topic Re: NAT through VPN in General Topics

NAT through VPN

JonWilliams — Thu, 13 Jun 2019 11:23:06 GMT

Hi, i am trying to setup a vpn to a asa and we are natting on our side.

On their enc domain (crypto acl) they only have our nat address as their destination.

Am i right in thinking that on our side i have to have the real and nat adress as the source on our side (Enc domain) ? If i only have the nat address, i have to add a normal acl to allow the real address through to talk to the destination and it will always use that rather than the enc domain rule ?

Sorry, my Checkpoint exp is limited. Any help gratefully received.

Re: NAT through VPN

PhoneBoy — Sat, 15 Jun 2019 04:49:36 GMT

It would help if you could describe the actual encryption domains with IPs.
They don't have to be the real IPs but it would help to see how the IPs relate to each other.

Re: NAT through VPN

JonWilliams — Mon, 17 Jun 2019 07:06:28 GMT

Hi,

In this case we have to target a public ip on their side. My address is local (172) and then we nat to a spare range on our public ip range. My point is that on their asa the cryptomap acl takes care of the acl but on Checkpoint where do i put the access rule to allow my private ip to talk to there public ip. If it is not in our access list entry on our enc domain, wont it take that rule over the enc acl and not use that ? My Checkpoint exp is limited, sorry. Does it not matter where i put the private ip to their dest acl entry ?

Rgds,

Re: NAT through VPN

JonWilliams — Mon, 17 Jun 2019 07:09:17 GMT

When i add a the real ip on the acl to allow my source to talk to their public ip, it uses that rule and does not use the enc domain rule where the nat source is.

Rgds,

Re: NAT through VPN

JonWilliams — Mon, 17 Jun 2019 08:46:42 GMT

my enc domain rule is

source 87.x.x.x /255 talking to a public ip (third party) host /32

Nat rule is bi directional nat

outbound - 172.x.x..x/32 - public ip nat source original - dest nat to 87.x.x.x.x/32

inbound - public ip (third party) dest 87.x.x.x/32 dest - denat to 172.x.x.x./32

Natting works ok

my issue is that as our enc domain acl does not contain the real ip i have to add a acl to he gateway which is

source - 172.x.x.x/32 to public ip (third party) host /32

So when i initiate the traffic from my sourc ip, it uses the acl rule and not the rule on the enc domain

We have to target a public ip on their side.

Rgds,