topic Re: Replacing a Cisco 2811 router duty with a Check Point standalone HA in Firewall and Security Management

Replacing a Cisco 2811 router duty with a Check Point standalone HA

Cesar_Caballero — Thu, 19 Jul 2018 14:50:46 GMT

Hello to everyone,

I'm currently facing a scenario where we have two Check Point 4200s working in standalone HA and taking care of my internet connection and a simple VPN. Next to it, there is a Cisco 2811 router whose only duty is to keep an IPsec VPN established with another Cisco that we don't manage. I've been asked to migrate that IPsec VPN from the Cisco to the Check Point, and I don't know how to do that. Can anybody help me?

The IPsec VPN conditions are:

- The IPsec VPN must be established between the Check Point standalone in HA with a cluster IP 10.15.128.130/30 and a 3rd party appliance (Cisco) that we don't manage with an IP 10.15.128.2/30. So the Cluster IP address is going to be in a diferent subnet than it's members.

- Trafic within the IPsec VPN must be routed by NATing all IPs with a loopback with an IP 10.2.92.2 and another loopback with an IP 10.1.92.2.

- I've uploaded a modified config of the Cisco 2811 to protect privacy. It is attached to this post.

Any help would be greatly apreciated.

Regards,

Re: Replacing a Cisco 2811 router duty with a Check Point standalone HA

PhoneBoy — Thu, 19 Jul 2018 15:24:12 GMT

I would start by making sure you have all the necessary information to create a VPN.

Here's a nice worksheet for that: what information do we need from the remote site customer when creating site to site VPN?

Then you can follow the steps in the documentation for creating a VPN with a third-party site: Site to Site VPN R80.10 Administration Guide

Re: Replacing a Cisco 2811 router duty with a Check Point standalone HA

Cesar_Caballero — Thu, 19 Jul 2018 15:45:28 GMT

Thanks Dameon Welch Abernathy‌ for the quick response. Yes, we allready have all the necessary information to create the VPN. Regarding the documentation for creating a VPN, we're running R77.30, and yes I'd had access to that documentation as well. My main question is how do I create the policy after configuring all the VPN parameters and how do I get the traffic to be NATed trough the loopback?

Re: Replacing a Cisco 2811 router duty with a Check Point standalone HA

PhoneBoy — Thu, 19 Jul 2018 16:21:36 GMT

Something like the following for the VPN rules:

For NAT, something like:

Re: Replacing a Cisco 2811 router duty with a Check Point standalone HA

Cesar_Caballero — Thu, 19 Jul 2018 17:48:45 GMT

Thanks once again for the info! And that loopback is configured as what kind of object in the SmartDashboard? Do I need a loopback interface in the GAiA firewall as well?

Re: Replacing a Cisco 2811 router duty with a Check Point standalone HA

PhoneBoy — Thu, 19 Jul 2018 18:07:18 GMT

You create a regular host object for it.

You will need to right-click on it in the NAT rulebase to change the NAT mode to Hide (versus Static).

If you are using VPN tunnel interfaces, you configure the IP on the tunnel interface.

Re: Replacing a Cisco 2811 router duty with a Check Point standalone HA

Cesar_Caballero — Thu, 19 Jul 2018 18:43:57 GMT

All the info are great! Just another question: If I'm not using VTI, I just set up a regular loopback with the 10.2.92.2/30 address, right? And that with the NAT mode set to hide should work, right?

Re: Replacing a Cisco 2811 router duty with a Check Point standalone HA

PhoneBoy — Thu, 19 Jul 2018 19:18:31 GMT

You don't need to set up a loopback in this case.