Hello to everyone,
I'm currently facing a scenario where we have two Check Point 4200s working in standalone HA and taking care of my internet connection and a simple VPN. Next to it, there is a Cisco 2811 router whose only duty is to keep an IPsec VPN established with another Cisco that we don't manage. I've been asked to migrate that IPsec VPN from the Cisco to the Check Point, and I don't know how to do that. Can anybody help me?
The IPsec VPN conditions are:
- The IPsec VPN must be established between the Check Point standalone in HA with a cluster IP 10.15.128.130/30 and a 3rd party appliance (Cisco) that we don't manage with an IP 10.15.128.2/30. So the Cluster IP address is going to be in a different subnet than its members.
- Traffic within the IPsec VPN must be routed by NATing all IPs with a loopback with an IP 10.2.92.2 and another loopback with an IP 10.1.92.2.
- I've uploaded a modified config of the Cisco 2811 to protect privacy. It is attached to this post.
Any help would be greatly appreciated.
Regards,
I would start by making sure you have all the necessary information to create a VPN.
Here's a nice worksheet for that: what information do we need from the remote site customer when creating site to site VPN?
Then you can follow the steps in the documentation for creating a VPN with a third-party site: Site to Site VPN R80.10 Administration Guide
See also: VPN Site-to-Site with 3rd party
Thanks Dameon Welch Abernathy for the quick response. Yes, we already have all the necessary information to create the VPN. Regarding the documentation for creating a VPN, we're running R77.30, and yes, I had access to that documentation as well. My main question is how do I create the policy after configuring all the VPN parameters and how do I get the traffic to be NATed through the loopback?
Something like the following for the VPN rules:
For NAT, something like:
Thanks once again for the info! And that loopback is configured as what kind of object in the SmartDashboard? Do I need a loopback interface in the GAiA firewall as well?
You create a regular host object for it.
You will need to right-click on it in the NAT rulebase to change the NAT mode to Hide (versus Static).
If you are using VPN tunnel interfaces, you configure the IP on the tunnel interface.
All the info is great! Just another question: If I'm not using VTI, I just set up a regular loopback with the 10.2.92.2/30 address, right? And that with the NAT mode set to hide should work, right?
You don't need to set up a loopback in this case.