This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Luigi_Vezzoso1
Collaborator
‎2019-01-09 09:04 AM

Definition of remote Gateway behind NAT

Hi,

do you know how centrally managed the CP1430 behind a NAT router?  I have nat-ed all the required ports from the Router Public IP to the Firewall. We have some isue on the VPN establishing (invalid ID Identifier).

How I should configure the gateway on the SMS?

172.16.0.1/24 -> CheckpointGateway -> 192.168.1.1/24 -> Router ->PublicIP ---> CheckPointGateway ---> SMS

I hope is clear.... I can establish a SIC and push policy correcly. I also receve the log on the SMS

Luigi

7 Replies
PhoneBoy
Admin
Admin
‎2019-01-09 01:44 PM

The gateway object IP on the SMS would be the public IP.

You said you configured NAT for the required ports--which ones specifically?

Also, when you try to either push policy, fetch policy, etc, what specific behavior do you see?

Error messages? Screen shots? Other information?

0 Kudos
Pedro_Espindola
Advisor
‎2019-01-09 07:23 PM

If you have SIC and policy installs, you probably got it right.

VPN might require some further configuration to work.

NAT might be causing divergence between the IP address the CP1400 knows and what the peer knows. Check sk101469

sk36425 explains a similar issue, but caused by ISP redundancy.

Luigi_Vezzoso1
Collaborator
‎2019-01-10 01:20 AM
In response to Pedro_Espindola

My environment is like the SK 101469 but the 1430 is Centrally Managed...

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2019-01-10 03:23 AM
In response to Luigi_Vezzoso1

I assume you want a VPN to 3rd party VPN as explained here: sk108600: VPN Site-to-Site with 3rd party - maybe you should set the ID Type not to IP address but something else...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Luigi_Vezzoso1
Collaborator
‎2019-01-10 03:25 AM
In response to G_W_Albrecht

Nope, the both side are checkpoint gateways centrally managed

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2019-01-10 03:30 AM
In response to Luigi_Vezzoso1

Please read sk108600 - maybe you should set the ID Type not to IP address but something else as i think it does send a wrong IP address... But you can analyze that using VPN Debug!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Hugo_vd_Kooij
MVP Gold
MVP Gold
‎2022-11-23 04:17 AM

I have a similar setup but it fails on the SIC allready. In the SIC I see the LAN side IP adres in reverse notation and the match can't be made.

The hostname equals the object name in the policy for the Central firewall.

(SecurityPeer sent wrong DN: 1.255.168.192** Reset SIC from peer, and establish trust again. **)

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events