This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Teddy_Brewski
Collaborator
‎2018-10-24 04:50 AM

VPN and three sites

Hello

Three sites (1, 2, 3) all running R77.30.

Site2 acts a VPN hub, with both Site1 and Site3 having tunnels (to center only) established to Site2.

Encryption domains:

Site1: 1.1.1.1
Site2: 2.2.2.2
Site3: 3.3.3.3

We're trying to access Site3 from Site1 with the NAT rule on Site2:

Original Source: 1.1.1.1
Original Destination: 2.2.2.2
Translated Source: 2.2.2.2 (Hide)
Translation Destination: 3.3.3.3 (Hide)

Is this the right way to do it?

The NAT rule works. We see traffic encrypted from 1.1.1.1 to 2.2.2.2, but from 2.2.2.2 to 3.3.3.3, according to the tracker, it's sent in a clear text (just says Accept), although the rule number is correct and it's set to encrypt anything from 2.2.2.2 to 3.3.3.3 using Site2-to-Site3 VPN community.

Thank you.

3 Replies
Maarten_Sjouw
Champion
Champion
‎2018-10-24 08:23 AM

Why would you do Natting?

First of all, what type of VPN community did you use, when you use a single Star topology just set the tunnel routing to route through center to other satellites.

Problem you run into is that the Gateway is handling the traffic as it sources from 1.1.1.1 to 3.3.3.3 as NATting takes place after the tunneling is handled, the traffic will only be tunneled when you enable the route through center.

Regards, Maarten
Teddy_Brewski
Collaborator
‎2018-10-24 09:01 AM
In response to Maarten_Sjouw

Many thanks Maarten Sjouw‌.

I was confused about NATting order. So "route through center to other satellites" should be set on Site2 for both Site1 and Site2 communities, right?

And when it comes to the fw rule on Site2, what VPN Match Condition should be used? Any connections, or Only connections encrypted in specific VPN Communities with Site1 and Site2 communities selected?

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2018-10-24 11:14 AM
In response to Teddy_Brewski

You only create 1 star community and add site2 as the center and site1 and 3 as spokes, however, if you want all sites to be able to talk to each other directly you create a Mesh community and add all 3 sites to it.

I really don't use the VPN column in the rulebase. Are there specific reasons that site 1 cannot talk to site3 directly without natting? If not, don't. 

The whole VPN setup with Check Point is really simple, any site added to a community will allow traffic between those sites, based on the rulebases. When you do need to NAT between site 1 and site 3 better do it on the site 1 FW directly and don't send traffic through 2 tunnels when you can send it through 1.

Regards, Maarten

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events