Sunday, June 24, 2007

Checkpoint and Cisco site-to-site VPN

This guide shows you how to create a site-to-site VPN tunnel between a Checkpoint firewall and a Cisco router. Let's begin:

Checkpoint
IP address: 1.1.1.2
Network behind: 172.20.200.0/24

Create a network object for the network that will sit behind the new Cisco router:



Set the NAT – for Internet routing

[screenshot 2]

Create a network object for the network that will sit behind the Checkpoint firewall:

[screenshot 3]


Set the NAT – for Internet routing

[screenshot 4]

Create a new interoperable device on Checkpoint for the Cisco router:

[screenshot 5]

On the Topology option, add the external interface:

[screenshot 6]

Note: the picture above is wrong (the IP address should be 1.1.1.1), sorry.
Mark it as an external interface:

[screenshot 7]

Create an internal Interface:

[screenshot 8]

Mark it as an internal interface that leads to the network behind the Cisco router:

[screenshot 9]

On the VPN Domain option, choose "Manually defined" and assign the network that is behind the Cisco router:

[screenshot 10]

In the VPN Manager, create a new community or join the new interoperable device to an existing community (either meshed or star).
Here we create a new one:

[screenshot 11]

Under Participating Gateways, add the Cisco router and the Checkpoint firewall:

[screenshot 12]

On the VPN Properties page, make sure phase 1 and phase 2 use the same settings on both the Cisco (configured later) and the Checkpoint.
In this example we use 3DES-MD5 for phase 1 and AES-128-MD5 for phase 2.

[screenshot 13]

On the Advanced Properties page, again make sure phase 1 and phase 2 match on both the Cisco (configured later) and the Checkpoint.
In this example we use Diffie-Hellman group 2 for phase 1.
Disable NAT inside the VPN community, so that site-to-site VPN traffic is not NATed.

[screenshot 14]

On the Shared Secret page, enter the shared secret to be used with the Cisco router:

[screenshot 15]

Create a rule in the Checkpoint firewall to encrypt the traffic between the networks behind each firewall:

[screenshot 16]

Push the policy to the CheckPoint firewall!

Cisco
IP address: 1.1.1.1
Network behind: 172.20.199.0/24

Create the isakmp policy (3DES, MD5, pre-shared key and DH group 2, matching the Checkpoint phase 1 settings):
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2


Create the crypto key:
crypto isakmp key shared-key address 1.1.1.2 no-xauth

where shared-key is the shared secret you set up in Checkpoint and 1.1.1.2 is the Checkpoint IP address.

Create transform set:
crypto ipsec transform-set cm-transformset-1 esp-aes esp-md5-hmac

Create the crypto-map:
crypto map cm-cryptomap 1 ipsec-isakmp
description VPN tunnel to Checkpoint
set peer 1.1.1.2
set security-association lifetime seconds 28800
set transform-set cm-transformset-1
match address 111


Create the crypto access list (the traffic to be encrypted: Cisco network to Checkpoint network). The wildcard masks must describe exactly the /24 networks defined as VPN domains on the Checkpoint; a wider mask produces a phase 2 proxy ID that the Checkpoint will reject:
access-list 111 permit ip 172.20.199.0 0.0.0.255 172.20.200.0 0.0.0.255

Create the inbound access list for the external interface (it must allow the Checkpoint peer itself and the decrypted traffic from the network behind it):
access-list 101 permit icmp any any
access-list 101 permit ip 1.1.1.2 0.0.0.0 any
access-list 101 permit ip 172.20.200.0 0.0.0.255 any
access-list 101 deny ip any any log

Assign crypto-map to the external interface:
interface Serial0/0
bandwidth 2048
ip address 1.1.1.1 255.255.255.0
ip access-group 101 in
no ip proxy-arp
ip nat outside
ip route-cache flow
no cdp enable
crypto map cm-cryptomap

Configure internal interface:
interface FastEthernet0/0
description Cisco LAN
ip address 172.20.199.254 255.255.255.0
no ip proxy-arp
ip nat inside
ip route-cache flow
speed 100
full-duplex
ntp broadcast
no cdp enable


Create the NAT rule:
ip nat inside source route-map nonat interface Serial0/0 overload
route-map nonat permit 10
match ip address 150


Create the access list for NAT: do not NAT traffic between the two sites, and NAT everything else.

access-list 150 deny ip 172.20.199.0 0.0.0.255 172.20.200.0 0.0.0.255
access-list 150 permit ip 172.20.199.0 0.0.0.255 any
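A check I add here (my own example, not part of the original post): the crypto ACL and the NAT-exemption ACL on the Cisco side must describe exactly the two /24 networks defined as VPN domains on the Checkpoint, otherwise phase 2 fails on a proxy ID mismatch or site-to-site traffic gets NATed. This script parses `access-list` lines from an IOS config and compares them with those networks; the sample config is constructed and contains a wildcard typo (0.0.7.255) that widens the proxy ID to a /21.

```python
import ipaddress
# Constructed from the post: the two VPN domains as defined on the Checkpoint side.
CISCO_LAN = ipaddress.ip_network("172.20.199.0/24")
CHECKPOINT_LAN = ipaddress.ip_network("172.20.200.0/24")

def wildcard_to_network(addr, wildcard):
    """IOS wildcard masks are inverted netmasks: 0.0.0.255 -> /24, 0.0.0.0 -> /32."""
    netmask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(netmask)}", strict=False)

def parse_addr(tokens):
    """Consume one ACL address spec: 'any' or 'A.B.C.D WILDCARD' (the host keyword is not handled)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return wildcard_to_network(tok, tokens.pop(0))

def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} for the 'ip' entries."""
    acls = {}
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"] or tokens[3:4] != ["ip"]:
            continue  # icmp/tcp entries define neither proxy IDs nor NAT exemptions
        num, action, rest = tokens[1], tokens[2], tokens[4:]
        acls.setdefault(num, []).append((action, parse_addr(rest), parse_addr(rest)))
    return acls

def check_tunnel(config, crypto_acl, nat_acl):
    """Return findings; an empty list means both ACLs agree with the VPN domains."""
    acls, want, findings = parse_acls(config), (CISCO_LAN, CHECKPOINT_LAN), []
    proxy_ids = [(s, d) for a, s, d in acls.get(crypto_acl, []) if a == "permit"]
    if want not in proxy_ids:
        findings.append(f"crypto ACL {crypto_acl}: proxy IDs {proxy_ids} do not match {want}")
    exempt = [(s, d) for a, s, d in acls.get(nat_acl, []) if a == "deny"]
    if want not in exempt:
        findings.append(f"NAT ACL {nat_acl}: traffic {want} is not exempted from NAT")
    return findings

# Constructed sample: wildcard 0.0.7.255 widens the proxy ID to 172.20.200.0/21, not the /24.
BROKEN = """\
access-list 111 permit ip 172.20.199.0 0.0.0.255 172.20.200.0 0.0.7.255
access-list 150 deny ip 172.20.199.0 0.0.0.255 172.20.200.0 0.0.0.255
access-list 150 permit ip 172.20.199.0 0.0.0.255 any
"""
FIXED = BROKEN.replace("0.0.7.255", "0.0.0.255")

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_tunnel(cfg, "111", "150") or "OK")
```

Run it against a `show running-config` dump with the numbers of your crypto and NAT access lists; an empty result means the Cisco ACLs and the Checkpoint VPN domains agree.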