topic Re: Site-Site Tunnel with NAT to a second Tunnel in Firewall and Security Management

Site-Site Tunnel with NAT to a second Tunnel

DFR_ — Tue, 13 Aug 2019 13:48:48 GMT

Hello all,

I'm in no way a experienced admin of Check Point, this is a situation that I was tasked with because no one else would take it.
I'm used to work with palo and asa devices, so I might be missing something here.

This is the basic layout:

Due to whatever policies, 10.13.1.x can't be connected directly to 1.1.1.1, so the solution was to create the tunnel between devices 1 and 2.

Device 1 is a Fortinet that I have no control over.
The tunnel between device 2 and 10.13.1.x already exists and is ok.

I have assigned 172.31.221.201 to a internal interface on device 2, that is a Check Point device, and created access and nat rules that I can see applied on logs when I telnet one of the allowed ports from 10.13.1.11 to 172.31.201.82

Phase 1 is ok, but the admin of device 1 says it sees device 2 trying to negotiate the 10.13.1.x subnet but not 172.31.221.x on phase 2. Is there any way I can force 2 to negotiate only the wanted subnet?

Should I create a new gateway object for this new tunnel and set the topology to this address? On a palo device I would create a new IKE gateway for each tunnel I want to establish. Is this the same logic on Check Point?

Thank you for any help you provide.

Re: Site-Site Tunnel with NAT to a second Tunnel

PhoneBoy — Thu, 27 Jun 2019 02:33:42 GMT

What is the encryption domain defined as on your Gateway?
It should include ALL the subnets that need to communicate with the remote peer.

Re: Site-Site Tunnel with NAT to a second Tunnel

DFR_ — Tue, 13 Aug 2019 13:47:06 GMT

It wasn't solved, but thank you for the reply,

I had people with CheckPoint certs look at the config and nothing seemed wrong, but it wouldn't work as intended.

In the end, a few quirks like this one became deal breakers for the techs on the client team, so we replaced that demo device with something else they were more familiar with.