ASAs mungle "non-Cisco" VoIP so horrible. They have their pluses but NAT isn't one of them. I have seen them break their own Cisco Cube deployments as well. Overall they have been more of a headache then a lifesaver/help. Cisco does things really well when an entire infrastructure is Cisco down. They just don't play well with others
It is funny you say that since I had a tough time with IPSEC tunnels with cisco/checkpoint and cisco/watchguard. The phases were identical yet I still had to troubleshoot for ages. I will eventually have to set up the same with some SSG's but hopefully will have a better experience.
The last time I messed with Checkpoint, I learned with R60-R70 on servers. I never messed with their appliances. I think Sil is right, there are a lot of VMware appliance to learn from as far as firewalls too.