NAT through site-to-site VPN
Hi,
I am trying to set up a NAT through a site-to-site VPN.
We have a weird setup where our internal source is a public IP /32 talking to a destination public IP /32. When I do a no-NAT rule it works OK. The issue is that our internal IP is a public IP address in Italy, so they cannot route to it.
I then NAT our internal to a spare public IP off our CP range and the tunnel breaks.
The NAT rule is:
source IP - dest IP - source NAT to public spare IP
dest IP - source IP (public) - de-NAT dest to real IP
My encryption domain is source (real and public), dest (dest public).
Any help greatly received, thanks
One other quick question. When setting up the encryption domain and using NAT, do the real IP and the NAT IP both have to be in the source on the enc domain if traffic is initiating from our side?
Rgds,
To see what the actual issue is, you probably need to do some debugging.
Start here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
The local encryption domain should contain anything that might initiate a connection, which I believe includes NAT addresses.
The remote definition for your encryption domain should only include IPs it will see.
Hi,
On both ends the devices only need the (NAT) addresses that have to be talked about in the IPsec VPN. The real IPs might be needed on the gateways for access lists.
So, when you change the NAT IP, the traffic is not matching the encryption domain anymore and is either routed somewhere else or lost/discarded.
As Phoneboy said, I'd avoid using public IPs, as long as they are not reserved for this and I or the customer own them. But normally that should work.
You will need some further troubleshooting/debugging, I guess. Use this to get started: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
and then have a look at the logs and .elg files.
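To make the point in the two replies above concrete (the post-NAT source must be inside the local encryption domain, or the packet is no longer selected for the tunnel), here is a small added model written for this thread; it is not Check Point code and it assumes a simplified ordering in which NAT is applied first and the encryption-domain match is evaluated on the translated packet. All addresses are constructed from the RFC 5737 documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ip = ipaddress.ip_address
net = ipaddress.ip_network

# Constructed sample addresses (documentation ranges, not real hosts).
INTERNAL_REAL = ip("172.16.10.5")    # our real (private) internal host
SPARE_PUBLIC = ip("203.0.113.10")    # spare address from our public range
REMOTE_PUBLIC = ip("198.51.100.20")  # the peer's public host in Italy


@dataclass
class NatRule:
    orig_src: ipaddress.IPv4Network
    orig_dst: ipaddress.IPv4Network
    xlate_src: Optional[ipaddress.IPv4Address]  # None means "no NAT"


def apply_nat(src, dst, rules):
    """First matching NAT rule wins; returns the post-NAT (src, dst)."""
    for r in rules:
        if src in r.orig_src and dst in r.orig_dst:
            return (r.xlate_src if r.xlate_src is not None else src), dst
    return src, dst


def in_domain(addr, domain):
    return any(addr in n for n in domain)


def tunnel_selected(src, dst, rules, local_domain, remote_domain):
    """Assumed model: NAT first, then domain match on the translated packet."""
    nat_src, nat_dst = apply_nat(src, dst, rules)
    return in_domain(nat_src, local_domain) and in_domain(nat_dst, remote_domain)


# The thread's rule: source NAT our real host to the spare public IP.
NAT_TO_SPARE = [NatRule(net(f"{INTERNAL_REAL}/32"), net(f"{REMOTE_PUBLIC}/32"), SPARE_PUBLIC)]
REMOTE_DOMAIN = [net(f"{REMOTE_PUBLIC}/32")]


def domain_without_nat_ip():
    """Local domain lists only the real host: the NATed source falls outside it."""
    return tunnel_selected(INTERNAL_REAL, REMOTE_PUBLIC, NAT_TO_SPARE,
                           [net(f"{INTERNAL_REAL}/32")], REMOTE_DOMAIN)


def domain_with_nat_ip():
    """Local domain also lists the spare public IP: the tunnel is selected."""
    return tunnel_selected(INTERNAL_REAL, REMOTE_PUBLIC, NAT_TO_SPARE,
                           [net(f"{INTERNAL_REAL}/32"), net(f"{SPARE_PUBLIC}/32")], REMOTE_DOMAIN)
```

Running both functions reproduces the "works with no-NAT, breaks once NAT is added" symptom and shows why adding the NAT address to the local domain fixes it.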
Hi,
In this case we have to target a public IP on their side. My address is local (172) and then we NAT to a spare range on our public IP range. My point is that on their ASA the crypto map ACL takes care of the ACL, but on Check Point where do I put the access rule to allow my private IP to talk to their public IP? If it is not in our access list entry on our enc domain, won't it take that rule over the enc ACL and not use that? My Check Point experience is limited, sorry. Does it not matter where I put the private IP to their dest ACL entry? When I add the real IP on the ACL to allow my source to talk to their public IP, it uses that rule and does not use the enc domain rule where the NAT source is.
Rgds,
In this case, it would need to include the public address(es).
This is defined on the gateway object for the remote site.
Thanks, I'm guessing the enc domain would also have to include our internal source IP as well?
Hi PhoneBoy,
Can you confirm the answer to my last question, please?
Rgds,