One interface configured as External, connected to Checkpoint NG R55, with IP address 192.168.2.2/24 and default gateway 192.168.2.1 (Checkpoint firewall)
One interface configured as Internal, connected to the internal network (192.168.1.0/24), with IP address 192.168.1.5/24 and no default gateway
I am able to ping both interfaces of the Checkpoint firewall and even internet sites from ISA 2004 and from internal workstations, but I am unable to ping from Checkpoint to the ISA 2004 internal interface, i.e. 192.168.1.5, and the internal network, even though I created a network relationship and an access rule to allow ping traffic on ISA 2004. A strange behaviour is that when I stop the Checkpoint Firewall-1 service on the Windows 2000 machine, the same machine is able to ping ISA 2004 and the internal network.
I don't know where the problem is; I tried everything. What could I do? I need help.
    Relation   Source Network   Destination Network
1-  Route      Local Host       All Networks (and Local Host)
2-  NAT        Internal         External
3-  Route      External         Internal
After continued attempts to solve the problem, I am now able to connect the Checkpoint firewall to ISA 2004, but I had to disable anti-spoofing on the internal interface of the Checkpoint firewall. I think it is not a good solution as it will weaken the security. To test that no security rule on Checkpoint is creating the problem, I placed only one rule on the Checkpoint firewall, as given below:
Source   Dest   VPN   Service   Action   Track   Install on   Time
any      any    any   any       accept   none    gateway      any
Any networks behind FW-1 must be defined in its "VPN Domain" setting. Go into the firewall object, topology section, and see what you have defined for the VPN Domain. I'm betting it's the "as defined by interface" setting (I can't remember the exact phraseology).
If it's set this way, then only the network that is reachable will be the one that's set on the firewall topology for the internal interface.
What you probably need to do is define a new Network Group in FW-1. You then need to define a network object for each subnet behind FW-1. Place each of these network objects into the network group you just created.
Now that the group is defined, go back into the topology section and change the VPN Domain to "manually defined" and select the network group you just created, save everything and push the policy.
You're seeing the anti-spoof drop because FW-1 does not know that the traffic coming from the internal network is part of the internal network. The above steps should fix it.
Thank you very much for giving attention to my problem. You are right, I made the very same topology misconfiguration mistake that most Check Point administrators make. Thank you to all of you who replied and gave attention.
Hey, great! For any future readers, although my explanation was correct for the FW-1 VPN Domain, it was incorrect for this problem. The fix is similar in that you have to create the same group, but you set it on the firewall object, topology section, for the internal interface.
Actually, if you're using Check Point remote access or site-to-site VPNs, you have to set them both. :-)
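As an added illustration (not part of the original thread and not Check Point's own code), the following Python script models the anti-spoofing decision that the replies above describe. With the internal interface topology left at "network defined by the interface IP and net mask", the only legitimate source on that interface is the directly connected 192.168.2.0/24, so replies from the ISA's internal side (192.168.1.5) are dropped as spoofed, which is exactly the symptom in the first post. Setting the interface topology to a group that also contains 192.168.1.0/24, the fix given in the last reply, makes those sources legitimate on the inside while still rejecting them on the external interface. The addresses 192.168.2.x and 192.168.1.0/24 come from the thread; the interface names eth0/eth1, the external address 203.0.113.10/24, the Internet source 198.51.100.7 and the group name ISA_side_nets are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Interface:
    """One gateway interface with its anti-spoofing topology setting."""
    name: str
    addr: str                              # interface address, e.g. "192.168.2.1/24"
    external: bool = False                 # Topology: External (leads out to the Internet)
    specific: Optional[List[str]] = None   # Topology: Specific (a network group); None means
                                           # "Network defined by the interface IP and Net Mask"

    def networks_behind(self) -> List[ipaddress.IPv4Network]:
        if self.specific is not None:
            return [ipaddress.ip_network(n) for n in self.specific]
        return [ipaddress.ip_interface(self.addr).network]


def anti_spoof_verdict(interfaces: List[Interface], iface_name: str, src_ip: str) -> str:
    """Return "accept" or "drop" for a packet with source src_ip arriving on iface_name.

    Internal interface: the source must lie inside the networks defined behind it.
    External interface: the source must NOT lie inside any internal interface's networks.
    """
    src = ipaddress.ip_address(src_ip)
    iface = next(i for i in interfaces if i.name == iface_name)
    if iface.external:
        for other in interfaces:
            if other.external:
                continue
            if any(src in net for net in other.networks_behind()):
                return "drop"          # an inside address showing up on the outside
        return "accept"
    return "accept" if any(src in net for net in iface.networks_behind()) else "drop"


# Constructed scenario: eth0/eth1, 203.0.113.10/24 and the group name are assumptions
# for this example; the 192.168.x.x addresses are the ones from the thread.
ISA_SIDE_NETS = ["192.168.2.0/24", "192.168.1.0/24"]   # hypothetical group "ISA_side_nets"


def topology_as_defined_by_interface() -> List[Interface]:
    """The misconfiguration from the thread: internal topology = interface subnet only."""
    return [
        Interface("eth0", "203.0.113.10/24", external=True),
        Interface("eth1", "192.168.2.1/24"),
    ]


def topology_with_group() -> List[Interface]:
    """The fix: the internal interface's topology is the group that also holds 192.168.1.0/24."""
    return [
        Interface("eth0", "203.0.113.10/24", external=True),
        Interface("eth1", "192.168.2.1/24", specific=ISA_SIDE_NETS),
    ]


def explain(topology: List[Interface]) -> dict:
    """Verdicts for the packets that matter in the thread."""
    return {
        # ICMP from the ISA external side, directly connected to eth1
        "isa_external_on_eth1": anti_spoof_verdict(topology, "eth1", "192.168.2.2"),
        # echo reply from the ISA internal interface, routed back through the ISA
        "isa_internal_on_eth1": anti_spoof_verdict(topology, "eth1", "192.168.1.5"),
        # a real spoof: an inside address arriving on the outside interface
        "isa_internal_on_eth0": anti_spoof_verdict(topology, "eth0", "192.168.1.5"),
        # ordinary Internet source on the outside interface
        "internet_on_eth0": anti_spoof_verdict(topology, "eth0", "198.51.100.7"),
    }


if __name__ == "__main__":
    for label, topo in (("as defined by interface", topology_as_defined_by_interface()),
                        ("specific group", topology_with_group())):
        print(label)
        for packet, verdict in explain(topo).items():
            print(f"  {packet:22s} -> {verdict}")
```

Running it shows the two sides of the mistake: with the interface-only topology the echo reply from 192.168.1.5 is dropped on eth1, and at the same time a packet claiming to be 192.168.1.5 that arrives on eth0 is accepted, because the gateway has no idea that network is inside. The group fixes both, which is why adding the group beats disabling anti-spoofing on the internal interface as the second post did.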