Hi,

I haven't tried ISA-to-Check Point but VPN is a standard so they both should
be able to communicate. I suppose there aren't any ACLs in the devices in
the middle.

If 3389 is part of the encrypted services then you should not be able to see
that in the external interface of CP as that should be in the tunnel.

If you haven't done so, you can install pcap in ISA then use windump to do a
"tcpdump" on the internal interface to see the traffic.

Sorry I'm not much help, but I do hope you get this working!

Joseph

On Wed, Dec 29, 2010 at 6:27 PM, Peter Addy <wavema...@yahoo.com> wrote:

> Hi,
>
> Has anyone out there had any experience with setting up a VPN between a
> Checkpoint NGX R65 and a Microsoft ISA Firewall, Threat Management Gateway
> 2010?
>
> We have configured our Checkpoint as usual but with tunnel management set
> as per host.
>
> Strange thing is we can do the key exchange, exchange hosts, and can even see
> the application being tested incoming. The packets come into our firewall and
> are then decrypted, this then NATs correctly and so forth to the destination
> server, so all looks fine.
>
> I even do a tcpdump on the internal interface on our firewall and can see
> packets being exchanged between the translation source IP and translated
> destination server; however, the user does not get any response back.
>
> If all looks fine and address translation is happening and we do not see any
> errors in our logs, then does anyone please know what might be the problem?
>
> Has anyone out there had any experience with setting up a VPN between a
> Checkpoint NGX R65 and a Microsoft ISA Firewall?
>
> We have configured our Checkpoint as usual but with tunnel management set
> as per host for this one device.
>
> The user below gets the messages in his ISA Firewall log:
>
> Log type: Firewall service
> Status: A connection was closed because no SYN / ACK response is received
> from the server
>
>
> Log type: Firewall service
> Status: A connection attempt failed because the connected party did not
> properly respond after a certain period of time, or established connection
> failed because connected host has failed to respond
>
> Is there anything I have missed? Why would the user not get a response back?
>
> Also, if we do a tcpdump on the external interface of the firewall for the host
> address connecting, not the VPN gateway address, would we see this, or is this
> within the tunnel and the only thing we should see is ISAKMP? The reason I ask is
> that we do see connections on the external interface on, say, port 3389; surely
> this is not right.
>
> Thanks
>
> Scanned by Check Point Total Security Gateway.
>
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to lists...@amadeus.us.checkpoint.com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-ow...@ts.checkpoint.com
> =================================================
>
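
An added example, not part of the original thread: a small Python check that sorts `tcpdump -n` text output from the gateway's external interface into tunnel traffic (ESP, NAT-T), IKE/ISAKMP negotiation, and packets for a service that is expected to be inside the tunnel (3389 here). The capture lines, addresses and function names are constructed for illustration, and the parser assumes IPv4 with numeric ports.

```python
import re
from collections import Counter

# Constructed `tcpdump -n` lines (documentation-range addresses), as they might
# look on the gateway's external interface. Not taken from the thread.
SAMPLE = """\
12:00:01.000001 IP 198.51.100.10.500 > 203.0.113.5.500: isakmp: phase 1 I ident
12:00:02.000001 IP 198.51.100.10 > 203.0.113.5: ESP(spi=0x1a2b3c4d,seq=0x1), length 116
12:00:03.000001 IP 198.51.100.10.4500 > 203.0.113.5.4500: UDP-encap: ESP(spi=0x1a2b3c4d,seq=0x2), length 120
12:00:04.000001 IP 192.0.2.20.51515 > 203.0.113.80.3389: Flags [S], seq 1, win 8192, length 0
12:00:07.000001 IP 192.0.2.20.51515 > 203.0.113.80.3389: Flags [S], seq 1, win 8192, length 0
"""

LINE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")

def endpoint(text):
    """Split 'a.b.c.d.port' into (ip, port); ESP lines carry no port."""
    parts = text.split(".")
    if len(parts) == 5 and parts[4].isdigit():
        return ".".join(parts[:4]), int(parts[4])
    return text, None

def classify(line, protected_ports):
    """Return (kind, src, dst) with kind in tunnel/ike/cleartext/other."""
    m = LINE.match(line)
    if not m:
        return "other", None, None
    src, dst, rest = m.groups()
    sport, dport = endpoint(src)[1], endpoint(dst)[1]
    if "ESP(" in rest:                       # native ESP or NAT-T (UDP 4500)
        return "tunnel", src, dst
    if {sport, dport} & {500, 4500}:         # IKE / ISAKMP negotiation
        return "ike", src, dst
    if {sport, dport} & protected_ports:     # service that should be encrypted
        return "cleartext", src, dst
    return "other", src, dst

def audit(capture, protected_ports=(3389,)):
    """Count packet kinds and list flows seen unencrypted on the outside."""
    counts, leaks = Counter(), set()
    for line in capture.splitlines():
        kind, src, dst = classify(line, set(protected_ports))
        counts[kind] += 1
        if kind == "cleartext":
            leaks.add((src, dst))
    return counts, sorted(leaks)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Any flow returned in the second element was captured outside ESP on the external interface and is worth comparing against the encryption domain and NAT rules configured on each gateway.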
