SriNarasimha005
Collaborator
Cisco Router NAT translations

Hi There,

We are in the process of replacing the Cisco router (R2) with a Check Point firewall and have attached the topology.

Since SmartMove supports only ASA/FTD, I'd like to understand the VPN domain/NAT and need some help please😊

Below are the NAT translations on R2.

! inside-local 10.219.24.3 is seen on the outside as inside-global 192.168.85.25
R2(config)# ip nat inside source static 10.219.24.3 192.168.85.25
! outside-global 192.168.88.4 is seen by inside hosts as outside-local 10.14.11.6
R2(config)# ip nat outside source static 192.168.88.4 10.14.11.6
!
R2(config)# ip route 10.14.11.6 255.255.255.255 192.168.1.1
!
R2(config)# ip access-list extended VPN_ACL
R2(config-ext-nacl)# permit ip host 192.168.85.25 host 192.168.88.4

1. How should I configure the equivalent NAT in checkpoint?

Static NAT:

Each rule for Source

Original Source: 10.219.24.3
Original Destination: Any
Original Services: Any
Translated Source: 192.168.85.25
Translated Destination: original
Translated Services: original

!!

Each rule for Destination

Original Source: Any
Original Destination: 192.168.88.4
Original Services: Any
Translated Source: original
Translated Destination: 10.14.11.6
Translated Services: original

OR

Manual NAT:

Original Source: 10.219.24.3
Original Destination: 192.168.88.4 
Original Services: Any
Translated Source: 192.168.85.25
Translated Destination: 10.14.11.6
Translated Services: original

2. I believe the below one should be the encryption domain in CP. Is that correct?

Local Encryption Domain: 192.168.85.25/32
Remote Encryption Domain: 192.168.88.4/32

Accepted Solution
the_rock
MVP Diamond

1) You just create manual nat rule in nat policy -> exactly how you described it

2) yes, you add natted IPs as well, because technically, it would be part of vpn domain. I dont see an issue with mismatch, since those would be part of the vpn tunnel as well.

Best,
Andy

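To make the mapping confirmed in the accepted solution concrete, here is an added example (written for this edit, not code from the thread, Check Point or Cisco). It parses the R2 statements quoted in the question, expands each IOS static NAT into the Check Point manual rules it implies for both initiating directions (the two rules the thread settles on are the inside-initiated pair), derives the local and remote encryption domains from the post-NAT addresses, and checks the crypto ACL host pairs against those domains, which is the Phase 2 proxy-ID mismatch concern raised in the thread. The `mgmt_cli add host` / `add nat-rule` command shape and the `H-<ip>` object names are assumptions about the Management API; the IOS text is embedded as constructed sample input.

```python
"""Map Cisco IOS static NAT + crypto ACL onto Check Point manual NAT rules and VPN domains.

Added example for this thread (not code from Check Point, Cisco or the poster).
The mgmt_cli command shape and the "H-<ip>" object names are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample input: the R2 statements quoted in the question.
CISCO_CONFIG = """\
ip nat inside source static 10.219.24.3 192.168.85.25
ip nat outside source static 192.168.88.4 10.14.11.6
ip route 10.14.11.6 255.255.255.255 192.168.1.1
ip access-list extended VPN_ACL
 permit ip host 192.168.85.25 host 192.168.88.4
"""

NAT_RE = re.compile(r"^ip nat (inside|outside) source static (\S+) (\S+)$")
ACL_RE = re.compile(r"^\s*permit ip host (\S+) host (\S+)$")


@dataclass(frozen=True)
class NatRule:
    """One Check Point manual NAT rule (method static); 'Any'/'Original' leave a field untouched."""
    name: str
    orig_src: str
    orig_dst: str
    xlate_src: str
    xlate_dst: str


def parse_cisco(text):
    """Return ([(side, first_ip, second_ip)], [(acl_src, acl_dst)]) from IOS config text.

    IOS argument order differs per side:
      ip nat inside  source static <inside-local>   <inside-global>
      ip nat outside source static <outside-global> <outside-local>
    """
    nats, acl = [], []
    for line in text.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            nats.append(m.groups())
            continue
        m = ACL_RE.match(line)
        if m:
            acl.append(m.groups())
    return nats, acl


def to_checkpoint(nats):
    """Expand each IOS static NAT into Check Point manual rules.

    A manual rule matches the packet that opens a connection (replies are reverse-
    translated automatically), so a bidirectional static mapping needs one rule per
    initiating direction. If only inside hosts initiate, the rules named
    'src-nat <inside-local>' and 'dst-nat <outside-local>' are the two that matter.
    """
    rules = []
    for side, a, b in nats:
        if side == "inside":
            local, glob = a, b
            rules.append(NatRule(f"src-nat {local}", local, "Any", glob, "Original"))
            rules.append(NatRule(f"dst-nat {glob}", "Any", glob, "Original", local))
        else:
            glob, local = a, b
            # Inside hosts address the outside-local IP; rewrite it to the real peer.
            rules.append(NatRule(f"dst-nat {local}", "Any", local, "Original", glob))
            rules.append(NatRule(f"src-nat {glob}", glob, "Any", local, "Original"))
    return rules


def vpn_domains(nats, acl):
    """Derive encryption domains and check the crypto ACL host pairs against them.

    NAT is applied before encryption, so the local domain holds the post-NAT
    (inside-global) address and the remote domain the real peer (outside-global)
    address. Any ACL pair not covered is a Phase 2 proxy-ID mismatch.
    """
    local = {b for side, a, b in nats if side == "inside"}
    remote = {a for side, a, b in nats if side == "outside"}
    mismatches = [(s, d) for s, d in acl if s not in local or d not in remote]
    return local, remote, mismatches


def mgmt_cli_commands(rules, package="Standard"):
    """Render host objects and NAT rules as mgmt_cli lines (assumed API shape).

    Fields left at 'Any' / 'Original' are omitted so the API defaults apply.
    """
    ips = sorted({v for r in rules for v in (r.orig_src, r.orig_dst, r.xlate_src, r.xlate_dst)
                  if v not in ("Any", "Original")})
    cmds = [f'mgmt_cli add host name "H-{ip}" ip-address "{ip}"' for ip in ips]
    for r in rules:
        parts = [f'mgmt_cli add nat-rule package "{package}" position bottom',
                 f'name "{r.name}" method static']
        for field, val in (("original-source", r.orig_src), ("original-destination", r.orig_dst),
                           ("translated-source", r.xlate_src), ("translated-destination", r.xlate_dst)):
            if val not in ("Any", "Original"):
                parts.append(f'{field} "H-{val}"')
        cmds.append(" ".join(parts))
    return cmds


if __name__ == "__main__":
    nats, acl = parse_cisco(CISCO_CONFIG)
    local, remote, bad = vpn_domains(nats, acl)
    print("Local encryption domain :", sorted(local))
    print("Remote encryption domain:", sorted(remote))
    print("Crypto ACL mismatches   :", bad or "none")
    print("\n".join(mgmt_cli_commands(to_checkpoint(nats))))
```

Running it prints the domains (192.168.85.25/32 local, 192.168.88.4/32 remote, no mismatch) and the mgmt_cli lines; review them before pasting into a management session, and add the Access Control rules separately, since NAT rules alone do not permit the traffic.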
12 Replies
the_rock
MVP Diamond

That's what it would appear to be, yes. If NATing is involved, those IPs would also need to be in the VPN domain as well.

Best,
Andy
SriNarasimha005
Collaborator

Hi @the_rock 

Thanks for your reply.

1. Can you please confirm how the NAT statements should be configured? Should it be a Static NAT for each and every statement, or can they be combined into a Manual NAT?

2. I believe the pre-NAT IP should be in the VPN domain. If I add the NAT IPs to the VPN domain as well, will it cause Phase 2 to drop due to a mismatch in the "interesting traffic" ACL between the Cisco router and CP?

the_rock
MVP Diamond

I assume this is a domain-based tunnel?

Best,
Andy
SriNarasimha005
Collaborator

Hi @the_rock 

Yes, this is a domain-based tunnel, as the peer device (Cisco router) uses an ACL under the crypto map.

I'd like to get this clarified on the NAT again 😊

The below statements are configured on the R2 router. Since these are interface-based on Cisco routers, can you please let me know whether the Manual NAT should be configured uni-directionally, or whether it needs to be combined into a single NAT statement?

R2(config)# ip nat inside source static 10.219.24.3 192.168.85.25

R2(config)# ip nat outside source static 192.168.88.4 10.14.11.6

the_rock
MVP Diamond

Just create 2 separate nat rules.

Best,
Andy
Vincent_Bacher
MVP Silver

On the Check Point side you need two NAT rules (one Source NAT, one Destination NAT) plus the corresponding Access Control (firewall) rules to allow the traffic.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
SriNarasimha005
Collaborator

Hi @Vincent_Bacher and @the_rock 

Thanks for your reply. Final one.

For the NATed IP, there is a route configured on the Cisco router towards the next hop, i.e. R1. It automatically generates a host route for the translated address in the routing table, ensuring correct return routing from the inside network.

Since CP doesn't route back based on the source NAT IP, I believe this can be ignored. Is my understanding correct?

R2(config)# ip route 10.14.11.6 255.255.255.255 <R1 Next-Hop>

the_rock
MVP Diamond

Thats right.

Best,
Andy
the_rock
MVP Diamond

@SriNarasimha005 

Ping me if you need remote, happy to go over things.

Best,
Andy
SriNarasimha005
Collaborator

Sure, will do. Thanks a lot mate😊🙏

the_rock
MVP Diamond

I'm always happy to try and help, no issue. I wish I were Superman and could fix anything and everything, but that's not possible lol

Best,
Andy