This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
MVP Silver
MVP Silver
‎2023-06-28 09:25 AM
Jump to solution

NAT in S2S VPN deployment.

Hello,

A query, I have a S2S IPsec VPN against a third party, in which, on our side we have the need that "the remote peer" does not know us with the real IPs of our servers.

These are our Real IPs:
10.7.12.124
10.7.106.114
192.168.216.50

Destination IP of the remote peer:
69.20.50.41

These 3 IPs, must "present" themselves to the remote peer, with the NAT IP -> 172.26.15.254

Checkpoint requires that in this case, 3 Hide NAT type rules are created for each of the real IPs, right?

It is not possible to work it in only one NAT rule?

Cheers. 🙂

0 Kudos
1 Solution

Accepted Solutions
CaseyB
Advisor
‎2023-06-28 12:35 PM
In response to Matlu
Jump to solution

Yes, it is possible to setup groups in the NAT rule base for your hide NAT. I use this feature quite often.

You can absolutely put those 3 servers into a group and specify hide behind 172.26.15.254 when talking to the other remote network.

View solution in original post

(1)
7 Replies
the_rock
MVP Platinum
MVP Platinum
‎2023-06-28 09:39 AM
Jump to solution

Hey bro,

Make sure NAT is enabled inside vpn community and if its static nat rules, then they may need to be separate.

Andy

Best,
Andy
0 Kudos
Matlu
MVP Silver
MVP Silver
‎2023-06-28 09:47 AM
In response to the_rock
Jump to solution

Buddy

The TAC told me that in order for Checkpoint, to take my manual NAT rules into account, I have to disable the checkbox of the option that you see in the following image. 😄
VPN1.png

For now, my manual NAT works fine, but it is configured as a 1 - 1 NAT.
And what I want is that on my side, there are 3 servers with different IPs, that can reach the other side of the VPN, with a single NAT IP.

Is it possible to make a Hide NAT, using as origin a "group object" and putting there, all the IPs that I want to leave my side ????

Greetings.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-06-28 09:59 AM
In response to Matlu
Jump to solution

Sorry, my bad, I believe TAC is correct. Also, as per below, makes sense

VPN Communities - Advanced (checkpoint.com)

Btw, if its hide NAT rule, then group should work.

Andy

Best,
Andy
0 Kudos
CaseyB
Advisor
‎2023-06-28 12:35 PM
In response to Matlu
Jump to solution

Yes, it is possible to setup groups in the NAT rule base for your hide NAT. I use this feature quite often.

You can absolutely put those 3 servers into a group and specify hide behind 172.26.15.254 when talking to the other remote network.

(1)
the_rock
MVP Platinum
MVP Platinum
‎2023-06-28 12:37 PM
In response to CaseyB
Jump to solution

100% that works, agree.

Andy

Best,
Andy
0 Kudos
Matlu
MVP Silver
MVP Silver
‎2023-06-28 01:01 PM
In response to the_rock
Jump to solution

Thanks for the support, guys.

Cheers. 🙂

the_rock
MVP Platinum
MVP Platinum
‎2023-06-28 01:09 PM
In response to Matlu
Jump to solution

FYBFOC = for you bro, free of charge 🙂

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events