https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-VPN-terminate-on-firewall-with-no-public-ip-address/m-p/235347#M45618 <P>K, thats more clear now. Good question actually...so you dont need S2S between outer and inner fw, just to forward it to inner?</P> <P>Andy</P> Wed, 11 Dec 2024 14:15:37 GMT the_rock 2024-12-11T14:15:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-VPN-terminate-on-firewall-with-no-public-ip-address/m-p/235304#M45611 <P>Hi I need to :</P><P>&nbsp;</P><P>1) set up a VPN from AWS to a R81.20</P><P>the question is :</P><P>can i do a nat of a public ip address to the inner firewalls private ip address.</P><P>Using nat t will this allow me to terminate the VPN on the inner firewall &amp; tunnel traffic using ipsec directly to inner ?</P><P>The network between the inner &amp; outer are the same /24 network.</P><P>I will use sk100726</P><P>The documentation suggests this is achievable, has anyone done this&nbsp; ?</P><P>This will allow a significant simplification of routing changes on the internal lan that will be required.</P><P>any help is appreciated</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 11 Dec 2024 11:00:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-VPN-terminate-on-firewall-with-no-public-ip-address/m-p/235304#M45611 TOM_MORAN 2024-12-11T11:00:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-VPN-terminate-on-firewall-with-no-public-ip-address/m-p/235333#M45613 <P>Im fairly sure it is possible, you would just need to do static nat in this case and make sure nat is NOT disabled inside vpn community.</P> <P>Hey, do you have simple network diagram you can attach? I think that would help us as well.</P> <P>Andy</P> Wed, 11 Dec 2024 13:31:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-VPN-terminate-on-firewall-with-no-public-ip-address/m-p/235333#M45613 the_rock 2024-12-11T13:31:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-VPN-terminate-on-firewall-with-no-public-ip-address/m-p/235339#M45614 <P>apologizes i thought i had attached the diagram</P> Wed, 11 Dec 2024 13:50:12 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-VPN-terminate-on-firewall-with-no-public-ip-address/m-p/235339#M45614 TOM_MORAN 2024-12-11T13:50:12Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-VPN-terminate-on-firewall-with-no-public-ip-address/m-p/235341#M45615 <P>Got it, yes, np man, we see it now! So essentially, just to make sure, S2S is between AWS and outer CP fw, but connection has to flow all the way to the server itself, which is behind INNER cp fw?</P> <P>Andy</P> Wed, 11 Dec 2024 13:56:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-VPN-terminate-on-firewall-with-no-public-ip-address/m-p/235341#M45615 the_rock 2024-12-11T13:56:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-VPN-terminate-on-firewall-with-no-public-ip-address/m-p/235346#M45617 <P>Hi Andy many thanks.</P><P>Normally the VPN would terminate on the physical ip of the outer firewall.</P><P>But what i want to do is :</P><P>do a static nat public public ip on the outer fw to the inner fw &amp; use that ip as the termination ip site.</P><P>If i do that can we tunnel traffic using nat t &amp; ipsec to the inner fw</P><P>we don't want to route traffic on the outer fw</P> Wed, 11 Dec 2024 14:10:16 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-VPN-terminate-on-firewall-with-no-public-ip-address/m-p/235346#M45617 TOM_MORAN 2024-12-11T14:10:16Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-VPN-terminate-on-firewall-with-no-public-ip-address/m-p/235347#M45618 <P>K, thats more clear now. Good question actually...so you dont need S2S between outer and inner fw, just to forward it to inner?</P> <P>Andy</P> Wed, 11 Dec 2024 14:15:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-VPN-terminate-on-firewall-with-no-public-ip-address/m-p/235347#M45618 the_rock 2024-12-11T14:15:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-VPN-terminate-on-firewall-with-no-public-ip-address/m-p/235358#M45621 <P>correct connect/forward to inner</P> Wed, 11 Dec 2024 15:11:15 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-VPN-terminate-on-firewall-with-no-public-ip-address/m-p/235358#M45621 TOM_MORAN 2024-12-11T15:11:15Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-VPN-terminate-on-firewall-with-no-public-ip-address/m-p/235359#M45622 <P>I would say as long as rules allow it and routing is there, no reason not to work, as technically, inner firewall would simply "serve" as passthrough (if you will) to reach the final destination.</P> <P>Andy</P> Wed, 11 Dec 2024 15:12:55 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-VPN-terminate-on-firewall-with-no-public-ip-address/m-p/235359#M45622 the_rock 2024-12-11T15:12:55Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-VPN-terminate-on-firewall-with-no-public-ip-address/m-p/235390#M45628 <P><STRONG>This answer is provided by <A href="https://www.checkpoint.com/ai/copilot/" target="_blank">Infinity AI Copilot</A> and should be confirmed by reviewing official documentation in <A href="https://support.checkpoint.com" target="blank">Support Center</A>.</STRONG></P> <P>Yes, you can set up a VPN from AWS to an R81.20 firewall without a public IP by using NAT to map a public IP to the inner firewall's private IP. Using NAT-T (NAT Traversal) will allow you to terminate the VPN on the inner firewall and tunnel traffic using IPsec directly to the inner firewall. This setup is supported and can simplify routing changes on your internal LAN.</P> <P>Here are some key steps to consider:</P> <OL> <LI><P><STRONG>NAT Configuration</STRONG>: Ensure that the public IP is properly NATed to the private IP of the inner firewall. This will allow the VPN traffic to reach the inner firewall.</P> </LI> <LI><P><STRONG>NAT-T Configuration</STRONG>: Enable NAT Traversal on your VPN settings to handle the NATed traffic correctly.</P> </LI> <LI><P><STRONG>VPN Configuration</STRONG>: Follow the guidelines in <A href="https://support.checkpoint.com/results/sk/sk100726" target="_blank">sk100726</A> for configuring IPsec VPN between your Check Point Security Gateway and AWS VPC using static routes and Numbered VTI.</P> </LI> <LI><P><STRONG>Network Configuration</STRONG>: Since the network between the inner and outer firewalls is the same /24 network, ensure that routing and firewall rules are correctly set to allow traffic to flow between these networks.</P> </LI> <LI><P><STRONG>Testing and Validation</STRONG>: After configuration, test the VPN connection to ensure that traffic is correctly routed and encrypted between AWS and your internal network.</P> </LI> </OL> <P>This approach is feasible and has been documented in Check Point's resources, allowing for a streamlined setup. If you encounter any issues, consider revisiting the configuration steps or consulting with Check Point support for further assistance.</P> Wed, 11 Dec 2024 20:51:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-VPN-terminate-on-firewall-with-no-public-ip-address/m-p/235390#M45628 CheckMatesAI 2024-12-11T20:51:38Z