The PhoneBoy Blog


Simplifying Telecom, Mobile Phones, Gadgets, and More!

FireWall-1 FAQ: VPN Between FireWall-1 4.1 and Cisco

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason, people still have links to this stuff on the Internet, and people are still clicking on them.


I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.


If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)


On the Cisco Router:

    !*** Phase 1 (ISAKMP) policy: triple DES, MD5 and a pre-shared key.
    !*** "sharedkey" is a placeholder; the same secret is entered on the firewall.
    !
    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
    crypto isakmp key sharedkey address (firewall external IP here)
    !
    !*** Phase 2 (IPsec) transform set: ESP with 3DES and HMAC-MD5.
    !*** These must match the encrypt action's properties on the firewall.
    !
    crypto ipsec transform-set ciscofw1 esp-3des esp-md5-hmac
    !
    !*** The actual map: the peer, the transform set, and the traffic to protect.
    !*** When something matches access-list 100, encrypt it to the peer.
    !
    crypto map fw1 10 ipsec-isakmp
     set peer (firewall external IP here)
     set transform-set ciscofw1
     match address 100
    !
    !*** Assign the map to the external (NAT outside) interface
    !
    interface Ethernet0/0
     ip address 192.168.202.254 255.255.255.0
     crypto map fw1
     ip nat outside
    !
    !*** We used NAT on our internal interface
    !
    interface Ethernet0/1
     description Internal LAN Interface
     ip address 192.168.201.254 255.255.255.0
     no ip directed-broadcast
     ip nat inside
    !
    !*** Overload (PAT) everything from the internal LAN onto Ethernet0/0's address.
    !*** IOS translates before it consults the crypto map on outbound packets, so by
    !*** the time traffic reaches access-list 100 its source is 192.168.202.254,
    !*** not a 192.168.201.x host.
    !
    ip nat inside source list 101 interface Ethernet0/0 overload
    !
    !*** Encrypt anything going to the 192.168.203 network. The source is the
    !*** router's own outside address because of the NAT overload above, so the
    !*** firewall's encryption domain for this router is that single host.
    !
    access-list 100 permit ip host 192.168.202.254 192.168.203.0 0.0.0.255
    access-list 101 permit ip 192.168.201.0 0.0.0.255 any

On the Check Point Firewall:

Add an object for the router (a workstation object whose address is the router's external interface, 192.168.202.254) and enable IKE in its VPN encryption properties. Edit the IKE properties to match the router's ISAKMP policy: 3DES for encryption, MD5 for hashing, and pre-shared secret as the authentication method, entering the same secret that the router's crypto isakmp key line uses. The encryption domains must mirror access-list 100: because of the NAT overload, the router object's domain is the single host 192.168.202.254, and the firewall's own domain must include 192.168.203.0/24. If the two sides' domains don't agree, IKE Phase 2 negotiation fails and the tunnel never comes up.

We added two rules, one for traffic coming from the Cisco and one for traffic going to the Cisco. They allow all services and the action is set to Encrypt. Edit the Encrypt action's properties to match the router's transform set: ESP with 3DES encryption and MD5 data integrity. A mismatch between these settings and the router's ISAKMP policy or transform set shows up as a failed IKE negotiation rather than a rule drop, so check them before suspecting the rulebase.
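The two sides only agree when the firewall's IKE properties, Encrypt action and encryption domains mirror what the router configuration says, and the NAT-before-crypto ordering is easy to break when the access lists get edited later. The script below is an added example, not from the original FAQ and not Cisco's or Check Point's code: it parses the small subset of IOS syntax used on this page (embedded as a constructed copy of the router config, with 192.0.2.1 from the RFC 5737 documentation range standing in for the firewall's external IP and "sharedkey" still a placeholder), derives the Phase 1/Phase 2 parameters and proxy IDs the firewall must match, classifies each crypto ACL entry by whether NAT would translate it before the crypto map sees it, and lists the legacy algorithms in use. ACL matching is by overlap, first entry wins, which is an approximation of IOS evaluation sufficient for this check.

```python
import ipaddress

# Constructed copy of the page's router config; 192.0.2.1 (RFC 5737) stands in for the firewall's external IP.
IOS_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key sharedkey address 192.0.2.1
crypto ipsec transform-set ciscofw1 esp-3des esp-md5-hmac
crypto map fw1 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set ciscofw1
 match address 100
interface Ethernet0/0
 ip address 192.168.202.254 255.255.255.0
 crypto map fw1
 ip nat outside
ip nat inside source list 101 interface Ethernet0/0 overload
access-list 100 permit ip host 192.168.202.254 192.168.203.0 0.0.0.255
access-list 101 permit ip 192.168.201.0 0.0.0.255 any
"""
LEGACY_ALGS = ("des", "3des", "md5")   # algorithm tokens worth flagging today

def _acl_endpoint(tokens):
    """Consume one ACL endpoint ('any', 'host A' or 'A WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # An IOS wildcard mask is a host mask, which ipaddress accepts as "addr/hostmask".
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_ios_vpn(config):
    """Pull the ISAKMP policy, transform set, crypto map, interfaces and ACLs out of IOS text."""
    cfg = {"ike": {}, "transform": [], "peer": None, "crypto_acl": None,
           "nat_acl": None, "acls": {}, "interfaces": {}}
    block = None
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        if not raw.startswith(" "):              # top-level command; some open a block
            block = None
            if t[:3] == ["crypto", "isakmp", "policy"]:
                block = ("isakmp", t[3])
            elif t[:2] == ["crypto", "map"]:
                block = ("map", t[2])
            elif t[0] == "interface":
                block = ("iface", t[1])
                cfg["interfaces"][t[1]] = {}
            elif t[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["transform"] = t[4:]
            elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
                cfg["nat_acl"] = t[5]
            elif t[0] == "access-list" and t[2] in ("permit", "deny"):
                src, rest = _acl_endpoint(t[4:])
                dst, _ = _acl_endpoint(rest)
                cfg["acls"].setdefault(t[1], []).append((t[2], src, dst))
            continue
        kind, name = block if block else (None, None)
        if kind == "isakmp":                     # encr / hash / authentication / group ...
            cfg["ike"][t[0]] = t[1]
        elif kind == "map" and t[:2] == ["set", "peer"]:
            cfg["peer"] = t[2]
        elif kind == "map" and t[:2] == ["match", "address"]:
            cfg["crypto_acl"] = t[2]
        elif kind == "iface" and t[:2] == ["ip", "address"]:
            cfg["interfaces"][name]["ip"] = ipaddress.ip_address(t[2])
        elif kind == "iface" and t[:3] == ["ip", "nat", "outside"]:
            cfg["interfaces"][name]["nat_outside"] = True
    return cfg

def checkpoint_settings(cfg):
    """The firewall's IKE properties, Encrypt action and encryption domains must mirror these."""
    ike = cfg["ike"]
    phase1 = [ike.get("encr", "des"), ike.get("hash", "sha"), ike.get("authentication", "rsa-sig")]
    return {
        "ike": phase1,                           # [encryption, hash, auth]; IOS defaults if omitted
        "ipsec_transform": list(cfg["transform"]),
        # (router-side domain, firewall-side domain) pairs, straight from the crypto ACL
        "proxy_ids": [(str(s), str(d)) for a, s, d in cfg["acls"][cfg["crypto_acl"]] if a == "permit"],
        "legacy": sorted({n for n in phase1[:2] + cfg["transform"] if any(a in n.split("-") for a in LEGACY_ALGS)}),
    }

def nat_crypto_findings(cfg):
    """IOS applies NAT before the crypto map on the way out; classify each crypto ACL permit."""
    outside_ip = next(i["ip"] for i in cfg["interfaces"].values() if i.get("nat_outside"))
    nat_acl = cfg["acls"].get(cfg["nat_acl"], [])
    findings = []
    for _, src, dst in filter(lambda e: e[0] == "permit", cfg["acls"][cfg["crypto_acl"]]):
        if src.num_addresses == 1 and outside_ip in src:
            status = "ok-pat"                    # matches post-NAT traffic; peer sees only this host
        else:                                    # first overlapping NAT ACL entry decides
            hit = next((a for a, ns, nd in nat_acl if ns.overlaps(src) and nd.overlaps(dst)), "deny")
            status = "natted-before-crypto" if hit == "permit" else "ok-no-nat"
        findings.append((status, str(src), str(dst)))
    return findings
```

Run against the page's config, nat_crypto_findings reports "ok-pat" for the single crypto ACL entry: the firewall must use host 192.168.202.254 as the router's encryption domain and 192.168.203.0/24 as its own. Change access-list 100 to match the 192.168.201.0/24 LAN directly, as people tend to when they stop using PAT, and it reports "natted-before-crypto" until a deny for the 192.168.203.0/24 destination is placed ahead of the permit in access-list 101; that is the usual reason such a tunnel never comes up.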

C-List #Cybersecurity Celebrity, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.