cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

Site to Site VPN configuration suggestion

Jump to solution

Hello everybody,

We have a customer with topology like this:

scheme.png

They have established VPN tunnels between Cisco ASA (will be replaced with FirePower as on image above) and remote peers (different devices). Current configuration is such that ASA has all private IP addresses and NAT to public IP address used for VPN peering is being done on CheckPoint GW.

They reported few issues after upgrade from version 77.30 to version 80.10. Also, I have read that it's not best design decision to have NAT configured like this in a S2S VPN configuration.

What are your thoughts on this? Do you have any suggestions on how it should be done "properly"?

Thank you all in advanced,

Ivan

 

0 Kudos
1 Solution

Accepted Solutions

Re: Site to Site VPN configuration suggestion

Jump to solution

As long as the static NAT address for the Cisco implemented by the Check Point is a unique routable address (i.e. not the firewall's external NIC address with attempted port forwarding for ESP/50 & IKE/500) it should work fine.

However due to intervening NAT between the Cisco and the Remote Peer, NAT Traversal (NAT-T) will be active on UDP port 4500.  NAT-T is essentially a double encapsulation to keep the intervening NAT operation from violating the ESP packet's digital signature.  This increases overall packet size thus reducing the amount of tunneled data that can be carried per packet, and causes some additional processing overhead as well.  Intervening NAT should be detected by the peers during IKE Phase 1 (packets 3 & 4) and NAT-T should start automatically, just make sure both sides have support for NAT-T enabled.

This kind of setup can also cause issues if the Cisco tries to use its externally-facing IP address as the IKE Peer ID, which then does not match the actual source IP addresses appearing on its IKE packets due to the NAT.  This can easily be rectified by adjusting the IKE peer settings.

What I would suggest is giving the Cisco its own interface on the Internet "dirty segment" with its own directly-assigned Internet-routable IP address.  The backend interface would then be attached as a DMZ on the Check Point.  This setup avoids the two issues listed above, and as an added bonus the Check Point can inspect traffic in the clear before it is encrypted and after it is decrypted by the Cisco.  There would of course be a performance impact on the Check Point but you would gain some valuable traffic visibility.

Ideally you could just put the Cisco "side by side" with the Check Point with its own direct Internet-routable interface and the inside interface directly on the inside, but you will have to watch out for asymmetric routing conditions on traffic trying to head to the Internet and/or VPN tunnel.  Some NAT or Policy-Based Routing may be needed to avoid this.

 

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

View solution in original post

7 Replies
Admin
Admin

Re: Site to Site VPN configuration suggestion

Jump to solution
What kind of NAT is being done on the Check Point for the VPN gateway, static or NAT?
What specific configuration on the Firepower has been done to account for the NAT?
0 Kudos

Re: Site to Site VPN configuration suggestion

Jump to solution

There is static NAT on CheckPoint, and identity NAT on ASA (current device in network - will be replaced with FirePower).

0 Kudos
Admin
Admin

Re: Site to Site VPN configuration suggestion

Jump to solution
What logs do you see on the Check Point related to the IPSEC tunnel?
0 Kudos

Re: Site to Site VPN configuration suggestion

Jump to solution

I can post you those later, but could you give me your opinion regarding VPN design - specifically, VPN peer behind NAT CheckPoint? Pros and cons.

0 Kudos

Re: Site to Site VPN configuration suggestion

Jump to solution

Any comments?

0 Kudos

Re: Site to Site VPN configuration suggestion

Jump to solution

As long as the static NAT address for the Cisco implemented by the Check Point is a unique routable address (i.e. not the firewall's external NIC address with attempted port forwarding for ESP/50 & IKE/500) it should work fine.

However due to intervening NAT between the Cisco and the Remote Peer, NAT Traversal (NAT-T) will be active on UDP port 4500.  NAT-T is essentially a double encapsulation to keep the intervening NAT operation from violating the ESP packet's digital signature.  This increases overall packet size thus reducing the amount of tunneled data that can be carried per packet, and causes some additional processing overhead as well.  Intervening NAT should be detected by the peers during IKE Phase 1 (packets 3 & 4) and NAT-T should start automatically, just make sure both sides have support for NAT-T enabled.

This kind of setup can also cause issues if the Cisco tries to use its externally-facing IP address as the IKE Peer ID, which then does not match the actual source IP addresses appearing on its IKE packets due to the NAT.  This can easily be rectified by adjusting the IKE peer settings.

What I would suggest is giving the Cisco its own interface on the Internet "dirty segment" with its own directly-assigned Internet-routable IP address.  The backend interface would then be attached as a DMZ on the Check Point.  This setup avoids the two issues listed above, and as an added bonus the Check Point can inspect traffic in the clear before it is encrypted and after it is decrypted by the Cisco.  There would of course be a performance impact on the Check Point but you would gain some valuable traffic visibility.

Ideally you could just put the Cisco "side by side" with the Check Point with its own direct Internet-routable interface and the inside interface directly on the inside, but you will have to watch out for asymmetric routing conditions on traffic trying to head to the Internet and/or VPN tunnel.  Some NAT or Policy-Based Routing may be needed to avoid this.

 

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

View solution in original post

Re: Site to Site VPN configuration suggestion

Jump to solution

Timothy, thank you very much. I appreciate this.

0 Kudos