NAT through VPN

Hi, I am trying to set up a VPN to an ASA and we are NATting on our side.

On their enc domain (crypto ACL) they only have our NAT address as their destination.

Am I right in thinking that on our side I have to have the real and NAT address as the source (enc domain)? If I only have the NAT address, I have to add a normal ACL to allow the real address through to talk to the destination, and it will always use that rather than the enc domain rule?

Sorry, my Check Point experience is limited. Any help gratefully received.

4 Replies
Admin

Re: NAT through VPN

It would help if you could describe the actual encryption domains with IPs.
They don't have to be the real IPs but it would help to see how the IPs relate to each other.

Re: NAT through VPN

When I add the real IP on the ACL to allow my source to talk to their public IP, it uses that rule and does not use the enc domain rule where the NAT source is.

Rgds,


Re: NAT through VPN

My enc domain rule is:

source 87.x.x.x /255 talking to a public IP (third party) host /32

NAT rule is bidirectional NAT:

outbound - 172.x.x.x/32 - public IP; NAT source original, dest NAT to 87.x.x.x/32

inbound - public IP (third party), dest 87.x.x.x/32; dest de-NAT to 172.x.x.x/32

NATting works OK.


My issue is that, as our enc domain ACL does not contain the real IP, I have to add an ACL to the gateway, which is:

source - 172.x.x.x/32 to public IP (third party) host /32

So when I initiate the traffic from my source IP, it uses the ACL rule and not the rule on the enc domain.

We have to target a public IP on their side.

 

Rgds,

Re: NAT through VPN

Hi,

In this case we have to target a public IP on their side. My address is local (172) and then we NAT to a spare range in our public IP range. My point is that on their ASA the crypto map ACL takes care of the ACL, but on Check Point where do I put the access rule to allow my private IP to talk to their public IP? If it is not in our access list entry on our enc domain, won't it take that rule over the enc ACL and not use that? My Check Point experience is limited, sorry. Does it not matter where I put the private IP to their dest ACL entry?

 

Rgds,