DFR_ (Ivory)

Site-Site Tunnel with NAT to a second Tunnel


Hello all,

I'm in no way an experienced admin of Check Point; this is a situation I was tasked with because no one else would take it.
I'm used to working with Palo and ASA devices, so I might be missing something here.

This is the basic layout:

[Image: Untitled.png (network layout diagram)]

Due to whatever policies, 10.13.1.x can't be connected directly to 1.1.1.1, so the solution was to create the tunnel between devices 1 and 2.

Device 1 is a Fortinet that I have no control over.
The tunnel between device 2 and 10.13.1.x already exists and is ok.

I have assigned 172.31.221.201 to an internal interface on device 2, which is a Check Point device, and created access and NAT rules that I can see applied in the logs when I telnet to one of the allowed ports from 10.13.1.11 to 172.31.201.82.

Phase 1 is ok, but the admin of device 1 says it sees device 2 trying to negotiate the 10.13.1.x subnet but not 172.31.221.x in phase 2. Is there any way I can force device 2 to negotiate only the wanted subnet?

Should I create a new gateway object for this new tunnel and set the topology to this address? On a Palo device I would create a new IKE gateway for each tunnel I want to establish. Is this the same logic on Check Point?

Thank you for any help you provide.

Admin

Re: Site-Site Tunnel with NAT to a second Tunnel

What is the encryption domain defined as on your Gateway?
It should include ALL the subnets that need to communicate with the remote peer.
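The reply above makes the point that Phase 2 traffic selectors are derived from the encryption domain, so a hide-NAT address the peer is expected to see must itself be inside that domain. The following is an added illustration, not code from the thread or from Check Point: a simplified, vendor-neutral model that applies a hide-NAT rule, derives the selector pair a gateway would propose, and audits the domain for translated addresses it does not cover. The NAT rule, the peer's 172.31.201.0/24 domain and the "as posted" domain are constructed from the question and are assumptions.

```python
# Added example: model Phase 2 selector derivation after hide NAT and audit the
# local encryption domain. Simplified model, not any vendor's actual logic.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class HideNat:
    original_src: IPv4Net                  # pre-NAT source subnet
    translated_src: ipaddress.IPv4Address  # address the remote peer will see


def apply_hide_nat(src: ipaddress.IPv4Address, rules: List[HideNat]) -> ipaddress.IPv4Address:
    """Return the source address after the first matching hide-NAT rule (or unchanged)."""
    for rule in rules:
        if src in rule.original_src:
            return rule.translated_src
    return src


def audit_encryption_domain(local_domain: List[IPv4Net], rules: List[HideNat]) -> List[str]:
    """List translated addresses that no subnet of the local encryption domain covers."""
    return [str(r.translated_src) for r in rules
            if not any(r.translated_src in net for net in local_domain)]


def phase2_selectors(src: str, dst: str, local_domain: List[IPv4Net],
                     remote_domain: List[IPv4Net], rules: List[HideNat]) -> Optional[Tuple[str, str]]:
    """Selector pair (local, remote) the gateway would propose for this flow, or None if uncovered."""
    post_nat = apply_hide_nat(ipaddress.ip_address(src), rules)
    local = next((n for n in local_domain if post_nat in n), None)
    remote = next((n for n in remote_domain if ipaddress.ip_address(dst) in n), None)
    if local is None or remote is None:
        return None
    return (str(local), str(remote))


# Constructed from the thread: 10.13.1.x hidden behind 172.31.221.201 towards 172.31.201.82.
NAT_RULES = [HideNat(IPv4Net("10.13.1.0/24"), ipaddress.IPv4Address("172.31.221.201"))]
REMOTE_DOMAIN = [IPv4Net("172.31.201.0/24")]        # assumption: the peer's /24
DOMAIN_AS_POSTED = [IPv4Net("10.13.1.0/24")]         # domain the peer reports being offered
DOMAIN_FIXED = DOMAIN_AS_POSTED + [IPv4Net("172.31.221.0/24")]

if __name__ == "__main__":
    print("uncovered NAT addresses:", audit_encryption_domain(DOMAIN_AS_POSTED, NAT_RULES))
    print("selectors after fix:", phase2_selectors("10.13.1.11", "172.31.201.82",
                                                   DOMAIN_FIXED, REMOTE_DOMAIN, NAT_RULES))
```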
DFR_ (Ivory), accepted solution

Re: Site-Site Tunnel with NAT to a second Tunnel


It wasn't solved, but thank you for the reply.

I had people with CheckPoint certs look at the config and nothing seemed wrong, but it wouldn't work as intended.

In the end, a few quirks like this one became deal breakers for the techs on the client team, so we replaced that demo device with something else they were more familiar with.
