luk89as
Participant

VPN S2S CP 700 Series WAN Behind NAT

Hello,

I have two Checkpoint 750 and 730 gates.

Checkpoint 750 has an assigned public IP address on the WAN port.

Checkpoint 730 is assigned a local IP address on the WAN port.

The address on the Checkpoint 730's WAN port is NAT 1:1 from a public IP address.

This configuration results from the change of the link provider.

In the old configuration where both Checkpoints had public addresses on WAN ports, the S2S VPN connection worked without any problems.

After changing the link provider and NAT of the public address to the local WAN 1:1 address, Checkpoint 730 presents itself with the local WAN address. For this reason, the S2S VPN does not work.

In the S2S Checkpoint 750 VPN configuration, I configured the remote site behind NAT and provided the local address it was behind.

Still, it doesn't work.

Am I making a configuration error or is the supplier blocking something? Normal Gate <--> client connection works fine.

8 Replies
G_W_Albrecht
Legend

Can we move this post to Spark/SMB, @_Val_  ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
luk89as
Participant

OK. Please move this post to Spark/SMB

_Val_
Admin

@G_W_Albrecht done. Also, you now are able to move the posts yourself 🙂 Please use this with caution.

G_W_Albrecht
Legend

I promise that I will 😎

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
luk89as
Participant

Hello,

Is it possible to configure what IP address Checkpoint 730 should present itself with when connecting VPN S2S? It's about the WAN address.

Currently, the WAN port of Checkpoint 730 has a local 1:1 NAT address from a public IP.

All ports and services are not blocked by the provider. The problem is only the local IP address on the WAN NAT 1:1 port from the public address.

G_W_Albrecht
Legend

Can be configured in Advanced Settings:

AdvancedVPN.png

If that is not what you are trying to achieve, look at the other VPN S2S settings.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
luk89as
Participant

I started S2S VPN connection.

In the S2S VPN settings I checked the option: "Disable NAT for this site"

I applied the setting to both Checkpoint devices.

Tom_Hinoue
Advisor

Does the new ISP link use CG-NAT where public IP is shared with other subscribers?
If so, using aggressive mode from CP730 to CP750 might be a choice. (CP730 as initiator, CP750 as responder)
