Re: PAT IPSec-FW Issue

From: Farrukh Haroon <farrukhharoon_at_gmail.com>
Date: Thu, 4 Jun 2009 13:30:08 +0300

You are mixing two different IOS features, i.e. "IPSec passthrough" and "NAT
Traversal (NAT-T)". Since you are dealing with another vendor's device,
configure NAT-T, as IPSec Passthrough is a vendor-specific technology. Have
a look at this link:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094ecd.shtml

Just make sure it's enabled on the Check Point side also. It's enabled on
Cisco routers by default starting with release 12.2(13)T.

Regards

Farrukh

2009/6/4 WW)W WWWW W <eshedalonie_at_gmail.com>

> My mistake of the Topology
>
> FW(192.168.1.1)----->(192.168.1.2)Router(80.1.1.1)
>
> 2009/6/3 Ryan West <rwest_at_zyedge.com>
>
> > Hello,
> >
> > I'm not sure if I follow your scenario, are you trying to establish phase 1
> > using the public address of 80.1.1.1 to an internal router at 192.168.1.1?
> > Forwarding ISAKMP and ESP to the internal host should work, are you sure you
> > aren't listening for IKE packets on R2 external interface?
> >
> > -ryan
> >
> > -----Original Message-----
> > Subject: PAT IPSec-FW Issue
> >
> > I have tried today to make PAT IPSec to a checkpoint FW, but without
> > success.
> >
> > R1(192.168.1.1) ----->(192.168.1.2) R2 (80.1.1.1)
> >
> > ip nat inside source static tcp 192.168.1.1 500 80.1.1.1 500
> > ip nat inside source static udp 192.168.1.1 500 80.1.1.1 500
> > ip nat inside source static udp 192.168.1.1 4500 80.1.1.1 4500
> > ip nat inside source static esp 192.168.1.1 80.1.1.1
> >
> > Has anyone ever tried to configure this even without a Checkpoint FW -
> > could be ASA or any other FW vendor?

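The thread turns on which protocols and ports the static PAT entries actually forward for an IPsec peer behind the router: IKE on UDP 500, NAT-T on UDP 4500 (which also carries UDP-encapsulated ESP), and plain ESP (IP protocol 50) only when NAT-T is not in effect. The following script is an added example, not code from anyone in the thread: it parses IOS `ip nat inside source static` lines and reports what is missing or unnecessary for each mode. The sample configuration is constructed from the lines quoted above (including the `ucp` typo as originally posted); the function and constant names are my own.

```python
"""Check IOS static PAT entries for an IPsec peer behind the router (added example)."""
import re

# Transport requirements of an IPsec endpoint behind static PAT (standards-based):
#   IKE/ISAKMP -> UDP 500
#   NAT-T      -> UDP 4500 (IKE and UDP-encapsulated ESP, RFC 3947/3948)
#   plain ESP  -> IP protocol 50, no ports; only needed when NAT-T is not used
IKE_PORT = ("udp", 500)
NAT_T_PORT = ("udp", 4500)
KNOWN_PROTOS = {"tcp", "udp", "esp"}

# ip nat inside source static {tcp|udp} local lport global gport
# ip nat inside source static esp local global
STATIC_RE = re.compile(
    r"^ip nat inside source static\s+(?P<proto>\S+)\s+(?P<local>\S+)"
    r"(?:\s+(?P<lport>\d+))?\s+(?P<glob>\S+)(?:\s+(?P<gport>\d+))?\s*$"
)

# Constructed sample: the lines as posted in the thread, typo included.
THREAD_CONFIG = """
ip nat inside source static tcp 192.168.1.1 500 80.1.1.1 500
ip nat inside source static udp 192.168.1.1 500 80.1.1.1 500
ip nat inside source static ucp 192.168.1.1 4500 80.1.1.1 4500
ip nat inside source static esp 192.168.1.1 80.1.1.1
"""

# Constructed sample: the same lines with the protocol keyword corrected.
FIXED_CONFIG = THREAD_CONFIG.replace("static ucp", "static udp")


def parse_static_nat(config: str):
    """Return (entries, bad_lines) for the static NAT lines in an IOS config."""
    entries, bad = [], []
    for line in config.splitlines():
        line = line.strip()
        if not line.startswith("ip nat inside source static"):
            continue
        m = STATIC_RE.match(line)
        if not m or m["proto"] not in KNOWN_PROTOS:
            bad.append(line)  # unparseable or unknown protocol keyword
            continue
        entries.append({
            "proto": m["proto"],
            "local": m["local"],
            "lport": int(m["lport"]) if m["lport"] else None,
            "global": m["glob"],
            "gport": int(m["gport"]) if m["gport"] else None,
        })
    return entries, bad


def check_ipsec_pat(config: str, nat_t: bool = True) -> dict:
    """Report errors (blocking) and warnings (harmless) for an IPsec PAT setup."""
    entries, bad = parse_static_nat(config)
    errors = [f"unparseable or unknown protocol: {line!r}" for line in bad]
    warnings = []
    # (protocol, global port) pairs that reach the inside host
    forwarded = {(e["proto"], e["gport"]) for e in entries}

    if IKE_PORT not in forwarded:
        errors.append("IKE (UDP 500) is not forwarded")
    if nat_t:
        if NAT_T_PORT not in forwarded:
            errors.append("NAT-T (UDP 4500) is not forwarded")
        if ("esp", None) in forwarded:
            warnings.append("esp entry is unused when NAT-T is in effect (ESP rides in UDP 4500)")
    elif ("esp", None) not in forwarded:
        errors.append("ESP (IP protocol 50) is not forwarded and NAT-T is off")
    if ("tcp", 500) in forwarded:
        warnings.append("tcp 500 is unnecessary: ISAKMP uses UDP only")

    return {"ok": not errors, "errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for name, cfg in (("as posted", THREAD_CONFIG), ("corrected", FIXED_CONFIG)):
        for mode in (True, False):
            result = check_ipsec_pat(cfg, nat_t=mode)
            print(f"{name}, NAT-T={mode}: ok={result['ok']}")
            for msg in result["errors"]:
                print("  ERROR:", msg)
            for msg in result["warnings"]:
                print("  warn: ", msg)
```

Run as-is, the posted configuration fails the NAT-T check twice (the `ucp` line is rejected and therefore UDP 4500 is never forwarded), while the corrected configuration passes in both modes with only the `tcp 500` and, under NAT-T, the `esp` entry flagged as surplus. The check deliberately treats surplus entries as warnings rather than errors: they do not break the tunnel, but they are a sign that passthrough-style and NAT-T-style forwarding have been mixed, which is the confusion the reply above points out.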
Blogs and organic groups at http://www.ccie.net
Received on Thu Jun 04 2009 - 13:30:08 ART

This archive was generated by hypermail 2.2.0 : Wed Jul 01 2009 - 20:02:36 ART