topic Access to different Site-to Site VPN domains in Firewall and Security Management

Access to different Site-to Site VPN domains

Anu_Cherian — Mon, 24 May 2021 01:55:52 GMT

Hi All,

I would need some help with the below requirement with site- to- site VPN

Gateway : 3200 series

Version : Gaia R80.40

Scenario

we have three sites, Site A , Site B and Site C

Site A

IP : 1.1.1.1

Network : 192.168.10.0/24 , 172.31.33.0/24

Site to site VPN with Site B and Site C ( S2S access is working fine)

Site B

IP 2.2.2.2

Network : 192.168.30.0/24

S2S with Site A and HQ

Site C

IP : 3.3.3.3

Network : 10.0.0.0/8

Only Site A have access to S2S access. Note : We cannot make any changes to Site C

Requirement

We need Site B to have access to Site C, through Site A. We need to hide our Site B IP network address, as it is not allowed through Site A <-> Site C tunnel

Please advice

Re: Access to different Site-to Site VPN domains

PhoneBoy — Mon, 24 May 2021 03:24:35 GMT

Site B would need to extend its encryption domain to include Site C's address space.
Also, you'd need appropriate NAT rules for the traffic coming from Site B to translate it to something in Site A's address space (most likely HIDE NAT or possibly IP Pool NAT).

Re: Access to different Site-to Site VPN domains

Anu_Cherian — Mon, 24 May 2021 19:33:34 GMT

@PhoneBoy pardon my ignorance. could you please help to provide some example, on how to set the NAT rules. I tried to setup NAT rules, but didn't see to work. really appreciate your help

Re: Access to different Site-to Site VPN domains

PhoneBoy — Mon, 24 May 2021 20:43:44 GMT

Here’s an example with IP Pool NAT: https://community.checkpoint.com/t5/Security-Gateways/NAT-Source-Port-manipulation/m-p/90783