Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
luk89as
Explorer

CP1570 VPN S2S to Palo Alto - NAT translation

Hello,

I have an S2S CP1570 and a Palo Alto connected via VPN.

The server behind Palo Alto is assigned the IP 172.28.148.1

The server (IP 172.28.148.1) behind Palo Alto will only respond to a PING query as traffic from the CP1570 side will come from the 172.29.148.0/24 network passing through the VPN tunnel.

How do I do a 1:1 NAT translation so that when I send a PING from the 192.168.88.0/24 network it will be sent through the VPN tunnel as an IP from the 172.29.148.0/24 network.

If this is not possible I will have to assign a static address from the 172.29.148.0/24 network to the computer's network card

I am attaching an image with a block diagram.

CP1570 Firmware  R81.10.08 (996001683)

 

0 Kudos
1 Reply
JoSec
Collaborator

I am not familiar with the model CP1570, but normally if using a domain/policy based VPN, you need to add the host/networks/ranges, etc.,. that you would want to participate in the VPN to the VPN domain object on the Checkpoint side and have the corresponding rule. No need to NAT unless there is a requirement to do so such as communicating to a public IP over a VPN or a conflict for overlapping IP Network. Also on the Palo side you will have to allow 192.168.88.0/24 or a single IP/32 if that is all you need from that subnet, inbound and make any of other Palo config changes to allow the traffic. Now if you need to NAT for some other reason, you can NAT but will still have the network of individual IP from192.168.88.0/24 in the rule and the VPN domain object on the Checkpoint side.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events