This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Thomas_B
Participant
‎2018-11-13 06:22 AM

NAT thru VPN IPsec

Hi all,

I come back with my NAT story...

I have a problem.

Please watch the diagram attached.

My site (green) is connected to my customer (violet) thru a VPN IPsec.

My Encryption Domain is my public range (1.1.1.0/28) and the remote Encryption Domain is 9.9.9.0/24.

My Peer is 1.1.1.1 and the remote peer is 20.20.20.20.

VPN are mounted between a CheckPoint and an ASA Cisco 5555.

The CheckPoint is carrying the virtual IP (1.1.1.4) for the NAT of SRV001 with an ARP Proxy.

My customer thru the VPN has to communicate with SRV001 via the NATed IP 1.1.1.4.

Then the check has to NAT it to 192.168.1.100.

On the other sense, SRV001 has to communicate with SRV_CUSTOMERS (9.9.9.8, 9.9.9.9)

When SRV001 initiate the communication, the CheckPoint has to NAT is IP from 192.168.1.100 to 1.1.1.4 and then to send it thru the VPN.

On the other case SRV001 no need to be NATed for corporate communication.

Right now, my VPN Tunnel is UP.

When I am pinging the 9.9.9.8 or 9.9.9.9 with the CheckPoint it's working going thru the VPN Tunnel.

When I am pinging the 9.9.9.8 or 9.9.9.9 from SRV001, I saw with TCPDUMP that the firwall on the customer interface make the NAT and replace the 192.168.1.100 with the 1.1.1.4 but the trafic is not going thru the VPN.

How to force to send the NATed packet thru the VPN?

Support NAT-Traversal is enabled.

I saw the option in the VPN Communities the option "Disable NAT inside the VPN communitie", what is it doing?

2 Replies
Danny
Champion Champion
Champion
‎2018-11-13 06:36 AM

Thomas wrote "I saw the option in the VPN Communities the option "Disable NAT inside the VPN communitie", what is it doing?"

Star Community Properties > Advanced VPN Properties

Disable NAT inside the VPN community

Even if NAT is configured it is possible to disable NAT inside the VPN community. If NAT is disabled, when a host behind a community member opens a connection with another host behind a community member, the original IP addresses are used. Other connections use the translated address.

Note: This option for disabling NAT applies to hide NAT only, not static NAT.

Enrique
Explorer
‎2019-10-21 04:35 AM

I'm not sure about this, but I would try to modify your local encryption domain to match your local network (192.168.1.0/24). Or at least add the original SRV001 IP address (192.168.1.100) to the encryption domain.

BR,

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events