topic Re: VPN Interoperable object with same IP in Firewall and Security Management

VPN Interoperable object with same IP

carl_t — Fri, 14 Oct 2022 08:55:34 GMT

Hi All

A quick question, is it possible to have a interoperable object using the same IP? We want to build VPNs to a third party firewall but some different policies / vpn domains behind the same object need to be used.

We have tried this and it seems to have caused some issues, even though the different object is used in different communities.

Many thanks

Re: VPN Interoperable object with same IP

G_W_Albrecht — Fri, 14 Oct 2022 08:59:25 GMT

Using the same IP as what else is using ? How to do routing in this situation ?

Re: VPN Interoperable object with same IP

carl_t — Fri, 14 Oct 2022 09:16:12 GMT

The interoperable object is a Cisco ASA FW, we build VPNs to it from our Checkpoint Firewalls.

I have created another object using a different name but the same IP, this is then used in different vpn communities

Re: VPN Interoperable object with same IP

G_W_Albrecht — Fri, 14 Oct 2022 09:36:19 GMT

So how do you expect VPN routing will work in this situation with two identical IPs ?

Re: VPN Interoperable object with same IP

carl_t — Fri, 14 Oct 2022 09:51:01 GMT

its from 2 different Checkpoints using 2 different vpn communities and 2 different "named" objects. every other firewall vendor has no issue doing this.

Re: VPN Interoperable object with same IP

G_W_Albrecht — Fri, 14 Oct 2022 10:10:07 GMT

Can you provide a topology map? These are 2 different CP GWs and the double IP is not present on one GW, but each has the same IP ?

Re: VPN Interoperable object with same IP

carl_t — Fri, 14 Oct 2022 10:49:15 GMT

Hi, see attached diagram, I have made up the IP's for ref only

Re: VPN Interoperable object with same IP

G_W_Albrecht — Fri, 14 Oct 2022 11:25:28 GMT

And both CP GWs are managed by the same SMS ? Better open a SR# with CP TAC to get to a supported configuration !

Re: VPN Interoperable object with same IP

PhoneBoy — Fri, 14 Oct 2022 12:55:22 GMT

I recommend checking with TAC if this is a supported configuration (having two different VPN gateways with same IP).
Pretty sure this won’t work/be supported, though.

Re: VPN Interoperable object with same IP

the_rock — Fri, 14 Oct 2022 13:00:32 GMT

I personally had never seen this done with any vendor before...would love an example of it working.

Re: VPN Interoperable object with same IP

carl_t — Fri, 14 Oct 2022 13:08:40 GMT

If its not supported, that means every Checkpoint Gateway is forced to use the same parameters and vpn domains as all the others, this is not flexible at all if this is the case.

With ASA and other vendors you can choose whatever subnets you like to different firewalls using different polices etc

Re: VPN Interoperable object with same IP

the_rock — Fri, 14 Oct 2022 13:12:26 GMT

With CP, you can always choose different VPN domain for different VPN communities, thats been supported for some time now. Now, obviously, you create separate rules (usually within same policy package) to reflect access needed for each VPN community.

Are we missing something here?

Re: VPN Interoperable object with same IP

RS_Daniel — Fri, 14 Oct 2022 13:13:43 GMT

Hello,

Always that i have faced a situation with duplicated IP addresses TAC told me to avoid that. Many features look for the specific object into the data base using the IP address and it can end using the wrong object.

I think it is possible to get this working, but never had this scenario. I would try adding both remote vpn domains in one interoperable object, lets's say remote vpn domain A and remote vpn domain B. And make sure tunnel sharing is set to "per subnet pair".

Just make sure that on the first checkpoint gateway, the generated traffic is always with destination remote vpn domain A, so in phase two, checkpoint gateway will send the ID's --> "Your_Network - remote vpn domain A", and only that, it will not include remote network B, the ID's are based on the generated traffic. And the same on second checkpoint gateway, only traffic with destination remote vpn domain B should go through this gateway.

Of course you have to manage your internal routing correctly for both remote vpn domains, if these are adjacent networks maybe you will have to edit user.def file to avoid supernetting, take care of NAT, etc, etc. Again it is my personal opinion and never configured something like your scenario. HTH.

Regards

Re: VPN Interoperable object with same IP

RS_Daniel — Fri, 14 Oct 2022 13:22:31 GMT

Forgot the other option that would avoid vpn domain's issues, you can use route based vpn's!!! and keep yourself on a supported configuration as G_W_Albrecht said in case you need TAC assistance.