Checkpoint FW to ISA2004 VPN to Internet

Post by ccna5 » Sat, 05 Nov 2005 01:31:18

I have a Checkpoint FW set up in front of a NATed ISA 2004 VPN server
with 2 NICs installed. The problem I am having is that when a remote VPN
client VPNs into the ISA 2004 server, they can browse the network
without any issues; however, if the same client wants to go to the
Internet while connected to the VPN, it seems as though the ISA 2004
server is not routing them back to the Checkpoint FW to go to the
The config is as follows.

--->Remote VPN Client-------->Checkpoint FW -------->NATed ISA2004 VPN Server -------LAN

On the ISA 2004 server both NICs have an internal address assigned to
them; however, one of those is NATed from the Checkpoint FW.
I think the issue may be that when you put a rule in the ISA 2004 firewall to
allow Internet browsing you say go to External, yet both NICs are
technically internally defined. How can you tell the ISA 2004 server, if
you can find the address, to reroute it back to the Checkpoint FW?

These are examples only, not true settings:
(NIC#1, called External, is NATed to an internal address and allows
only PPTP; no gateway on the NIC) -- (NIC#2, called Internal, is
addressed with a gateway of the Checkpoint FW).
The network of is defined as Internal in the properties.
Basically, how can I have a NATed ISA 2004 server behind a different

Hope I explained it OK.

Thanks in advance.

1. Cisco 1721 to Checkpoint FW-1 NG VPN

2. Cisco Pix 6.3(5) to Checkpoint FW VPN


I tried in vain yesterday to build a PIX site-to-site VPN to a 3rd party who
have a Checkpoint FW-1.

I believe I know the issue, as 'debug cry ipsec sa' gave me 'proxy
identities not supported'. A quick Google suggests this is a mismatched ACL;
however, I only have 1 x entry in my crypto ACL on the PIX, so I guess it's
how the Checkpoint represents the same.

The network:


The PC behind the Checkpoint initiates the VPN. It uses a NAT address on the
outside of the Checkpoint (not the Checkpoint peer IP). When attempting to
connect to the AS400 it does so on a public translatable static address. So
in my crypto ACL I have 1 x line for return traffic from the AS400 as:

access-list blah permit ip host (static public IP of AS400) host (NAT address of PC)

The crypto map is between the outside public IPs of the 2 x firewalls and
references access-list blah. NB: IPsec Phase 1 completes OK.

A colleague has suggested that the Checkpoint may 'tag on' another entry in
its equivalent crypto list, namely its peer IP address to my static IP for
the AS400. Originally I actually thought this was something to do with
NAT-T; it isn't in the PIX config anywhere and I don't know if it is
supported out of the box on the Checkpoint.

Has anyone seen anything like this before? Apparently it happens quite a lot
between these 2. The Checkpoint people have told me they only have 1 x
permit allowing their private hosts (10.2.X.X /16) to use the NAT. This is
different to how the PIX does it, as it is public to public.
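An added example to illustrate the proxy-identity mismatch discussed in the post above; it is not part of the original thread and is not Cisco or Check Point code. It parses PIX-style crypto ACL lines and checks whether the Phase 2 proxy identities a peer proposes are an exact mirror of an ACL entry, which is the condition behind the PIX's 'proxy identities not supported' message. The addresses are constructed from the RFC 5737 documentation ranges (203.0.113.10 stands in for the AS400's static public IP, 198.51.100.20 for the PC's NAT address), the peer proposals are assumed cases for illustration (the mirror entry, the colleague's 'peer IP tagged on' theory, the untranslated 10.2.0.0/16 range, and a broader NAT pool), and the exact-mirror requirement is the assumed PIX 6.x behaviour.

```python
import ipaddress
import re

# Parses the two PIX 6.x crypto ACL forms used for site-to-site tunnels:
#   access-list NAME permit ip host A host B
#   access-list NAME permit ip A MASK B MASK
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+ip\s+"
    r"(?P<src>host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>host\s+\S+|\S+\s+\S+)$"
)


def _endpoint(token):
    """Turn 'host A' or 'A MASK' into an IPv4Network."""
    parts = token.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    addr, mask = parts
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_pix_crypto_acl(lines):
    """Return [(acl_name, local_net, remote_net), ...] from crypto ACL lines.

    On a PIX the source side of a crypto ACL is the local (protected)
    network and the destination side is the remote peer's network.
    """
    selectors = []
    for line in lines:
        m = ACL_RE.match(line.strip())
        if m:
            selectors.append((m["name"], _endpoint(m["src"]), _endpoint(m["dst"])))
    return selectors


def check_proxy_ids(our_selectors, peer_proposals):
    """Compare the peer's Phase 2 proposals with our crypto ACL.

    peer_proposals: [(peer_local_net, peer_remote_net), ...] as the peer
    would put them in its Quick Mode ID payloads. Assumed PIX 6.x rule: the
    pair must be an exact mirror (our local == peer remote and our remote ==
    peer local); anything else is rejected as 'proxy identities not supported'.
    """
    ours = {(local, remote) for _, local, remote in our_selectors}
    results = []
    for peer_local, peer_remote in peer_proposals:
        if (peer_remote, peer_local) in ours:
            status = "match"
        elif any(peer_remote.overlaps(l) and peer_local.overlaps(r) for l, r in ours):
            status = "overlap but not exact mirror"
        else:
            status = "no matching entry"
        results.append((str(peer_local), str(peer_remote), status))
    return results


# Constructed sample (RFC 5737 addresses), not the poster's real settings.
PIX_CRYPTO_ACL = [
    "access-list blah permit ip host 203.0.113.10 host 198.51.100.20",
]

# Assumed proposals from the Checkpoint side, written from its point of view
# (its local network first): the mirror of our entry, the peer's own gateway
# address tacked on, the untranslated 10.2.0.0/16 private range, and a
# whole NAT pool instead of the single NAT address.
CHECKPOINT_PROPOSALS = [
    (ipaddress.ip_network("198.51.100.20/32"), ipaddress.ip_network("203.0.113.10/32")),
    (ipaddress.ip_network("198.51.100.1/32"), ipaddress.ip_network("203.0.113.10/32")),
    (ipaddress.ip_network("10.2.0.0/16"), ipaddress.ip_network("203.0.113.10/32")),
    (ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_network("203.0.113.10/32")),
]


def run_check():
    """Run the comparison on the constructed sample and return the report."""
    return check_proxy_ids(parse_pix_crypto_acl(PIX_CRYPTO_ACL), CHECKPOINT_PROPOSALS)


if __name__ == "__main__":
    for peer_local, peer_remote, status in run_check():
        print(f"{peer_local:>18} -> {peer_remote:<16} {status}")
```

The point of the comparison is that only the first proposal would be accepted by a PIX configured with that single ACL entry; whatever the Checkpoint actually sends has to be read from its encryption-domain definition (or from the Quick Mode ID payloads in the PIX debug) and then mirrored, entry for entry, in the crypto ACL.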



3. Configure OpenBSD VPN to match Checkpoint FW

4. Checkpoint 4.0 FW blocks VPN tunnel traffic

5. Cisco VPN client OK - Checkpoint VPN client not OK


7. Connecting with Cisco VPN Client to Check Point VPN Endpoint / FW

8. ISA2004: Access rule of application not working when FW Client enabled?!?

9. Autodetection FW client ISA2004 not working!

10. ISA2004 FW client - not working, not detected on clients

11. VPN3k & Checkpoint FW "cluster"

12. Multicast through Checkpoint FW?

13. Q. ZoneAlarm like Personal Firewall but using a Checkpoint Fw product/client ???

14. checkpoint FW-1 address spoofing log entries

15. Moving old fw rules to new checkpoint r55