This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Abhishek_Kumar1
Collaborator
‎2021-02-04 06:29 AM
Jump to solution

NAT isue with site to site VPN configuration

Hi Everyone with encryption domain

I am facing issue with Site to Site VPN encryption domain

I have create site site to tunnel between checkpoint and Azure VPN gateway. 

My firewall is deployed in Azure and my Vnet IP Pool is 10.10.0.0/16, we added entire subnet in encrytion domain. and setelite encrytion domain is 10.250.6.0/24

our tunnel is up and we are able to access peer and subnet form my etire Vnet subnet.

But we have issue when any user coming from AO VPN subnet which are using diffrent subnet (10.130.0.0/16) and we can not add that subnet in encrytion domain becuase if we add in this LAnding Zone traffic will not communicate with another vnet.

we did hide NAT with one firewall external interface IP Pool, so AO VPN traffic will hide with that perticular IP.

Below the NAT statement

source :- 10.139.0.0/16    

DST :- 10.250.6.0/24

Translate Src :- 10.10.10.10

 

so if src is 10.139.0.0/16 going to 10.250.6.0/24 should be translated to 10.10.10.10

10.10.10.10 is part of encryption domain and should work, 

but after applying policy, i can see only Syn packet on firewall, my communication is not working.

I am suspecting issue with NAT.

Thank you in advance for your suport 

 

Regards

Abhishek

 

 

 

0 Kudos
1 Solution

Accepted Solutions
Abhishek_Kumar1
Collaborator
‎2021-02-05 12:55 AM
In response to PhoneBoy
Jump to solution

I use the external interface IP range to NAT the AO vpn VPN subnet.

but it was not working, then i have added the NATed ip (10.10.10.20) in encryption domain even i already added the /16 subnet earlier and add the AO vpn subnet in encrytion as per TAC suggested, then it started working. and TAC said it will only encrypt the traffic when it will go to this related peer subnet. but i am still confuse, if i add AO vpn subnet in current VPN encryption domain, it will not impact other vpn connectivity 

View solution in original post

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2021-02-04 06:27 PM
Jump to solution

I suspect you need to NAT to an IP associated with the gateway (not some random IP).
Or you need a UDR that points 10.10.10.10 to the gateway.

0 Kudos
Abhishek_Kumar1
Collaborator
‎2021-02-05 12:55 AM
In response to PhoneBoy
Jump to solution

I use the external interface IP range to NAT the AO vpn VPN subnet.

but it was not working, then i have added the NATed ip (10.10.10.20) in encryption domain even i already added the /16 subnet earlier and add the AO vpn subnet in encrytion as per TAC suggested, then it started working. and TAC said it will only encrypt the traffic when it will go to this related peer subnet. but i am still confuse, if i add AO vpn subnet in current VPN encryption domain, it will not impact other vpn connectivity 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events