
SecuRemote vpn connection

18 years 11 months ago #11875 by suderman
NAT statements

ip nat inside source list 99 interface Ethernet1 overload
ip nat inside source static tcp xxx.xxx.xxx.xxx 500 interface Ethernet1 500
ip nat inside source static esp xxx.xxx.xxx.xxx interface Ethernet1
ip nat inside source static udp xxx.xxx.xxx.xxx 2746 interface Ethernet1 2746
ip nat inside source static tcp xxx.xxx.xxx.xxx 264 interface Ethernet1 264
ip nat inside source static udp xxx.xxx.xxx.xxx 500 interface Ethernet1 500

xxx.xxx.xxx.xxx - private ip address of Checkpoint Firewall interface leading to External network (internet).
Ethernet1 - Cisco router interface with public ip address

My SecuRemote client is R55 build 082
I have tried with Force UDP/support IKE over TCP settings and also without them.

Concerning Your last post I have tried what You said:

A. I've set it
B. On my gateway I have interface xxx.xxx.xxx.xxx (from the Cisco configuration) with external topology
I've also added an external interface with the IP address of the Cisco public interface Ethernet1 (see the Cisco config above) - but I'm not sure if this is what you mean?
18 years 11 months ago #11876 by suderman
Sorry, I forgot to add in my last post that I still have no success.
18 years 11 months ago #11878 by suderman
Hello again

I have made some additional tests and it seems that the VPN connection is working!!!

The most important thing was support for IKE over TCP which was not checked in Global properties of the Smart Console.

There is one small obstacle on the way:

It seems that some gateways have overlapping encryption domains. This prevents the SecuRemote client from downloading the topology.

But it's different story and I think I will manage it by myself ...

Thanks a lot for your help.
18 years 11 months ago #11879 by tiamat
Glad I could help. Even though the SecuRemote clients are unable to download the new topology due to the overlapping encryption domains, they should still be able to connect. If you're having problems narrowing down where your overlap is, try this command on the enforcement module:

```
vpn overlap_encdom
```

It should tell you what objects are used in more than 1 encryption domain.
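To make the overlap condition from the thread concrete, here is an added example (not part of the original posts and not Check Point code) that takes each gateway's encryption domain as a list of networks and reports every address range claimed by more than one gateway. The gateway names and networks are constructed sample data, and the result format is this example's own, not the output of `vpn overlap_encdom`.

```python
import ipaddress
from itertools import combinations

# Constructed sample data: gateway names and networks are hypothetical.
ENCRYPTION_DOMAINS = {
    "gw-hq": ["10.1.0.0/16", "192.168.10.0/24"],
    "gw-branch": ["10.1.20.0/24", "172.16.5.0/24"],
    "gw-dr": ["192.168.10.128/25", "10.9.0.0/16"],
}


def find_overlaps(domains):
    """Return sorted (gw_a, net_a, gw_b, net_b, shared) tuples for every pair
    of networks that belong to different gateways and share addresses."""
    # strict=True rejects entries with host bits set (e.g. 10.1.20.5/24),
    # which usually indicates a typo in the object definition.
    parsed = {
        gw: [ipaddress.ip_network(n, strict=True) for n in nets]
        for gw, nets in domains.items()
    }
    hits = []
    for (gw_a, nets_a), (gw_b, nets_b) in combinations(sorted(parsed.items()), 2):
        for a in nets_a:
            for b in nets_b:
                if a.version != b.version or not a.overlaps(b):
                    continue
                # Two CIDR blocks overlap only when one contains the other,
                # so the shared range is the more specific of the two.
                shared = a if a.prefixlen >= b.prefixlen else b
                hits.append((gw_a, str(a), gw_b, str(b), str(shared)))
    return sorted(hits)


if __name__ == "__main__":
    for gw_a, net_a, gw_b, net_b, shared in find_overlaps(ENCRYPTION_DOMAINS):
        print(f"{shared}: claimed by {gw_a} ({net_a}) and {gw_b} ({net_b})")
```
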