CP1570 VPN S2S to Palo Alto - NAT translation

luk89as — Wed, 06 Dec 2023 16:45:57 GMT

Hello,

I have an S2S CP1570 and a Palo Alto connected via VPN.

The server behind Palo Alto is assigned the IP 172.28.148.1

The server (IP 172.28.148.1) behind Palo Alto will only respond to a PING query as traffic from the CP1570 side will come from the 172.29.148.0/24 network passing through the VPN tunnel.

How do I do a 1:1 NAT translation so that when I send a PING from the 192.168.88.0/24 network it will be sent through the VPN tunnel as an IP from the 172.29.148.0/24 network.

If this is not possible I will have to assign a static address from the 172.29.148.0/24 network to the computer's network card

I am attaching an image with a block diagram.

CP1570 Firmware R81.10.08 (996001683)

Re: CP1570 VPN S2S to Palo Alto - NAT translation

JoSec — Wed, 06 Dec 2023 19:49:59 GMT

I am not familiar with the model CP1570, but normally if using a domain/policy based VPN, you need to add the host/networks/ranges, etc.,. that you would want to participate in the VPN to the VPN domain object on the Checkpoint side and have the corresponding rule. No need to NAT unless there is a requirement to do so such as communicating to a public IP over a VPN or a conflict for overlapping IP Network. Also on the Palo side you will have to allow 192.168.88.0/24 or a single IP/32 if that is all you need from that subnet, inbound and make any of other Palo config changes to allow the traffic. Now if you need to NAT for some other reason, you can NAT but will still have the network of individual IP from192.168.88.0/24 in the rule and the VPN domain object on the Checkpoint side.

topic CP1570 VPN S2S to Palo Alto - NAT translation in Spark Firewall (SMB)

CP1570 VPN S2S to Palo Alto - NAT translation

Re: CP1570 VPN S2S to Palo Alto - NAT translation