, letting other members know that you use 2FA to protect your account. This should be beneficial for everyone that uses FSFT.

CheckPoint Firewall problem

Joined
Dec 7, 2005
Messages
557
Wondering if anybody that manages Checkpoint firewalls can help me.

We upgraded from Cisco ASA to checkpoint and on one of our VPN tunnels we translate the source IP addresses from an inside network. ( i.e. 10.1.1.0 /24 to 10.90.90.0 /24) and then send the traffic over the tunnel. The other side needs to see our traffic as 10.90.90.0.

However I keep getting SA encryption errors in the logs. If anyone can help that would be great.
 
lolling at the "upgrade" from an ASA to a Checkpoint... also at the private to private NATing + tunneling going on...

I'd say call Checkpoint's support but the odds of them solving anything are slim to none in my experience.
 
lolling at the "upgrade" from an ASA to a Checkpoint... also at the private to private NATing + tunneling going on...

I'd say call Checkpoint's support but the odds of them solving anything are slim to none in my experience.

It is an upgrade. Checkpoint gateways are extremely secure and can do on one appliance what you'd need multiple to do with other vendors. For example, their software-blade architecture (IPS blade). Anyway, OP, from what you described two things you need to check on. First, what is the VPN object encrypting on for IKE phase 1/2? Also make sure you have define a VPN domain (local) in the object itself. Also what are the flags do you see in Smart Tracker when you filter that connection?

Finally, this is an R75.xx gateway? Splat, IPSO?

Edit: Why are you NAT'ing over a VPN tunnel? There is no need.
 
Last edited:
Might need to NAT if there is a 10.1.1.0/24 network already on the other side... Correct?
 
Might need to NAT if there is a 10.1.1.0/24 network already on the other side... Correct?

There are other ways to prevent over-lapping networks in CP. Then again, there is a difference between manual-NAT and static-NAT.
 
Wondering if anybody that manages Checkpoint firewalls can help me.

We upgraded from Cisco ASA to checkpoint and on one of our VPN tunnels we translate the source IP addresses from an inside network. ( i.e. 10.1.1.0 /24 to 10.90.90.0 /24) and then send the traffic over the tunnel. The other side needs to see our traffic as 10.90.90.0.

However I keep getting SA encryption errors in the logs. If anyone can help that would be great.

Did you get this figured out?
 
Back
Top