Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
SriNarasimha005
Contributor

Private to Private NAT on IPSEC VPN

Hi Experts,

 

 We're planning to build IPSEC Site to Site VPN with our clients. Our Internal subnets for VPN domain is 172.16.0.0/24. In order to hide our Internal LAN , we've been asked to NAT to another Private Subnet so this can be advertised as VPN domain. This looks like Private to Private NAT. I'm not sure about this.

 

  Could some one please advise me with NAT configuration Thanks in Advance.

10 Replies
Vladimir
Champion
Champion

Your NAT configuration should reflect the intended use:

I.e. will you be accessing peer's resources via this VPN? If so, you can use many to one (hide NAT). I would suggest to hide behind single host, but define same host's IP as another Network Object with /32 mask and use it in your Encryption domain. Some vendors are partial to the idea of establishing tunnels to hosts, instead of between subnet pairs.

Where "NAT_For_VPN_Host" IP is the same as the /32 network you'll include in your Encryption Domain.

If your peer's clients will be connecting to you, you'll have to actually create manual NAT rules for each of your internal resources, something like this:

With NATed_Server IP being in the range of the subnet you have included in your encryption domain and the Local_Server being actual IP of your resource.

Place these NAT rules on top of your NAT policy to avoid interference with other rules that may-be using same sources.

Cheers,

Vladimir

Gaurav_Pandya
Advisor

Adding to Vladimir, If the VPN communication is between 2 subnets and flow will be bidirectional then use any fake subnet and NAT with entire subnet. Like below.

172.16.0.0/24  NATed to 192.168.2.0/24 (This subnet is fake subnet, means not a part of your LAN and it should be part of encryption domain) 

Daniel_Bourne
Participant

Gaurav,

So if you create a network 192.168.2.0/24, add it to your encryption domain, you can then create a NAT rule using hide NAT?  Can you just elaborate on this a bit as I cannot see how this would work?  I need to configure a site to site VPN with a customer and we cannot use our existing private subnet as this is currently in use on the customer side.  We would preferr not to NAT behind a public IP either so this solution might be perfect.

Thanks,

Dan

0 Kudos
Gaurav_Pandya
Advisor

Hi Daniel,

You can use IP Pool NAT in which entire subnet will be NATed to different subnet. Please see below NAT rule. You can use subnet as a object or IP Ranges.Please note that here peer end has also have to do NAT and that NATed subnet need to put at destination. Again it depends peer end is giving public IP or private IPs for interesting traffic.

Daniel_Bourne
Participant

Guarav,

Excellent, thank you very much for your quick reply.  I will try this approach on a site to site VPN I am working on.

Thanks,

Dan

0 Kudos
Vladimir
Champion
Champion

Gaurav,

I do not think that you can use the subnet object for a source NAT (in column 4), only the IP Range or a single IP.

0 Kudos
Gaurav_Pandya
Advisor

Hi Vladimir,

I have used IP Ranges as source NAT but not used subnet object. when I tried to add object, subnet was also one option so I just mentioned. Good suggestion. 

Adiel_Ashrov
Employee Alumnus
Employee Alumnus

Hello Srinivasan,

I’m addressing the relevant people in order to provide an answer for your question.

Regards,

Adiel Ashrov

Software Engineer

Management Application

@Check Point

Technical_Team_
Explorer

Hi guys!

Any answer on this?

We're planning an IP range change (ex: 10.10.10.0/24 to 172.16.0.0/24) we have different services in that IP range and to make sure we don't have any issues, I'd lke to do a 1-to-1 NAT. Keeping the old IPs reachable, if we forget to migrate a service to the new IP range.

So service A (ex: AD DC) would answer on 10.10.10.2 and 172.16.0.2)

Am I correct in my assumptions?

Merci!

CL

0 Kudos
Gaurav_Pandya
Advisor

Hi,

When you give IP Ranges in NAT policy then it will automatically do 1to1 NATing. like 10.10.10.2 to 172.16.0.2.

My assumption is, at a time only one IP will give answer for specific service.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events