No ping response over site-to-site connection between Cisco 876 and Check Point firewall

Hello!

We are trying to create a site-to-site IPsec connection between a Cisco 876 (local site) and a Check Point firewall (remote site). The Cisco 876 is not directly connected to the internet; it is behind an ADSL router with port forwarding of ports 500 and 4500. The running configuration of the Cisco 876 is attached to this thread. Unfortunately, I get no results when debugging the connection with the commands "debug crypto isakmp" and "debug crypto ipsec".

From the point of view of Checkpoint firewall the connection seems to be implemented, but there is no response from ping.

The server in the local site to be achieved since the network behind the firewall Checkpoint has a routing entry "PEI route add [inside the ip-net Remote] 255.255.255.0 [inside the premises of intellectual property]" (see also annex current config name ip addresses).

Establishing a VPN Cisco Client connection to the same router Cisco 876 works very well.

Any help would be much appreciated!

Jakob J. Blaette

Hi Jakob,

Add my two cents here.

You should always verify that the following ports and protocol are open:

1 - UDP port 500 --> ISAKMP

2 - UDP port 4500 --> NAT-T

3 - Protocol 50 --> ESP

A LAN-to-LAN tunnel will never establish a TCP session, but it could use NAT-T (if behind a NAT). Remember that a single translation isn't a port forwarding; a LAN-to-LAN tunnel is not good unless you have a one-to-one translation of the NATted device, which I think, in your case the router is working.

HTH.

Portu.

Please note all useful messages and mark this message as a response.
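
The port and protocol list above can be checked against a packet capture taken on the router's WAN side. The following Python sketch is an added example, not part of the original posts: it classifies UDP payloads on ports 500 and 4500 the way RFC 3948 distinguishes them (IKE behind a four-zero-byte non-ESP marker, ESP-in-UDP, one-byte NAT keepalive) and summarises which direction carries tunnel data. The capture tuples, the verdict strings, and the sample bytes are constructed for illustration.

```python
import struct
from collections import Counter

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # fixed ISAKMP header (RFC 2408), 28 bytes
EXCHANGES = {2: "main-mode", 4: "aggressive-mode", 5: "informational", 32: "quick-mode"}
NON_ESP_MARKER = b"\x00" * 4               # prefixes IKE messages on UDP 4500 (RFC 3948)


def parse_isakmp(data):
    """Decode the fixed header of an IKEv1 message."""
    if len(data) < ISAKMP_HDR.size:
        return {"kind": "malformed"}
    _ic, _rc, _nxt, version, xchg, flags, msg_id, length = ISAKMP_HDR.unpack_from(data)
    return {"kind": "ike",
            "version": f"{version >> 4}.{version & 0x0F}",
            "exchange": EXCHANGES.get(xchg, f"type-{xchg}"),
            "encrypted": bool(flags & 0x01),
            "message_id": msg_id,
            "length_ok": length == len(data)}


def classify(port, payload):
    """Classify one UDP payload by the IPsec-side port it used (500 or 4500)."""
    if port == 500:
        return parse_isakmp(payload)
    if port != 4500:
        return {"kind": "other"}
    if payload == b"\xff":
        return {"kind": "nat-keepalive"}
    if payload[:4] == NON_ESP_MARKER:
        return parse_isakmp(payload[4:])
    if len(payload) < 8:
        return {"kind": "malformed"}
    spi, seq = struct.unpack_from("!II", payload)  # ESP header: SPI, sequence number
    return {"kind": "esp-in-udp", "spi": f"0x{spi:08x}", "seq": seq}


def diagnose(datagrams):
    """datagrams: iterable of (direction, port, payload); direction is 'out' or 'in'."""
    seen = Counter()
    for direction, port, payload in datagrams:
        seen[(classify(port, payload)["kind"], port, direction)] += 1
    ike_any = sum(n for (kind, _, _), n in seen.items() if kind == "ike")
    ike_4500 = sum(n for (kind, port, _), n in seen.items() if kind == "ike" and port == 4500)
    esp_out = seen[("esp-in-udp", 4500, "out")]
    esp_in = seen[("esp-in-udp", 4500, "in")]
    if not ike_any:
        return "no-ike"                # negotiation never reached this capture point
    if not ike_4500 and not (esp_out or esp_in):
        return "ike-stayed-on-500"     # no NAT-T: data would be native ESP (protocol 50)
    if esp_out and esp_in:
        return "esp-both-ways"
    if esp_out:
        return "esp-out-only"          # local side encrypts, nothing comes back
    if esp_in:
        return "esp-in-only"           # remote side encrypts, local side sends nothing
    return "no-esp"


def build_ike(xchg, flags=0, body=b""):
    """Build a constructed IKEv1 message; cookies and body are dummy bytes."""
    total = ISAKMP_HDR.size + len(body)
    return ISAKMP_HDR.pack(b"I" * 8, b"R" * 8, 1, 0x10, xchg, flags, 0, total) + body


# Constructed capture: IKE floats from 500 to 4500, then ESP flows outbound only.
SAMPLE = [
    ("out", 500, build_ike(2)),
    ("in", 500, build_ike(2)),
    ("out", 4500, NON_ESP_MARKER + build_ike(2, flags=1, body=b"\xaa" * 40)),
    ("in", 4500, NON_ESP_MARKER + build_ike(2, flags=1, body=b"\xaa" * 40)),
    ("out", 4500, NON_ESP_MARKER + build_ike(32, flags=1, body=b"\xbb" * 60)),
    ("in", 4500, NON_ESP_MARKER + build_ike(32, flags=1, body=b"\xbb" * 60)),
    ("out", 4500, b"\xff"),
    ("out", 4500, struct.pack("!II", 0x1A2B3C4D, 1) + b"\xcc" * 64),
    ("out", 4500, struct.pack("!II", 0x1A2B3C4D, 2) + b"\xcc" * 64),
]

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A verdict of "esp-out-only" or "esp-in-only" matches the symptom in this thread (tunnel reported up, no ping reply) and points at routing, interesting-traffic ACLs, or filtering on the silent side. Native ESP (protocol 50) has no UDP ports, so a port-forwarding rule for 500 and 4500 cannot carry it when the verdict is "ike-stayed-on-500".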

Tags: Cisco Security

Similar Questions

  • Connection between Windows media center and Xbox is lost when you try to watch movies

    I start watching movies via the windows media center and after a few minutes it turns off and it says that the connection between my pc and the xbox has been lost, I have previously watched movies like this with no problems and have not changed the settings of any sort help it would be appreciated

    Hi samperry,

    What is the exact error message you receive?

    Method 1: You can follow the steps mentioned in the article below
    What happens if the connection to the Windows Media Center computer is lost?

    Method 2:  You can see the steps outlined in the article below, which deals with a similar question

    Error: Session Terminated (when connecting a console Xbox 360 to a computer running Windows Media Center)
    http://support.Microsoft.com/kb/911123

  • Help with a variety of questions from site Web/mobile app. (Advice and assistance)

    Hello, my cousin today asked me for help with his business. He wants a website and a mobile application for his company. Now here's the thing. I know how to create a very simple Web site. This isn't a problem. but he wants people to be able to assess the services he wants to be able to report on the Web site so they can comment, send messages, the whole nine yards. He also wants people to be able to pay via the website using norton scan security. Now, I have no idea how to do that. And did I mention that he wants an app? So I do not expect an answer, step by step the "end to end" on the creation of a Web site. To start with. Is this kind of thing, possible using programs compared to the creative clouds? Is it possible to create an app? What happened to create a way for people to pay via the website? I just want to help in being directed to the right direction in this learning experience. Then, where I start, this kind of thing is still possible? where should I go? where can I learn? ect. Any help and advice is highly appreciated and welcomed. So please if you have something to say. I'm listening.

    Thank you, the community.

    The first thing I would ask that your cousin is timeline... He asks a little... it is a great project that could have involved more than one person, especially if he wants a custom application.

    Cost would also be an important factor in accepting this type of work, how do you charge him if you don't know even how to do most of these things... As you say, you don't have any idea how to make the most of this work, and I think there's a big learning curve with some of the things he asks.

    But if he has the time and money and you have the time and practice to learn, there are cloud programs to create out there who can do whatever he wants.

  • Site to Site VPN between ISR4331(Data Center) and 25 branches with RV042 and dynamic public IP address

    Hi, we just got an ISR4331 router. We will use this router in our datacenter as pummel hub. Not to mention that it will have the static IP address. Our goal is to connect 30 small offices to the datacenter by site-to-site VPN. All of our offices have an RV042 router and a DSL connection, so a dynamic public IP. How do we accomplish this task? Before the VPN connection is stable and the need not to configure tunnels frequently.

    Thank you

    GM

    Hello

    Please check the config below:

    HUB:

    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
     lifetime 86400
    ! Wildcard peer address, since the remote routers have dynamic public IP addresses
    crypto isakmp key secretkey address 0.0.0.0 0.0.0.0

    Describe your interesting traffic. Note that I have specified it for both tunnels, but basically it will be the same for the rest, except for the destination. For example, I used 192.168.1.0/24 and 192.168.2.0/24. You will need to replace them with your existing installation.

    ip access-list extended TUN1
     permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    ip access-list extended TUN2
     permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

    Create your Phase 2 policy

    crypto ipsec transform-set TS esp-3des esp-md5-hmac
    crypto map S2STUN 1 ipsec-isakmp dynamic HUB_TUN
    crypto dynamic-map HUB_TUN 10
     set security-association lifetime seconds 86400
     set transform-set TS
     match address TUN1
    !
    crypto dynamic-map HUB_TUN 11
     set security-association lifetime seconds 86400
     set transform-set TS
     match address TUN2

    Now apply the crypto map to your WAN interface

    interface gi0/1
     crypto map S2STUN

    Now configure your remote routers

    Remote router 1

    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
     lifetime 86400
    !
    ! Replace x.x.x.x with the public IP address of the hub
    crypto isakmp key secretkey address x.x.x.x
    !
    ip access-list extended TUNNEL-TRAFFIC
     permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    !
    crypto ipsec transform-set TS esp-3des esp-md5-hmac
    !
    crypto map TUN_TO_HUB 10 ipsec-isakmp
     ! Replace x.x.x.x with the public IP address of the hub
     set peer x.x.x.x
     set transform-set TS
     match address TUNNEL-TRAFFIC
    !
    interface gi0/1
     crypto map TUN_TO_HUB

    Remote router 2

    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
     lifetime 86400
    !
    ! Replace x.x.x.x with the public IP address of the hub
    crypto isakmp key secretkey address x.x.x.x
    !
    ip access-list extended TUNNEL-TRAFFIC
     permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
    !
    crypto ipsec transform-set TS esp-3des esp-md5-hmac
    !
    crypto map TUN_TO_HUB 10 ipsec-isakmp
     ! Replace x.x.x.x with the public IP address of the hub
     set peer x.x.x.x
     set transform-set TS
     match address TUNNEL-TRAFFIC
    !
    interface gi0/1
     crypto map TUN_TO_HUB

    HTH.
    Evaluate the useful ticket.
    Kind regards
    Terence
  • HP Officejet Pro 8600: No Wifi connection between the computer laptop and HP printer

    Hi, I just added W10 os for my laptop, I was on os W7, work system very well, my printer is Office Jet Pro 8600, both laptop and printer are connected to my wireless router, but my laptop cannot find my printer, I misplaced my original disc, can anyone advise me on what it takes to please. TIA

    Hi @Rockabilly,

    I was able to locate the software you're looking for, but from your description, not having is not the software may not be the question. I will first provide you with the software, then if you continue to have problems, let me know and we can go from there.

    Printers HP Officejet Pro 8600 Plus and Premium e-All-in-One

    E-all-in-one printer, HP Officejet Pro 8600 - N911a

    Alternatively, you can also download and run the HP printer install wizard for Windows

    The HP printer for window installation wizard was created to help users download and install the latest and most appropriate HP software solution for their HP printer.

  • DeskJet 6940: ethernet connection between the new modem and printer does not transmit Mac

    I just installed a new modem to Qwest; It works wirelessly with my iMac 10.11. My old (but functional until yesterday) Deskjet 6940 is connected to the modem via Ethernet. When I try to print, the document seems to be transmitted to the printer, but then it hangs on and I get the message "the printer is not connected" - which it is, plugged, ethernetted, and set in motion. Support of Qwest says that only 10% of the info from the computer are the printer, but he seems to think that the part of the new modem Ethernet is functional,

    I have already tried all unplug/restart/send/add printer new check/updates / IP (cannot connect) / ethernet ports and cables, etc.

    Any other ideas?

    Thank you!

    Hi @newgranny,

    Thanks for getting back to me.

    It is good that the printer has been able to print a diagnostic page.

    Ensure that the router and firewall on the market do not block these ports.

    Ports of printing:

    • UDP ports: 427, 137, 161
    • TCP port: 9100

    Card photo upload:

    • UDP ports: 137, 138, 427
    • TCP port: 139

    The HP device status:

    • UDP port: 161

    Ports of Web Services:

    • UDP and TCP: 80, 443, 5222 and 5223

    Hello Ports:

    • TCP and UDP: 5353 and 5297, 5298

    Unplug the wired network (ethernet cable), restore the default values on the printer.

    Restore the default settings.

    Follow these steps to reset the printer to factory default settings:

    1. check that the printer is on.

    2. press and hold down the button to report Page.

    3 while holding down three times the homepage button, press the Cancel button.

    4. release the report Page button.

    Source

    • Restart the printer.
    • Connect the ethernet cable.
    • What were the results?

    If the problem persists, try the USB connection.

    Please reply to this message with the results. Good luck!

  • Failed to get the connection between the router WRT54GS and roku

    Hello

    I am new to this. How can I get my router to connect to roku.

    When I enter my password router Roku he can't find the router. And when I use Cisco Network Magic, it does not find the Roku device.

    Thank you... I didn't was not completely able to get in... but I found that my personal wpa password was different from what I used... and then I've always had trouble getting in... but this has certainly helped.

    I entered the MAC address and then I was in!

    I am so grateful to all who have contributed and are looking for me and we all in this forum

  • Establishing a socket connection between a .swf file and a current-test program (TCP/IP generator - Windows), in AS3.

    I have a problem with a college project, I'm trying.

    Using Actionscript 3, I did a program simple .swf, a smiley face, lively and interactive, which "reacts" number entered in an input box.

    For purposes of this project, I now do the framework for establishing a connection socket with the smiley .swf and another program.

    That's where I run into problems. I have very little knowledge of the AS3 programming, so I'm not sure how the connection - what is required for it, it is.

    To test the connection, I try to use the "TCP/IP builder" program for windows, which allows me to set up a server socket. I need to program the .swf file into a client - to recognize, connect to it, then be able to receive data (so that data then allows for the smiley "react" him--like how he does now with the input-box, 'automatically' as it gets the data, rather than by manual input).

    My attempts at codification it are as follows, with the help of a tutorial (link HERE):

    // INSERT HERE THE SOCKET STUFF

    //****************************************************************

    import flash.net.XMLSocket;
    import flash.events.*;

    var socket:XMLSocket;

    stage.addEventListener(MouseEvent.CLICK, doConnect);

    // It connects to the local port 9001 and applies event listeners
    function doConnect(evt:MouseEvent):void
    {
        stage.removeEventListener(MouseEvent.CLICK, doConnect);
        socket = new XMLSocket("127.0.0.1", 9001);
        socket.addEventListener(Event.CONNECT, onConnect);
        socket.addEventListener(IOErrorEvent.IO_ERROR, onError);
    }

    // This traces the connection (allows us to see what has happened or failed)
    function onConnect(evt:Event):void
    {
        trace("Connected");
        socket.removeEventListener(Event.CONNECT, onConnect);
        socket.removeEventListener(IOErrorEvent.IO_ERROR, onError);
        socket.addEventListener(DataEvent.DATA, onDataReceived);
        socket.addEventListener(Event.CLOSE, onSocketClose);
        stage.addEventListener(KeyboardEvent.KEY_UP, keyUp);
    }

    function onError(evt:IOErrorEvent):void
    {
        trace("Connection failed");
        socket.removeEventListener(Event.CONNECT, onConnect);
        socket.removeEventListener(IOErrorEvent.IO_ERROR, onError);
        stage.addEventListener(MouseEvent.CLICK, doConnect);
    }

    // Here, Flash checks which keyboard key was pressed.
    // If you press 'q', the connection ends.
    function keyUp(evt:KeyboardEvent):void
    {
        if (evt.keyCode == 81) // key code for q is 81
        {
            socket.send("exit");
        }
        else
        {
            socket.send(evt.keyCode);
        }
    }

    // It must manage the data that we get from the server.
    function onDataReceived(evt:DataEvent):void
    {
        try {
            trace("Server:", evt.data);
        }
        catch (e:Error) {
            trace("error");
        }
    }

    function onSocketClose(evt:Event):void
    {
        trace("Closed connection");
        stage.removeEventListener(KeyboardEvent.KEY_UP, keyUp);
        socket.removeEventListener(Event.CLOSE, onSocketClose);
        socket.removeEventListener(DataEvent.DATA, onDataReceived);
    }

    Trying to connect to the socket gives me no result (other than a "Connection failed" message when I click the .swf) or the following error message:

    Error #2044: unhandled securityError:. text = Error #2048: security sandbox violation: file:///C|/Users/Marko/Desktop/Završni/Flash%20documents/Smiley%5FTCP%5FIP%5Fv4.swf cannot load data from 127.0.0.1:9001.
    to the Smiley_TCP_IP_v4_fla::MainTimeline/doConnect()()[. Smiley_TCP_IP_v4_fla ] [MainTimeline: frame1:12]

    127.0.0.1 could be supported through your HTTP software, I'm not familiar with the tool you are using. It could also have been show in your hosts file (in Windows you will find here: C:\Windows\System32\drivers\etc). Check to see if something is the substitution of 127.0.0.1 (local loop).

    Apart from that, I've given you source to a rapid AIR server that has just opened a listener to 127.0.0.1:8910 so you would need no other tools to test the client, even if you have a. I just include the source and a product AIR installer so you can reproduce them to see that I do anything malicious. The Server.air file must be "installed" to test it. When you double-click it, it is a Setup. He moved to C:\Program Files (x 86) \Server (should have called something less common in hindsight). It also has a checkbox to run it after installation. If you don't you will see the server pop up a standard window of 550 x 400 with a text inside the box there letting you know that it is listening. Everything connects, messages (channels) and disconnects the will displayed in the Server text box.

    The customer is the only SWF file, you must run, after 'something' listening on the IP address and port configure you with.

    Here is a picture to show you the server is not running in the same folder the SWF did, tell the server and it only run the client exactly how I should it look like all together:

    I'll show you that after running the Server.air Installer, here is the the path of the executable file is running from and the client SWF isn't here. No problem connecting despite being in different places.

    The server is running and says that it is listening on 8910. Feel free to modify the source and reproduce for a different IP/port.

    - I open the Client.FLA and just run it. It creates a new socket, adds listeners, and connects to 127.0.0.1:8910.

    - The server responds that it sees and accepts the client connection. The server sends a message "connected." (10 bytes) to the client immediately.

    - The client receives the data (String) and traces it. The client sniffs for this specific message, and then sends the server a string "thanks for the connection!"

    - The server receives it and is coded only to echo the string as "Echo - thank you to connect!" back, to check that the string is correct.

    - The client receives the server's echo (30 bytes) and traces it.

  • Connection between Plantronics pulsar 590 and advent Toshiba Blootooth USB2 stack class 1

    I tried the following in both windows xp / and vista 64 using the relevant drivers found here worm 5.10.01
    http://APS.toshiba-tro.de/Bluetooth/pages/download.php

    Unfortunately, I get the same problem each time.

    After installing the software I match my helmet on the bluetooth receiver, it by default 0000, sometimes it matches sometimes it breaks down I don't know why.

    While using the bluetooth for windows software stack I see my device bluetooth and double left click to establish the connection.
    Green and yellow pipes connection icon light upwards and the unit begins to operate but between 20-25 second later the connection drops leaving only a gray helmet icon, he does this every time and so far I have not been able to use my headset.

    I tested the headset with a bluetooth phone and everything works very well and took the floor for plantronics who informed me to contact toshiba, I tried to talk to Toshiba support, but they say that they do not support the product. The headphone and usb battery is new.

    The product of the stack of blue tooth code is P/N-ADE-C1EDR.

    I'm not on a wireless network, but I have a logitech mx900 bluetooth mouse and a Logictech G7 wireless mouse.
    I tried the blue tooth usb device in different USB2 locations, including a new PCI USB2 card that I added.

    If anyone can help suggest to fix my problem, I'll be extremely Grateful.

    Thanks in advance

    Toshiba BT-Stack to take home and use the one in XP SP2 or Vista, inbuild. I recently bought a mouse V270 and couldn t install the program Logitech that I needed and I had trouble with the Nokia PC Suite as well. Now, I went to the BT-stack inbuild Vista (XP as well) and all problems are gone!

  • Network connection between Windows 7 Pro and Windows XP Pro wireless

    Nice day.

    I am trying to connect to a Windows XP pro to a home wireless network, hosted by a pc Windows 7 Pro. I can see all the other PCs on the XP pc but cannot get them to connect. When I click the icon for the Windows 7 pc and try to log in (open) he asks a user name and password but I don't know what is the user name. I guess the password is generated by the computer windows 7, when I set up the homegroup. Would you please advise me on what to do to make this work. Thank you.

    Hi ArnBas,

    Looks like you are facing a problem with network computers. I came to find this documentation for you who speaks the networking of the various versions of the computers.

    Just through the same thing and check if everything is fine with the settings. Also, take a look at this very useful information.

    I hope this helps!

  • Remote Desktop connection between my Windows 7 and a new friends Windows 8.1

    Hello. My friend just got his first computer and is completely lost. She has absolutely no experience with a computer and a computerphobe of full tilt. We are 400 miles away and tried to help him by phone with little luck. To make things worse, I think that someone in which she rose to set his computer did not understand 8.1 either. I've been computing for a long time and have studied 8.1 and feel comfortable with it. But I never configured before remote connection and am unsure of certain things.

    First the operating environment:

    My computer: Inspiron 560 s under Windows 7 Home Premium.

    I'm on a home using Netgear network. I'm not using a wifi connection.

    His new computer: desktop HP Pavilion Slimline model 300-413 running Windows 8.1.

    I'm not sure of its network connections.

    Note: I use this to 8.1 as a guide (the link opens the guide for Windows 7...? But I use the guide for 8.1)... http://Windows.Microsoft.com/en-us/Windows/Remote-Desktop-connection-FAQ#1TC=Windows-8

    I think I can happen by steps 1.a. to 1.e. without any difficulty.

    Now the questions:

    1. in step 1.e.1. regarding 'Locations', I don't know what are the options it will present with or should I tell him to choose?

    2. to step 2.b. on the 'system', I know that she must see 'Computer name' and 'Working group', but I'm not sure what she's going to see in which area '? This does not appear on my version of Windows 7.

    3. If I can talk to him through this, she will be able to watch what I'm doing on his monitor?

    Please keep in mind that it is a perfect beginner so no instructions to its end should be as simple as possible, and I am new to 8.1 and uncertain as to what exactly she will see during the installation.

    She told me yesterday that she is so frustrated that she's almost ready to throw it all in the street and forget it. So any help and advice would be greatly appreciated. Thank you.

    Mark

    We can help you help questions.  Frankly McAafee exhale is a good thing IMHO.  I would never use it for multiple reasons

    It can remove using this program to uninstall McAfee and use Microsoft Security essentials

    McAffe often contributes to BSOD

    I remove and replace it with Microsoft Security Essentials

  • connection between hp j3600 printer and the computer has been lost, how do restore you it?

    worked very well, yesterday.  connections verified.

    Have you restarted your computer?

    If it's a USB printer, try another port.

    Also make sure that the connection to the female port the printer fixed correctly and check to make sure that the male end is not twisted or damaged.

  • Establish connectivity between storage ESX3.5 and windows Server 2003

    Hello

    I installed the server on HP Blade BL 460c ESX3.5 evaluation copy which has 60 GB of space. I have HP AIO 600 box with 1 TB of capacity and running win2k3 server OS storage. I want to use partion on HP AIO 600 box for all my vitual servers.

    How can I configure NFS partion on the storage win2k3 server and add on ESX3.5 server so that I can even use all virtual servers?

    Do not know the server storage, but I guess that NFS is what you would use

    Check

    http://www.RTFM-ed.co.UK/?p=228

    http://VMblog.com/archive/2007/01/23/using-Windows-based-NFS-in-VI3.aspx

  • SR520, ping response

    Hello

    Not very familiar with the ZBF on the SR520; can anyone please provide me with a configuration allowing the SR520 to send ping replies?

    Concerning

    Eivind

    Zone firewall configuration can be confusing, especially if one is used to the old configuration of the CBAC-type FW.

    Your best resource for this problem is the

    Zone-Based Policy Firewall Design and Application Guide

    http://www.Cisco.com/en/us/products/sw/secursw/ps1018/products_tech_note...

    Annex B has an example configuration that would allow ping responses.

    There are four basic steps to set up the firewall.

    (1) define zones

    (2) define the class maps to identify traffic between zones

    (3) create a policy map that defines the action to be taken per class

    (4) set up the zone pair and apply the policy

    In Annex B, you'll see the class map specifying which traffic to inspect. The names of the class map and policy-map could be anything.

    class-map type inspect match-any L4-inspect-class
     match protocol tcp
     match protocol udp
     match protocol icmp

    The policy map here indicates what action to take, and in this case, the only action is to 'inspect'.
    If it was 'drop', the connection would be denied.

    policy-map type inspect clients-servers-policy
     class type inspect L4-inspect-class
      inspect

    Hopefully that helps!

    Addis

  • Network connections between VM and host is slow?

    I have problems with the speed between the host and the VM, connections is limeted and very slow. I'll open the file and copy and it's slowly. My OS is VISTA Business and VM on XP SP3. Connection between VM card is limited to me and see that trafficking is not very practical. If this can be rectified and speed up the connection between the virtual machine and the host.

    As I have written, you can use both at the same time. Just add a host connection only to the guest and make sure name resolution, host name (and the name of the client to the host) using the IP addresses assigned by DHCP VMWare Server for the host only (VMnet1, default) connection. The file "\system32\drivers\etc\hosts" ensures that this connection will be used, for example.
