
I have two servers:

  1. Checkpoint Safe@Office 500 with IP x.x.x.x and local network a.a.a.a/24
  2. Cisco ASA5505 with IP y.y.y.y and local network b.b.b.b/28

Before setting up a VPN I was able to ping y.y.y.y from any machine on a.a.a.a/24.

My issue is that after setting up a VPN between the 2 servers in question I'm no longer able to ping y.y.y.y from a.a.a.a/24. Does anyone know why this might be?

My guess is that a ping to y.y.y.y is needlessly being routed through the VPN tunnel, but I'm not sure how to prevent that from happening. Also, if it is going through the VPN, then why doesn't the VPN allow it? A clue to this might be in the ASA5505 logs, which state:

Group = x.x.x.x, IP = x.x.x.x, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy a.a.a.a/255.255.255.0/0/0 local proxy y.y.y.y/255.255.255.255/0/0 on interface Outside

Once again my issue is that I'm incapable of interpreting this error.

James

2 Answers


In the case of a client VPN the VPN client is instructed to send all traffic through the VPN by default, i.e. anything on a network that isn't directly connected. Your routing table is ignored. You'll need to enable split tunneling on the ASA if you don't want all traffic to be sent down the VPN tunnel when you are connected.

Cisco split tunneling howto

paulos
  • Hi, thanks for your reply. The VPN is site-site rather than client, does this matter? – James Sep 15 '11 at 14:58
  • Ah, I see. You can ignore what I said about split tunneling then, that only applies to a client vpn. *edit* Serverfault won't let me put any kind of formatting in this comment - I'll write another answer! – paulos Sep 16 '11 at 08:52

If this is a LAN-to-LAN VPN with a topology something like this:

                       <------VPN------> 
a.a.a.a/24---[Checkpoint]---Internet---[ASA]---b.b.b.b/28
               x.x.x.x                y.y.y.y

You are unable to ping the ASA when the VPN is up because Check Point firewalls include themselves in the local encryption domain whilst ASA does not.

The easiest solution would be to add the ASA's external address to its local encryption domain, so the crypto ACL on the ASA should be something along the lines of:

access-list asa-checkpoint-vpn_acl remark ASA outside address to Check Point gateway
access-list asa-checkpoint-vpn_acl permit ip host y.y.y.y host x.x.x.x
access-list asa-checkpoint-vpn_acl remark ASA outside address to the Check Point LAN
access-list asa-checkpoint-vpn_acl permit ip host y.y.y.y a.a.a.a 255.255.255.0
access-list asa-checkpoint-vpn_acl remark original LAN-to-LAN entry (a subnet operand is "address mask", not "host address mask")
access-list asa-checkpoint-vpn_acl permit ip b.b.b.b 255.255.255.240 a.a.a.a 255.255.255.0
paulos
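As an added illustration (not code from the question or either answer), the script below parses the ASA's "no matching crypto map entry" message into the remote and local proxy IDs it reports and checks that pair against the crypto ACL before and after the change paulos suggests. The addresses are constructed placeholders standing in for x.x.x.x, a.a.a.a/24, y.y.y.y and b.b.b.b/28, and treating a match as exact equality with one ACE is a simplifying assumption, not the ASA's full matching logic.

```python
import ipaddress
import re

# Constructed placeholders: x.x.x.x -> 203.0.113.1, a.a.a.a/24 -> 10.1.0.0/24,
# y.y.y.y -> 198.51.100.1, b.b.b.b/28 -> 192.0.2.0/28 (sample only, not real hosts).
SAMPLE_LOG = ("Group = 203.0.113.1, IP = 203.0.113.1, Rejecting IPSec tunnel: "
              "no matching crypto map entry for remote proxy 10.1.0.0/255.255.255.0/0/0 "
              "local proxy 198.51.100.1/255.255.255.255/0/0 on interface Outside")
# Crypto ACL before the fix: only LAN-to-LAN traffic is in the ASA's encryption domain.
ORIGINAL_ACL = ["access-list asa-checkpoint-vpn_acl permit ip 192.0.2.0 255.255.255.240 10.1.0.0 255.255.255.0"]
# After the fix: the ASA's own outside address is added as a local host, as the answer suggests.
EXTENDED_ACL = ["access-list asa-checkpoint-vpn_acl permit ip host 198.51.100.1 host 203.0.113.1",
                "access-list asa-checkpoint-vpn_acl permit ip host 198.51.100.1 10.1.0.0 255.255.255.0"] + ORIGINAL_ACL

PROXY_RE = re.compile(r"remote proxy ([\d.]+)/([\d.]+)/\d+/\d+ local proxy ([\d.]+)/([\d.]+)/\d+/\d+")
ACE_RE = re.compile(r"access-list \S+ permit ip (host \S+|\S+ \S+) (host \S+|\S+ \S+)$")

def parse_proxy_ids(line):
    """Return (remote, local) networks from a 'no matching crypto map entry' message, else None."""
    m = PROXY_RE.search(line)
    if m is None:
        return None
    remote = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    local = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
    return remote, local

def _operand(text):
    """Turn an ACE operand ('host A' or 'A MASK') into an ip_network."""
    parts = text.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1])
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)

def parse_acl(lines):
    """Return [(source, destination)] for each 'permit ip' ACE; other lines are skipped."""
    entries = []
    for line in lines:
        m = ACE_RE.match(line.strip())
        if m is not None:
            entries.append((_operand(m.group(1)), _operand(m.group(2))))
    return entries

def rejected_pair_covered(log_line, acl_lines):
    """True if some ACE has source == local proxy and destination == remote proxy (exact match is an assumption)."""
    ids = parse_proxy_ids(log_line)
    if ids is None:
        return None
    remote, local = ids
    return any(src == local and dst == remote for src, dst in parse_acl(acl_lines))
```

Running `rejected_pair_covered(SAMPLE_LOG, ORIGINAL_ACL)` gives False, which is the situation the log line describes; the same call with `EXTENDED_ACL` gives True.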