topic Re: Nat through site to site vpn in General Topics

Nat through site to site vpn

JonWilliams — Wed, 12 Jun 2019 10:26:35 GMT

Hi,

I am trying to setup a nat through a site to site vpn.

we have a weird setup where our internal source is a public ip /32 talking to a dest public ip /32. When i do a no nat rule it works ok. Issue being that our internal ip is a public ip address in italy so they cannot route to it.

i then nat our internal to a spare public ip off our cp range and the tunnel breaks.

no nat rule is

source ip - dest ip - source nat to public spare ip

dest ip - source ip (Public) - denat dest to real ip

My encruption domain is source (real and public) des(dest public)

Any help, greatly received,, thanks

Re: Nat through site to site vpn

JonWilliams — Wed, 12 Jun 2019 14:30:23 GMT

One other quick question. When setting up the encryption domain and using NAT, does the real ip and NAT ip have to to be in the source on the enc domain if traffic is initiating from our side ?

Rgds,

Re: Nat through site to site vpn

PhoneBoy — Sun, 16 Jun 2019 00:38:30 GMT

You've just described why you shouldn't use public IPs in your internal network unless you own them. 😁
To see what the actual issue is, you probably need to do some debugging.
Start here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk34467

The local encryption domain should contain anything that might initiate a connection, which I believe includes NAT addresses.
The remote definition for your encryption domain should only include IPs it will see.

Re: Nat through site to site vpn

Nüüül — Sun, 16 Jun 2019 16:28:09 GMT

on both ends the devices only need the (NAT) Adresses, that have to be talked about in IPSEC VPN. The real IPs might be needed on the gateways for Access Lists.

So, when you change the NAT IP, the traffic is not matching the encryption domain anymore and is either routed somewhere else or lost/discarded.

as Phoneboy said. I´d avoid using public IPs, as long they are not reserved for this and i or the customer owns them. But normally that should work..

You will need some further troubleshooting/debugging, i guess. use this to get started: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=skI4326

and than have a look at the logs and .elg files

Re: Nat through site to site vpn

JonWilliams — Mon, 17 Jun 2019 07:08:31 GMT

Hi,

In this case we have to target a public ip on their side. My address is local (172) and then we nat to a spare range on our public ip range. My point is that on their asa the cryptomap acl takes care of the acl but on Checkpoint where do i put the access rule to allow my private ip to talk to there public ip. If it is not in our access list entry on our enc domain, wont it take that rule over the enc acl and not use that ? My Checkpoint exp is limited, sorry. Does it not matter where i put the private ip to their dest acl entry ? When i add a the real ip on the acl to allow my source to talk to their public ip, it uses that rule and does not use the enc domain rule where the nat source is.

Rgds,

Re: Nat through site to site vpn

PhoneBoy — Mon, 17 Jun 2019 18:06:17 GMT

The encryption domain definition for the remote site would have to include any IP you are initiating a connection to.
In this case, it would need to include the public address(es).
This is defined on the gateway object for the remote site.

Re: Nat through site to site vpn

JonWilliams — Tue, 18 Jun 2019 07:16:01 GMT

Thanks, im guessing the enc domain would also have to include our internal source ip as well ?

Re: Nat through site to site vpn

JonWilliams — Wed, 19 Jun 2019 15:32:11 GMT

hi PhoneBoy,

Can you confirm the answer to my last question please.

Rgds,

Re: Nat through site to site vpn

PhoneBoy — Wed, 19 Jun 2019 16:27:32 GMT

Yes it would.