Abhishek_Kumar1
Collaborator

NAT issue with site-to-site VPN configuration


Hi everyone,

I am facing an issue with the site-to-site VPN encryption domain.

I have created a site-to-site tunnel between Check Point and the Azure VPN gateway.

My firewall is deployed in Azure and my VNet IP pool is 10.10.0.0/16; we added the entire subnet to the encryption domain, and the satellite encryption domain is 10.250.6.0/24.

Our tunnel is up and we are able to access the peer subnet from my entire VNet subnet.

But we have an issue when any user comes from the AO VPN subnet, which uses a different subnet (10.130.0.0/16), and we cannot add that subnet to the encryption domain because if we add it to this Landing Zone, traffic will not communicate with another VNet.

We did a hide NAT with one IP from the firewall's external interface IP pool, so AO VPN traffic will be hidden behind that particular IP.

Below is the NAT statement:

Source: 10.139.0.0/16

Destination: 10.250.6.0/24

Translated source: 10.10.10.10

So if the source is 10.139.0.0/16 going to 10.250.6.0/24, it should be translated to 10.10.10.10.

10.10.10.10 is part of the encryption domain and should work,

but after applying the policy I can see only the SYN packet on the firewall; my communication is not working.

I suspect an issue with NAT.

Thank you in advance for your support.

 

Regards

Abhishek

1 Solution

Accepted Solutions
Abhishek_Kumar1
Collaborator

I used the external interface IP range to NAT the AO VPN subnet.

But it was not working; then I added the NATed IP (10.10.10.20) to the encryption domain, even though I had already added the /16 subnet earlier, and added the AO VPN subnet to the encryption domain as TAC suggested, and then it started working. TAC said it will only encrypt the traffic when it goes to this related peer subnet. But I am still confused: if I add the AO VPN subnet to the current VPN encryption domain, will it not impact other VPN connectivity?

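As an added diagnostic (not code from the thread or from Check Point), this models the hide NAT rule and the two encryption domains given above and reports, for a test flow, whether the source falls inside the local domain before and after translation and whether the destination is in the peer domain, plus which other domains a candidate subnet would overlap. The addresses are the ones from the thread; the second community's domain used in the overlap check is a constructed value.

```python
"""Diagnostic for hide NAT versus site-to-site VPN encryption domains.
Added example; rule layout and the overlap helper are assumptions."""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass
class HideNat:
    src: Net
    dst: Net
    translated_src: Addr

    def apply(self, src_ip: Addr, dst_ip: Addr) -> Addr:
        """Return the post-NAT source if the rule matches, else the original."""
        if src_ip in self.src and dst_ip in self.dst:
            return self.translated_src
        return src_ip


def in_domain(ip: Addr, domain: list) -> bool:
    """True if ip is covered by any network in an encryption domain."""
    return any(ip in net for net in domain)


def check_flow(src: str, dst: str, nat: HideNat, local: list, peer: list) -> dict:
    """Evaluate one flow against the domains before and after hide NAT."""
    src_ip, dst_ip = Addr(src), Addr(dst)
    post_nat = nat.apply(src_ip, dst_ip)
    return {
        "pre_nat_src_in_local": in_domain(src_ip, local),
        "post_nat_src_in_local": in_domain(post_nat, local),
        "dst_in_peer": in_domain(dst_ip, peer),
    }


def domain_overlaps(candidate: Net, other_domains: list) -> list:
    """Networks in other communities' domains that overlap a candidate subnet."""
    return [n for n in other_domains if candidate.overlaps(n)]


# Values from the thread; the second VPN's domain below is constructed.
LOCAL = [Net("10.10.0.0/16")]
PEER = [Net("10.250.6.0/24")]
NAT = HideNat(Net("10.139.0.0/16"), Net("10.250.6.0/24"), Addr("10.10.10.10"))

if __name__ == "__main__":
    print(check_flow("10.139.4.7", "10.250.6.10", NAT, LOCAL, PEER))
    print(domain_overlaps(Net("10.139.0.0/16"), [Net("10.139.8.0/24")]))
```

A flow whose pre-NAT source is outside the local domain while its post-NAT source is inside it is exactly the case the thread ended up resolving by extending the domain.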
2 Replies
PhoneBoy
Admin
Admin

I suspect you need to NAT to an IP associated with the gateway (not some random IP).
Or you need a UDR that points 10.10.10.10 to the gateway.
