This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Cesar_Caballero
Contributor
‎2018-07-19 07:50 AM

Replacing a Cisco 2811 router duty with a Check Point standalone HA

Hello to everyone,

I'm currently facing a scenario where we have two Check Point 4200s working in standalone HA and taking care of my internet connection and a simple VPN. Next to it, there is a Cisco 2811 router whose only duty is to keep an IPsec VPN established with another Cisco that we don't manage. I've been asked to migrate that IPsec VPN from the Cisco to the Check Point, and I don't know how to do that. Can anybody help me?

Network Topology

The IPsec VPN conditions are:

- The IPsec VPN must be established between the Check Point standalone in HA with a cluster IP 10.15.128.130/30 and a 3rd party appliance (Cisco) that we don't manage with an IP 10.15.128.2/30. So the Cluster IP address is going to be in a diferent subnet than it's members.

- Trafic within the IPsec VPN must be routed by NATing all IPs with a loopback with an IP 10.2.92.2 and another loopback with an IP 10.1.92.2.

- I've uploaded a modified config of the Cisco 2811 to protect privacy. It is attached to this post.

Any help would be greatly apreciated.

Regards,

run conf Cisco 2811.txt.zip
7 Replies
PhoneBoy
Admin
Admin
‎2018-07-19 08:24 AM

I would start by making sure you have all the necessary information to create a VPN.

Here's a nice worksheet for that: what information do we need from the remote site customer when creating site to site VPN? 

Then you can follow the steps in the documentation for creating a VPN with a third-party site: Site to Site VPN R80.10 Administration Guide 

See also: VPN Site-to-Site with 3rd party 

0 Kudos
Cesar_Caballero
Contributor
‎2018-07-19 08:45 AM
In response to PhoneBoy

Thanks Dameon Welch Abernathy‌ for the quick response. Yes, we allready have all the necessary information to create the VPN. Regarding the documentation for creating a VPN, we're running R77.30, and yes I'd had access to that documentation as well. My main question is how do I create the policy after configuring all the VPN parameters and how do I get the traffic to be NATed trough the loopback?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-07-19 09:21 AM
In response to Cesar_Caballero

Something like the following for the VPN rules:

For NAT, something like:

0 Kudos
Cesar_Caballero
Contributor
‎2018-07-19 10:48 AM
In response to PhoneBoy

Thanks once again for the info! And that loopback is configured as what kind of object in the SmartDashboard? Do I need a loopback interface in the GAiA firewall as well?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-07-19 11:07 AM
In response to Cesar_Caballero

You create a regular host object for it.

You will need to right-click on it in the NAT rulebase to change the NAT mode to Hide (versus Static).

If you are using VPN tunnel interfaces, you configure the IP on the tunnel interface. 

0 Kudos
Cesar_Caballero
Contributor
‎2018-07-19 11:43 AM
In response to PhoneBoy

All the info are great! Just another question: If I'm not using VTI, I just set up a regular loopback with the 10.2.92.2/30 address, right? And that with the NAT mode set to hide should work, right?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-07-19 12:18 PM
In response to Cesar_Caballero

You don't need to set up a loopback in this case.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫