Hello, I have configured 3 VPNs using ISA and Checkpoint; the major problem is to configure the ISA server properly. Overall, check the firewall rules at the ISA server site; maybe packets are being dropped at the ISA server before they get to the end user. If you see encrypted/decrypted traffic at your side (with the right source and destination) it means Phase 2 is UP... I'll see if I can get you a printscreen of the ISA config.
Rgds..

-----Original message-----
From: Mailing list for discussion of Firewall-1 [mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On behalf of Peter Addy
Sent: Thursday, December 23, 2010 3:12 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] Site 2 site VPN between Microsoft ISA Firewall to Checkpoint NGX R65 incoming

Hi, has anyone out there had any experience with setting up a VPN between a Checkpoint NGX R65 and a Microsoft ISA Firewall? We have configured our Checkpoint as usual but with tunnel management set as per host.

The strange thing is we can do the key exchange, exchange hosts, and can even see the application being tested incoming: the packets come into our firewall, which then decrypts them; this then NATs correctly and so forth to the destination server, so all looks fine. I even do a tcpdump on the internal interface of our firewall and can see packets being exchanged between the translation source IP and the translated destination server; however, the user does not get any response back. If all looks fine and address translation is happening and we do not see any errors in our logs, then does anyone please know what might be the problem?

Has anyone out there had any experience with setting up a VPN between a Checkpoint NGX R65 and a Microsoft ISA Firewall? We have configured our Checkpoint as usual but with tunnel management set as per host for this one device.

The user below gets these messages in his ISA Firewall log:

Log type: Firewall service
Status: A connection was closed because no SYN / ACK response is received from the server

Log type: Firewall service
Status: A connection attempt failed because the connected party did not properly respond after a certain period of time, or established connection failed because connected host has failed to respond

Is there anything I have missed? Why would the user not get a response back?
Also, if we do a tcpdump on the external interface of the firewall for the host address connecting (not the VPN gateway address), would we see this, or is this within the tunnel and the only thing we should see is ISAKMP? The reason I ask is that we do see on the external interface connections on, say, port 3389; surely this is not right.

Thanks

Scanned by Check Point Total Security Gateway.

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to lists...@amadeus.us.checkpoint.com
in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email fw-1-ow...@ts.checkpoint.com
=================================================