This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Michael_Horne
Advisor
‎2018-05-07 03:20 AM

VPN connection with Destination NAT not working

Hello,

I am having trouble getting a destination NAT working for a VPN connection working.  I am sure it is a simple issue, but I have been banging my head against the wall with it for a couple of days.

I have a domain based VPN for a site to site VPN. The VPN doman is configured and working as I can bring up the VPN for some other connections that are not using destination NAT. The Interoperable Device is configure with a VPN Domain that includes the "real" and "NAT IP":

Remote                Local
192.168.2.10/32 10.0.0.0/8
10.191.34.10/32 10.0.0.0/8

The Access Policy is configure for testing to match from a host HTTP traffic with the VPN configured:

The NAT Policy is configured for a destination NAT from NAT_Server (192.168.2.10) to the H_Server (10.191.34.10)

My understanding is that this should map the NAT_Server (192.168.2.10) to the H_Server (10.191.34.10).  This does appear to work as I see with "fw monitor" the traffic arriving on the firewall on the expected eth1 and trying to leave on the expected eth3:

The problem is that the packet stops on the outbound chain "o".  In the log files I see the message about encryption failure: Different community ID, possible NAT problem (VPN Error code 01)

If someone is able to guide me in the right direction to solve this, it would be much appreciated.

Many thanks,

6 Replies
G_W_Albrecht
Legend Legend
Legend
‎2018-05-07 05:22 AM

Looks like the issue from sk25867 "Different community ID, possible NAT problem (VPN Error code 02)" error on packet drop

There is also sk108600 VPN Site-to-Site with 3rd party  that may help...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Michael_Horne
Advisor
‎2018-05-07 05:30 AM
In response to G_W_Albrecht

Hello,

I have been through many SKs, recently, but I will check them out.  I believe I have not looked at sk108600 yet.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-05-07 05:47 AM
In response to Michael_Horne

sk108600 is very helpfull for VPN with 3rd Party GWs.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-06-06 03:54 AM
In response to Michael_Horne

Were you able to resolve the issue yet ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Michael_Horne
Advisor
‎2018-06-06 04:33 AM
In response to G_W_Albrecht

Hi,  I checked with support and Domain based VPN does not work when the encryption domains overlap.

G_W_Albrecht
Legend Legend
Legend
‎2018-06-06 05:10 AM
In response to Michael_Horne

That is certainly true 😉

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events