nastiakhon
Participant

NAT Before VPN?

Hello
I had a need to put the implementation of the NAT rule first, and then the access policy.
Can I do it somehow?
Thank you!

14 Replies
PhoneBoy
Admin

On new connections, NAT is always applied last.
This means your Access Policy rules must always be in terms of packets prior to the application of NAT.
Changing this is not possible.

nastiakhon
Participant

Thank you very much for your reply!
Maybe you can then tell me about my problem, or maybe I need to open a new post?

The bottom line is that I have built a site-to-site VPN. I have two LAN networks, one I send to the VPN, and the other is mine, and now I need to make NAT for one server that is in my network. I have a rule for accessing the Internet configured for this network, and accordingly, when a packet (from my LAN server, not in the VPN) is sent to the server which is found on the other side of the VPN, it first of all gets into the access list rules, and NAT does not happen.

nastiakhon
Participant

There are three networks: LAN1 is my internal network, VPN-LAN2 is also my internal network, the traffic from which is sent to the VPN, and the LAN3 network, which is not my network and is located on the other side of the VPN tunnel. There is a server in the LAN1 network for which I need to configure access to the server located in LAN3, and this must be done using NAT. The NAT rule is configured, but the traffic that comes from my server must first go through the NAT and then get into the VPN channel. I have different rules configured for LAN1 and its server, so the traffic passes through them, then NAT is executed and the traffic no longer gets into the VPN tunnel. This is how it turns out. Maybe there is some alternative solution? Please tell me!

PhoneBoy
Admin

Anything on your end that needs to talk over the VPN has to be in your Encryption Domain and must be permitted by your local access rules.
You can apply a NAT rule so it looks like it's coming from your VPN subnet for the other end of the VPN.

nastiakhon
Participant

Thank you!
But I already have a rule set up saying that:
source - server in LAN1, destination - server in LAN3, then NAT: source - IP from LAN2, destination - server in LAN3. I also have an access rule configured, allow, from the server in LAN1 to the server in LAN3 and back.
But the traffic still does not enter the VPN tunnel, but goes into the void.

PhoneBoy
Admin

The NAT is probably working, which you can confirm by reviewing the logs or a packet capture.
Because the server in LAN1 is not part of the Encryption Domain, traffic sent to LAN3 is likely being sent in the clear instead of over the VPN.
Change your Encryption Domain (configured in the gateway object) to include the server in LAN1.

nastiakhon
Participant

Thank you!
In my lab it worked !!!
But can I still ask for clarification? I added my LAN1 server to my VPN domain LAN2, depleting it from the group. But on the other side, where LAN3 is, my server is not added. Will this lead to the destruction of the VPN tunnel in the future?

nastiakhon
Participant

Thank you!
My VPN broke (this is a laboratory environment). As it turned out, I began checking while the tunnel was still built with the old values of the LAN networks, but after restarting, the VPN cannot be negotiated and the other side rejects my requests.

PhoneBoy
Admin

Did you add only the specific server or the entire server LAN?
If you added the entire subnet, then I can see supernetting taking place, which would cause a configuration mismatch and the VPN to fail.
My guess is scenario 1 here applies: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

nastiakhon
Participant

Hello, thanks for your answer!
I only added a specific server to the group. And now in the group for the VPN community I have LAN2 and serverLAN1. But the tunnel is still not going.

Also, I do not quite understand what I need to add in the "user.def" file.
I did it like this:

[Expert@CP_GW1:0]# cat user.def.FW1
/*
 * (c) Copyright 1993-2008 Check Point Software Technologies Ltd.
 * All rights reserved.
 *
 * This is proprietary information of Check Point Software Technologies
 * Ltd., which is provided for informational purposes only and for use
 * solely in conjunction with the authorized use of Check Point Software
 * Technologies Ltd. products. The viewing and use of this information is
 * subject, to the extent appropriate, to the terms and conditions of the
 * license agreement that authorizes the use of the relevant product.
 *
 * $RCSfile: user.def,v $ $Revision: 1.2.1488.1.4.1 $ $Date: 2004/03/03 17:01:14 $
 */


#ifndef __user_def__
#define __user_def__

//
// User defined INSPECT code
//
subnet_for_range_and_peer = {
<172.16.16.1, 192.168.0.1, 192.168.0.1; 255.255.255.255>
};


#endif /* __user_def__ */
[Expert@CP_GW1:0]#

172.16.16.1 is the LAN3 server
192.168.0.1 is the LAN1 server

But it didn't work.
Maybe I need to add another rule?

PhoneBoy
Admin

Normally, what is negotiated with the remote end is the subnets/IPs in your encryption domain.
What you are configuring here is what you want to negotiate with the remote end instead.
Originally, when you had this working, you had LAN2 configured as the encryption domain, correct?

What you're configuring in this file is the precise subnet(s) you want to negotiate with the remote site (instead of the configured encryption domain).
That implies:

  • The first item is the remote VPN gateway IP (the thing you're establishing a VPN with).
  • The second and third item would be the first and last IP address in the LAN2 subnet.
  • The last item is the appropriate subnet mask for LAN2.

This change must be made on the management and requires a policy installation to take effect.
It's also the kind of thing that will not be preserved on an upgrade and will have to be reapplied, possibly in multiple places depending on versions of gateway managed.

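As an added example (not code from this thread or from Check Point), a small Python helper that builds a subnet_for_range_and_peer tuple in the shape described in the reply above, parses an existing user.def body, and reports the inconsistencies the thread discusses (first item not the peer gateway, range not matching the mask, range not a local subnet, NATed source outside the negotiated range). The remote gateway 203.0.113.1 and the LAN2 subnet 10.20.0.0/24 are constructed placeholders; the sample entry is the one posted earlier in the thread.

```python
import ipaddress
import re

# One <peer, first, last; mask> tuple inside subnet_for_range_and_peer (user.def syntax).
_ENTRY = re.compile(r"<\s*([\d.]+)\s*,\s*([\d.]+)\s*,\s*([\d.]+)\s*;\s*([\d.]+)\s*>")

# The entry exactly as posted in the thread, used here as sample input.
SAMPLE_USER_DEF = """subnet_for_range_and_peer = {
<172.16.16.1, 192.168.0.1, 192.168.0.1; 255.255.255.255>
};"""

# Constructed placeholders: the remote VPN gateway and the LAN2 subnet are not given in the thread.
PEER_GW = "203.0.113.1"
LAN2 = "10.20.0.0/24"

def make_entry(peer_gw, local_subnet):
    """Build one tuple in the described shape: peer gateway, first IP, last IP; mask."""
    net = ipaddress.ip_network(local_subnet, strict=True)
    return f"<{peer_gw}, {net.network_address}, {net.broadcast_address}; {net.netmask}>"

def parse_entries(user_def_text):
    """Return every (peer, first, last, mask) tuple found in a user.def body."""
    return [m.groups() for m in _ENTRY.finditer(user_def_text)]

def check_entry(entry, peer_gw, local_subnets):
    """List the problems with one parsed entry; an empty list means it is consistent."""
    peer, first, last, mask = entry
    problems = []
    if peer != peer_gw:
        problems.append(f"first item {peer} is not the remote VPN gateway {peer_gw}")
    try:  # strict=True rejects a first address that is not the start of the masked subnet
        net = ipaddress.ip_network(f"{first}/{mask}", strict=True)
    except ValueError:
        problems.append(f"{first} is not the first address of a subnet with mask {mask}")
        return problems
    if ipaddress.ip_address(last) != net.broadcast_address:
        problems.append(f"last item {last} is not the last address of {net}")
    if not any(net == ipaddress.ip_network(s) for s in local_subnets):
        problems.append(f"{net} is not a local subnet the remote site expects to see")
    return problems

def nat_source_in_range(translated_src, entry):
    """True if a NATed source address lies inside the range the entry negotiates."""
    _, first, last, _ = entry
    return ipaddress.ip_address(first) <= ipaddress.ip_address(translated_src) <= ipaddress.ip_address(last)

if __name__ == "__main__":
    for e in parse_entries(SAMPLE_USER_DEF):
        print(e, check_entry(e, PEER_GW, [LAN2]))
    print(make_entry(PEER_GW, LAN2))
```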
nastiakhon
Participant

Thank you!
I made sure that my traffic from the LAN1 server to the LAN3 server goes into the VPN tunnel. The tunnel comes up from both sides, but now the problem has arisen again that NAT is not happening.
Traffic is sent through tunnels to the remote side without NAT.

PhoneBoy
Admin

What is your precise NAT rule?
This will require a manual rule for certain.
Also does your VPN community have NAT enabled?
See: https://community.checkpoint.com/t5/Security-Gateways/NAT-is-not-working-via-VPN/m-p/10148/highlight...

nastiakhon
Participant

You are right, I had NAT turned off in the community. After turning it on, my circuit started working as it should.
Now I will try this scheme in production.
thanks for your help!
