This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
JonWilliams
Explorer
‎2019-06-12 03:26 AM

Nat through site to site vpn

Hi,

 

I am trying to setup a nat through a site to site vpn.

 

we have a weird setup where our internal source is a public ip /32 talking to a dest public ip /32. When i do a no nat rule it works ok. Issue being that our internal ip is a public ip address in italy so they cannot route to it.

i then nat our internal to a spare public ip off our cp range and the tunnel breaks.

 

no nat rule is

source ip  -  dest ip  - source nat to public spare ip

dest ip - source ip (Public)  - denat dest to real ip

My encruption domain is source (real and public) des(dest public)

 

Any help, greatly received,, thanks

 

 

0 Kudos
8 Replies
JonWilliams
Explorer
‎2019-06-12 07:30 AM

One other quick question. When setting up the encryption domain and using NAT, does the real ip and NAT ip have to to be in the source on the enc domain if traffic is initiating from our side ?

 

Rgds,

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2019-06-15 05:38 PM

You've just described why you shouldn't use public IPs in your internal network unless you own them. 😁
To see what the actual issue is, you probably need to do some debugging.
Start here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

The local encryption domain should contain anything that might initiate a connection, which I believe includes NAT addresses.
The remote definition for your encryption domain should only include IPs it will see.
0 Kudos
Nüüül
Advisor
Advisor
‎2019-06-16 09:28 AM

Hi

 

on both ends the devices only need the (NAT) Adresses, that have to be talked about in IPSEC VPN. The real IPs might be needed on the gateways for Access Lists.

So, when you change the NAT IP, the traffic is not matching the encryption domain anymore and is either routed somewhere else or lost/discarded.

 

as Phoneboy said. I´d avoid using public IPs, as long they are not reserved for this and i or the customer owns them. But normally that should work..

You will need some further troubleshooting/debugging, i guess. use this to get started: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

and than have a look at the logs and .elg files

 

 

 

0 Kudos
JonWilliams
Explorer
‎2019-06-17 12:08 AM
In response to Nüüül

Hi,

 

In this case we have to target a public ip on their side. My address is local (172) and then we nat to a spare range on our public ip range. My point is that on their asa the cryptomap acl takes care of the acl but on Checkpoint where do i put the access rule to allow my private ip to talk to there public ip. If it is not in our access list entry  on our enc domain, wont it take that rule over the enc acl and not use that ? My Checkpoint exp is limited, sorry. Does it not matter where i put the private ip to their dest acl entry ?  When i add a the real ip on the acl to allow my source to talk to their public ip, it uses that rule and does not use the enc domain rule where the nat source is.

 

Rgds,

0 Kudos
PhoneBoy
Admin
Admin
‎2019-06-17 11:06 AM
In response to JonWilliams

The encryption domain definition for the remote site would have to include any IP you are initiating a connection to.
In this case, it would need to include the public address(es).
This is defined on the gateway object for the remote site.
0 Kudos
JonWilliams
Explorer
‎2019-06-18 12:16 AM
In response to PhoneBoy

Thanks, im guessing the enc domain would also have to include our internal source ip as well ?

0 Kudos
JonWilliams
Explorer
‎2019-06-19 08:32 AM
In response to JonWilliams

hi PhoneBoy,

 

Can you confirm the answer to my last question please.

 

Rgds,

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2019-06-19 09:27 AM
In response to JonWilliams

Yes it would.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events