JonWilliams
Explorer

NAT through VPN

Hi, I am trying to set up a VPN to an ASA and we are NATing on our side.

On their encryption domain (crypto ACL) they only have our NAT address as the destination.

Am I right in thinking that on our side I have to have both the real and the NAT address as the source (encryption domain)? If I only have the NAT address, I have to add a normal ACL to allow the real address through to talk to the destination, and it will always use that rather than the encryption domain rule?

Sorry, my Check Point experience is limited. Any help gratefully received.

4 Replies
PhoneBoy
Admin

It would help if you could describe the actual encryption domains with IPs.
They don't have to be the real IPs, but it would help to see how the IPs relate to each other.
JonWilliams
Explorer

When I add the real IP in the ACL to allow my source to talk to their public IP, it uses that rule and does not use the encryption domain rule where the NAT source is.

Rgds,
JonWilliams
Explorer

My encryption domain rule is:

source 87.x.x.x /255 talking to a public IP (third party) host /32

The NAT rule is a bidirectional NAT:

outbound - 172.x.x.x/32 - public IP      NAT source original - destination NAT to 87.x.x.x/32

inbound - public IP (third party)  destination 87.x.x.x/32        destination - de-NAT to 172.x.x.x/32

NATing works OK.

My issue is that, as our encryption domain ACL does not contain the real IP, I have to add an ACL to the gateway which is:

source - 172.x.x.x/32 to public IP (third party) host /32

So when I initiate the traffic from my source IP, it uses the ACL rule and not the rule on the encryption domain.

We have to target a public IP on their side.

Rgds,
JonWilliams
Explorer

Hi,

In this case we have to target a public IP on their side. My address is local (172) and then we NAT to a spare range in our public IP range. My point is that on their ASA the crypto map ACL takes care of the ACL, but on Check Point where do I put the access rule to allow my private IP to talk to their public IP? If it is not in our access list entry on our encryption domain, won't it take that rule over the encryption domain ACL and not use that? My Check Point experience is limited, sorry. Does it not matter where I put the private IP to their destination ACL entry?

Rgds,