luk89as
Participant

CP1570 VPN S2S to Palo Alto - NAT translation

Hello,

I have an S2S CP1570 and a Palo Alto connected via VPN.

The server behind Palo Alto is assigned the IP 172.28.148.1

The server (IP 172.28.148.1) behind Palo Alto will only respond to a PING query if the traffic from the CP1570 side comes from the 172.29.148.0/24 network passing through the VPN tunnel.

How do I do a 1:1 NAT translation so that when I send a PING from the 192.168.88.0/24 network it is sent through the VPN tunnel as an IP from the 172.29.148.0/24 network?

If this is not possible I will have to assign a static address from the 172.29.148.0/24 network to the computer's network card.

I am attaching an image with a block diagram.

CP1570 Firmware R81.10.08 (996001683)


0 Kudos
1 Reply
JoSec
Collaborator

I am not familiar with the model CP1570, but normally if using a domain/policy based VPN, you need to add the hosts/networks/ranges, etc. that you would want to participate in the VPN to the VPN domain object on the Check Point side and have the corresponding rule. No need to NAT unless there is a requirement to do so, such as communicating to a public IP over a VPN or a conflict for overlapping IP networks. Also on the Palo side you will have to allow 192.168.88.0/24, or a single IP/32 if that is all you need from that subnet, inbound, and make any other Palo config changes to allow the traffic. Now if you need to NAT for some other reason, you can NAT, but you will still have the network or individual IP from 192.168.88.0/24 in the rule and the VPN domain object on the Check Point side.
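As an added example (not code from the thread or from either vendor), here is a small Python model of the domain-based VPN decision the reply describes, using the networks from the question. It assumes the CP1570 matches the original (pre-NAT) source against its VPN domain object, as the reply states, and that the Palo Alto checks the source address it actually receives against the remote networks it allows; the 1:1 NAT helper is hypothetical.

```python
from ipaddress import ip_address, ip_network

# Networks from the thread (constructed for this example, not exported from either box).
CP_LAN_A = ip_network("172.29.148.0/24")   # already in the CP1570 VPN domain
CP_LAN_B = ip_network("192.168.88.0/24")   # the LAN whose pings get no reply
PA_LAN   = ip_network("172.28.148.0/24")   # protected by the Palo Alto (server 172.28.148.1)
SERVER   = "172.28.148.1"

def in_domain(addr, domain):
    return any(addr in net for net in domain)

def one_to_one_nat(src, from_net, to_net):
    """Static 1:1 NAT of a whole /24: keep the host bits, swap the network bits.
    Hypothetical helper, not a Check Point NAT rule."""
    offset = int(ip_address(src)) - int(from_net.network_address)
    return str(ip_address(int(to_net.network_address) + offset))

def policy_vpn(src, dst, cp_domain, pa_remote, nat_src=None):
    """Simulate one packet, CP1570 -> Palo Alto, over a domain-based VPN.
    cp_domain : networks in the CP1570 VPN domain object, matched on the ORIGINAL
                source (assumption taken from the reply: NAT does not remove this)
    pa_remote : remote networks the Palo Alto accepts from this peer
    nat_src   : source address the peer sees if a 1:1 NAT rule applies"""
    src, dst = ip_address(src), ip_address(dst)
    if not in_domain(src, cp_domain):
        return "not encrypted: source outside CP1570 VPN domain"
    if not in_domain(dst, [PA_LAN]):
        return "not encrypted: destination outside peer domain"
    seen_src = ip_address(nat_src) if nat_src else src
    if not in_domain(seen_src, pa_remote):
        return "dropped by Palo Alto: remote network not allowed"
    return "delivered"

# Baseline from the question: 192.168.88.x is not in the domain, so the ping never enters the tunnel.
baseline = policy_vpn("192.168.88.10", SERVER, [CP_LAN_A], [CP_LAN_A])
# Option 1 (the reply): add 192.168.88.0/24 to the CP domain; the Palo side must allow it too.
cp_only = policy_vpn("192.168.88.10", SERVER, [CP_LAN_A, CP_LAN_B], [CP_LAN_A])
both    = policy_vpn("192.168.88.10", SERVER, [CP_LAN_A, CP_LAN_B], [CP_LAN_A, CP_LAN_B])
# Option 2 (the asker's fallback): 1:1 NAT to 172.29.148.x so the Palo config stays as is,
# but 192.168.88.0/24 still has to be in the CP domain object and rule.
natted    = one_to_one_nat("192.168.88.10", CP_LAN_B, CP_LAN_A)
nat_nodom = policy_vpn("192.168.88.10", SERVER, [CP_LAN_A], [CP_LAN_A], nat_src=natted)
nat_dom   = policy_vpn("192.168.88.10", SERVER, [CP_LAN_A, CP_LAN_B], [CP_LAN_A], nat_src=natted)

if __name__ == "__main__":
    for name, result in [("baseline", baseline), ("cp_only", cp_only), ("both", both),
                         ("nat_nodom", nat_nodom), ("nat_dom", nat_dom)]:
        print(f"{name:9s} -> {result}")
```

Note that with option 2 the translated 172.29.148.x addresses must not collide with real hosts in that /24, which is one of the reasons the reply prefers extending the VPN domain over NAT.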
