From: Ashok Gupta (ashok.gupta@gmconsultants.com)
Date: Tue Apr 15 2003 - 16:12:47 GMT-3
Hi All,
I hope someone can help me.
The tunnel is establishing between the Checkpoint and the Cisco router.
Packets are reaching router R1 from the Checkpoint,
but packets from the router are not reaching the Checkpoint firewall. I wonder if
someone has come across this.
*Mar 1 00:33:26.271: ICMP: dst (158.43.128.1) host unreachable sent to 192.168.200.111
*Mar 1 00:33:28.275: ICMP: dst (172.20.100.100) host unreachable sent to 192.168.200.111
*Mar 1 00:33:29.775: ICMP: dst (172.20.100.100) host unreachable sent to 192.168.200.111
*Mar 1 00:33:31.279: ICMP: dst (172.20.100.100) host unreachable sent to 192.168.200.111
I have pasted the config below of R1
Network
PC1-----------L1---------R1-------------C1-----------------L2---------PC2
PC1=192.168.200.111
L1= LAN behind R1 router
R1= Cisco 1721
C1= Checkpoint firewall NG3 on a nokia box
L2= Lan behind checkpoint firewall
PC2= 172.20.100.100
sh ver of R1
cisco 1721 (MPC860P) processor (revision 0x100) with 82470K/15834K bytes of memory.
Processor board ID FOC07060EMW (1942281137), with hardware revision 0000
MPC860P processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
Basic Rate ISDN software, Version 1.1.
1 FastEthernet/IEEE 802.3 interface(s)
1 ISDN Basic Rate interface(s)
1 ATM network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write
Config on R1
conrtr1#sh run
Building configuration...
Current configuration : 1997 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname conrtr1
!
!
ip subnet-zero
!
!
no ip domain lookup
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.200.1 192.168.200.109
!
ip dhcp pool A
network 192.168.200.0 255.255.255.0
dns-server 172.20.100.108 158.43.128.1
netbios-name-server 172.20.100.100 172.20.100.103
default-router 192.168.200.1
domain-name a.org.uk
netbios-node-type h-node
!
ip audit notify log
ip audit po max-events 100
!
isdn switch-type basic-net3
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 1800
crypto isakmp key aptrules address 195.194.51.104
!
!
crypto ipsec transform-set aptset esp-3des esp-md5-hmac
!
crypto map aptmap 1 ipsec-isakmp
set peer 195.194.51.104
set transform-set aptset
match address 110
!
!
!
!
interface ATM0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface BRI0
no ip address
encapsulation ppp
isdn switch-type basic-net3
ppp authentication chap
!
interface FastEthernet0
ip address 192.168.200.1 255.255.255.0
ip nat inside
speed auto
!
interface Dialer1
ip address 217.34.49.144 255.255.255.254
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp chap hostname xxxxx@xxxx.btclick.com
ppp chap password 0 xxxxx
crypto map aptmap
!
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
no ip http server
!
!
access-list 110 permit ip 192.168.200.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 120 deny ip 192.168.200.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 120 permit ip 192.168.200.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
match ip address 120
!
ip router rip
version2
network 192.168.200.0
network 172.20.0.0
!
ip route 0.0.0.0 0.0.0.0 route Dialer1
!
!
line con 0
line aux 0
line vty 0 4
login
!
no scheduler allocate
end
Thanks
Ashok Gupta
CCIE#10516