Participant

Remote Access VPN with NATed IP Address

Hello Everyone,

I have a requirement to configure Remote Access VPN on a client’s firewall. Below are the setup details:

  • Gaia R80.40 ClusterXL Gateways
  • Gaia R80.40 Security Management Server
  • Firewall is behind the internet router and internet link is terminated on the internet router.
  • The Checkpoint cluster and the internet router are connected through a private network (i.e. the cluster’s external interface has private IP addresses configured on it: 10.10.10.x for the VIP, 10.10.10.y for the FW1 physical IP and 10.10.10.z for the FW2 physical IP).
  • There are multiple servers hosted behind this firewall cluster which are NATed on the firewall with public IP addresses. All these servers work properly.
  • All the users who access the internet are NATed behind the firewall (hide NAT with public IP addresses). This access works properly as well.

Now my client needs to enable remote access VPN on this firewall.

My query is:

  • Where should the Public IP be NATed on which VPN connection will be established?
  • Will it work if I statically NAT my external virtual IP address with the VPN public IP address, on the Firewall Cluster itself?
  • Or must it be NATed on the internet router only?

Thank you.

3 Replies
Admin

Whatever NAT IP on the router routes to the VIP, you need to configure as the IP for Link Selection in the cluster object.
That should allow VPN (either site-to-site or remote access) to work.

Participant

Hi Dameon,

Thank you for a quick response.

Is that the only way of achieving it? If NAT is not configurable on the router, can I do the NAT on the firewall cluster itself and achieve the same goal?


Thanks.

Admin

Connections will be initiated from the Internet to the gateway.
Since the gateway has only a private IP, something upstream has to do NAT to ensure traffic is received by the gateway.
If you can’t configure this, you might be able to reuse an existing public IP for this which is already routed through the gateway.
Can’t say for sure that will work.

Regardless, Link Selection is needed no matter what here since you’re not terminating the VPN on an interface IP.
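To make the advice in this thread checkable, here is an added example (not code from the thread or from Check Point) that models the three things that have to line up for a gateway behind an upstream NAT: the Link Selection address must be public, the router must statically map that public IP to the cluster VIP, and the router must forward the IKE and NAT-T ports to it. The router model, the address values and the port list are constructed for illustration.

```python
"""Consistency check for a remote-access VPN gateway whose external interface
carries a private IP and relies on an upstream router for NAT.
All data here is a constructed model, not a real gateway or router config."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Ports a remote-access client must reach on the gateway: IKE and NAT-T (assumed set).
VPN_PORTS = {("udp", 500), ("udp", 4500)}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class RouterNat:
    """One static NAT entry on the internet router (constructed model)."""
    public_ip: str
    internal_ip: str
    forwarded_ports: set = field(default_factory=set)


def is_rfc1918(addr: str) -> bool:
    return any(ip_address(addr) in net for net in RFC1918)


def check_vpn_nat(cluster_vip: str, link_selection_ip: str, nat_entries: list) -> list:
    """Return a list of findings; an empty list means the setup is consistent."""
    findings = []
    # Failure mode from the thread: leaving Link Selection on the private interface IP.
    if is_rfc1918(link_selection_ip):
        findings.append("Link Selection IP is private; Internet clients cannot reach it")
    entry = next((e for e in nat_entries if e.public_ip == link_selection_ip), None)
    if entry is None:
        findings.append(f"no router NAT entry for Link Selection IP {link_selection_ip}")
        return findings
    # The public IP must land on the VIP, not on a member's physical IP or a server.
    if entry.internal_ip != cluster_vip:
        findings.append(f"{link_selection_ip} maps to {entry.internal_ip}, not the VIP {cluster_vip}")
    for proto, port in sorted(VPN_PORTS - entry.forwarded_ports):
        findings.append(f"router does not forward {proto}/{port} to {cluster_vip}")
    return findings


if __name__ == "__main__":
    # Constructed sample: VIP 10.10.10.1, router maps 203.0.113.10 to it with both ports.
    router = [RouterNat("203.0.113.10", "10.10.10.1", set(VPN_PORTS))]
    print(check_vpn_nat("10.10.10.1", "203.0.113.10", router))   # []
    print(check_vpn_nat("10.10.10.1", "10.10.10.1", router))     # private + missing NAT
```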