Ivory

Site-Site Tunnel with NAT to a second Tunnel


Hello all,

I'm in no way an experienced Check Point admin; this is a situation I was tasked with because no one else would take it.
I'm used to working with Palo Alto and ASA devices, so I might be missing something here.

This is the basic layout:

[Image: Untitled.png]

Due to whatever policies, 10.13.1.x can't be connected directly to 1.1.1.1, so the solution was to create the tunnel between devices 1 and 2.

Device 1 is a Fortinet that I have no control over.
The tunnel between device 2 and 10.13.1.x already exists and is ok.

I have assigned 172.31.221.201 to an internal interface on device 2, which is a Check Point device, and created access and NAT rules that I can see applied in the logs when I telnet to one of the allowed ports from 10.13.1.11 to 172.31.201.82.

Phase 1 is OK, but the admin of device 1 says it sees device 2 trying to negotiate the 10.13.1.x subnet, but not 172.31.221.x, in Phase 2. Is there any way I can force device 2 to negotiate only the wanted subnet?

Should I create a new gateway object for this new tunnel and set the topology to this address? On a Palo Alto device I would create a new IKE gateway for each tunnel I want to establish. Is this the same logic on Check Point?

Thank you for any help you provide.

2 Replies
Admin
What is the encryption domain defined as on your Gateway?
It should include ALL the subnets that need to communicate with the remote peer.
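The condition the reply above points at can be checked mechanically: when hide NAT is applied before encryption, the source address the peer actually sees on the wire is the post-NAT address, so that address has to be inside the local encryption domain, and the covering network has to fit the selector the peer is configured to accept. The following is an added Python example, not code from the thread, from Check Point or from Fortinet; it is a simplified model of the selector rule using the thread's addresses, and it assumes a /24 for the peer's expected selector, which the post only gives as "172.31.221.x".

```python
"""Encryption-domain consistency check for an IPsec tunnel where hide NAT is
applied before encryption. Added example modelled on the thread's addressing;
a simplified model of the selector rule, not Check Point or Fortinet logic."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed data taken from the thread. The /24 for the peer's expected
# selector is an assumption (the post only says "172.31.221.x").
HIDE_NAT = {ip_network("10.13.1.0/24"): ip_address("172.31.221.201")}
PEER_REMOTE_SELECTOR = ip_network("172.31.221.0/24")
FLOWS = [(ip_address("10.13.1.11"), ip_address("172.31.201.82"))]

# Encryption domain as described in the post (only the real subnet behind
# device 2), one that also contains the hiding address the peer sees, and one
# that covers the hiding address but is broader than what the peer accepts.
ENCRYPTION_DOMAIN_ORIGINAL = [ip_network("10.13.1.0/24")]
ENCRYPTION_DOMAIN_FIXED = [ip_network("10.13.1.0/24"),
                           ip_network("172.31.221.201/32")]
ENCRYPTION_DOMAIN_TOO_BROAD = [ip_network("10.13.1.0/24"),
                               ip_network("172.31.0.0/16")]


@dataclass(frozen=True)
class Finding:
    flow: str
    problem: str


def translate_source(src, hide_nat):
    """Apply the first hide-NAT rule (original network -> hiding address)
    whose original network contains src; otherwise src is unchanged."""
    for original, hiding in hide_nat.items():
        if src in original:
            return hiding
    return src


def covering_net(addr, nets):
    """Most specific network in nets that contains addr, or None."""
    hits = [n for n in nets if addr in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def check_encryption_domain(flows, encryption_domain, hide_nat, peer_remote_selector):
    """For each (src, dst) flow, require that the source address the peer
    will actually see (post-NAT) is covered by our encryption domain, and
    that the covering network fits inside the selector the peer accepts.
    subnet_of() is the lenient check (IKEv2-style narrowing); a strict IKEv1
    peer wants the proxy IDs to match exactly. Returns a list of Findings;
    an empty list means the configuration is consistent."""
    findings = []
    for src, dst in flows:
        label = f"{src} -> {dst}"
        seen_by_peer = translate_source(src, hide_nat)
        local_net = covering_net(seen_by_peer, encryption_domain)
        if local_net is None:
            pre_nat_net = covering_net(src, encryption_domain)
            findings.append(Finding(label,
                f"post-NAT source {seen_by_peer} is not in the encryption domain; "
                f"only {pre_nat_net} covers this flow"))
        elif not local_net.subnet_of(peer_remote_selector):
            findings.append(Finding(label,
                f"selector {local_net} does not fit inside the peer's {peer_remote_selector}"))
    return findings


if __name__ == "__main__":
    for name, domain in (("original", ENCRYPTION_DOMAIN_ORIGINAL),
                         ("fixed", ENCRYPTION_DOMAIN_FIXED),
                         ("too broad", ENCRYPTION_DOMAIN_TOO_BROAD)):
        result = check_encryption_domain(FLOWS, domain, HIDE_NAT, PEER_REMOTE_SELECTOR)
        print(f"{name}: {'consistent' if not result else result}")
```

With the domain as described in the post the check reports that 172.31.221.201 is not in the encryption domain and that only 10.13.1.0/24 covers the flow, which is the mismatch the peer's admin described; adding the hiding address to the domain clears it, while a domain that covers the hiding address with a network broader than the peer's selector is flagged as the second failure mode.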
Ivory

It wasn't solved, but thank you for the reply.

I had people with Check Point certs look at the config and nothing seemed wrong, but it wouldn't work as intended.

In the end, a few quirks like this one became deal breakers for the techs on the client team, so we replaced that demo device with something else they were more familiar with.
