Luigi_Vezzoso1
Collaborator

Definition of remote Gateway behind NAT

Hi,

do you know how to centrally manage the CP1430 behind a NAT router? I have NAT-ed all the required ports from the router's public IP to the firewall. We have some issue establishing the VPN (invalid ID identifier).

How should I configure the gateway on the SMS?

172.16.0.1/24 -> CheckpointGateway -> 192.168.1.1/24 -> Router -> PublicIP ---> CheckPointGateway ---> SMS

I hope it is clear.... I can establish SIC and push policy correctly. I also receive the logs on the SMS.

Luigi

7 Replies
PhoneBoy
Admin

The gateway object IP on the SMS would be the public IP.

You said you configured NAT for the required ports - which ones specifically?

Also, when you try to either push policy, fetch policy, etc., what specific behavior do you see?

Error messages? Screen shots? Other information?

Pedro_Espindola
Advisor

If you have SIC and policy installs, you probably got it right.

VPN might require some further configuration to work.

NAT might be causing divergence between the IP address the CP1400 knows and what the peer knows. Check sk101469.

sk36425 explains a similar issue, but caused by ISP redundancy.

Luigi_Vezzoso1
Collaborator

My environment is like the SK 101469 but the 1430 is Centrally Managed...

G_W_Albrecht
Legend

I assume you want a VPN to 3rd party VPN as explained here: sk108600: VPN Site-to-Site with 3rd party - maybe you should set the ID Type not to IP address but something else...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Luigi_Vezzoso1
Collaborator

Nope, both sides are Check Point gateways, centrally managed.

G_W_Albrecht
Legend

Please read sk108600 - maybe you should set the ID Type not to IP address but something else, as I think it does send a wrong IP address... But you can analyze that using VPN Debug!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Hugo_vd_Kooij
Advisor

I have a similar setup but it fails on SIC already. In the SIC I see the LAN side IP address in reverse notation and the match can't be made.

The hostname equals the object name in the policy for the Central firewall.

(SecurityPeer sent wrong DN: 1.255.168.192** Reset SIC from peer, and establish trust again. **)

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
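A constructed diagnostic helper, added here and not code from this thread or from Check Point: it pulls the address out of a "wrong DN" SIC message of the form Hugo quotes, tries both octet orders, and reports whether it matches the gateway's LAN address or the public address used for the SMS gateway object, so a NAT-induced mismatch shows up directly. The sample message and the LAN and public addresses below are assumed values.

```python
import re

# Constructed sample, modelled on the SIC error quoted in the thread above.
SAMPLE_ERROR = ("SecurityPeer sent wrong DN: 1.255.168.192** "
                "Reset SIC from peer, and establish trust again. **")

# Dotted quad immediately after "wrong DN:".
DN_IP_RE = re.compile(r"sent wrong DN:\s*((?:\d{1,3}\.){3}\d{1,3})")


def extract_dn_ip(message):
    """Return the dotted quad embedded in a 'wrong DN' SIC error, or None."""
    match = DN_IP_RE.search(message)
    return match.group(1) if match else None


def reverse_octets(ip):
    """Reverse the octet order: '1.255.168.192' -> '192.168.255.1'."""
    return ".".join(reversed(ip.split(".")))


def classify_dn(message, lan_ip, public_ip):
    """Say which of the gateway's addresses the DN carries, if any.

    lan_ip    - the gateway's own (pre-NAT) interface address
    public_ip - the NAT router address used for the gateway object on the SMS
    Returns 'no-ip', 'public', 'public-reversed', 'lan', 'lan-reversed' or 'unknown'.
    """
    raw = extract_dn_ip(message)
    if raw is None:
        return "no-ip"
    for label, expected in (("public", public_ip), ("lan", lan_ip)):
        if raw == expected:
            return label
        if reverse_octets(raw) == expected:
            return label + "-reversed"
    return "unknown"


if __name__ == "__main__":
    # Assumed sample addresses: LAN side of the 1430 and the router's public IP.
    print(classify_dn(SAMPLE_ERROR, "192.168.255.1", "203.0.113.10"))  # lan-reversed
```

A result of "lan-reversed" or "lan" means the peer identified itself with its private address rather than the public address the SMS object carries, which is the mismatch described in the thread.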