nooni
Collaborator

Nat inside VPN tunnel to Fortigate

Hi
I am trying to do NAT translation inside the VPN tunnel and I can't wrap my head around this configuration.

The topology looks like this:
vpn.png
In the Encryption Domain on the Check Point I have 192.168.18.10 and 192.168.20.0/28.

So server 192.168.18.10 should communicate with 10.10.13.1, which in turn is translated on the Fortigate side to 10.10.12.10.

First issue: Check Point will not route the packet over the VPN tunnel when I have 192.168.20.0/28 in the EncDom.

If I put 192.168.20.0/28, which I did for a test, phase 2 fails, because of course this net is not really on the other side.

NAT is enabled in the community.

I need some suggestions on how to think here.

CaseyB
Advisor

I believe this is the NAT rule you are looking for if I am following you correctly.

VPN_NAT.png

nooni
Collaborator

I would like the 192.168.18.10 server to communicate with IP address 192.168.20.1 and not directly with 10.10.13.1; therefore the NAT table looks a bit weird.

So SRC 192.168.18.10 sends traffic to IP 192.168.20.1 and then this traffic gets translated to 10.10.13.1, so I do not have to use 10.10.13.1 in my local network.

CaseyB
Advisor

The firewall needs to have a route for 192.168.20.1 somewhere if you want it to be a destination, so it would have to be in the encryption domain on the Fortigate side, but then you'd be doing the NAT translation on the Fortigate side.

What problem are you trying to solve here?

Lesley
MVP Gold

You need to change the source IP in the NAT rule also, as stated before.

The 192.168.20.1 is a floating IP and should be attached to the FW with proxy ARP.

Both the real local IP range + local NAT pool should be in the local encryption domain. You only need to add the NAT pool of the Fortigate in the remote peer enc domain; no need for you to know the real IP range there.

-------
Please press "Accept as Solution" if my post solved it 🙂
nooni
Collaborator

Thanks, so 192.168.20.1 should be manually configured on each FW in the cluster, with the external as the interface then?

Lesley
MVP Gold

No, see it as a floating IP; it does not have to be directly configured on the interface.

With proxy ARP the firewall will answer with an ARP reply if traffic comes in. Make the FW aware the floating IP belongs to the firewall, just like you would do with public NAT if the IP range is routed to the FW and not directly configured on the interface.

-------
Please press "Accept as Solution" if my post solved it 🙂
nooni
Collaborator

So I used the static NAT function in the NAT object; that should be sufficient.

So the manual NAT rule should look like this?

Orig SRC 192.168.18.1, Orig DST 192.168.20.1, translated DST 10.10.13.1?

the_rock
MVP Gold

That looks right.

Best,
Andy
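A small model of the decision this thread is circling, added here as an example and not taken from any poster or from Check Point or Fortinet: with NAT enabled in the community, the manual NAT rule is applied first and the encryption-domain match is then made on the translated packet, which is why the untranslated destination 192.168.20.1 stays local while the translated 10.10.13.1 is tunnelled. Addresses are the thread's; the server's /24, the Fortigate NAT pool prefix 10.10.13.0/24 and the rule's original source 192.168.18.10 (the server) are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's setup. Addresses are the thread's; the /24
# around the server and the Fortigate NAT pool 10.10.13.0/24 are assumptions.
LOCAL_DOMAIN = [ip_network("192.168.18.0/24"), ip_network("192.168.20.0/28")]
REMOTE_DOMAIN = [ip_network("10.10.13.0/24")]  # Fortigate NAT pool, not its real LAN

# The manual rule from the thread: server -> floating 192.168.20.1 becomes -> 10.10.13.1.
# An optional "xlate_src" key models Lesley's advice to also translate the source.
RULES = [{
    "orig_src": ip_network("192.168.18.10/32"),  # assumption: the server itself
    "orig_dst": ip_network("192.168.20.1/32"),
    "xlate_dst": "10.10.13.1",
}]


def in_domain(addr, domain):
    return any(ip_address(addr) in net for net in domain)


def apply_manual_nat(src, dst, rules):
    """First matching rule wins, like a manual NAT rulebase read top-down."""
    for rule in rules:
        if ip_address(src) in rule["orig_src"] and ip_address(dst) in rule["orig_dst"]:
            return rule.get("xlate_src", src), rule.get("xlate_dst", dst)
    return src, dst


def vpn_decision(src, dst, rules, local_domain, remote_domain):
    """NAT is applied first; the community match then uses the translated packet.
    Returns (verdict, translated_src, translated_dst)."""
    xsrc, xdst = apply_manual_nat(src, dst, rules)
    if in_domain(xsrc, local_domain) and in_domain(xdst, remote_domain):
        return "encrypt", xsrc, xdst
    return "clear", xsrc, xdst  # e.g. local-to-local: never enters the tunnel


def domain_overlaps(local_domain, remote_domain):
    """Overlap between the two domains is a classic cause of 'not routed over the tunnel'."""
    return [(l, r) for l in local_domain for r in remote_domain if l.overlaps(r)]


if __name__ == "__main__":
    # Without the rule, destination 192.168.20.1 sits inside the local domain -> stays in the clear.
    print(vpn_decision("192.168.18.10", "192.168.20.1", [], LOCAL_DOMAIN, REMOTE_DOMAIN))
    # With the rule, the packet leaves as 192.168.18.10 -> 10.10.13.1 and is encrypted.
    print(vpn_decision("192.168.18.10", "192.168.20.1", RULES, LOCAL_DOMAIN, REMOTE_DOMAIN))
    print(domain_overlaps(LOCAL_DOMAIN, REMOTE_DOMAIN))
```

A host not matched by the rule (for instance 192.168.18.11) keeps 192.168.20.1 as its destination and therefore also stays in the clear, which is the check to run when one source works and another does not.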
the_rock
MVP Gold

I believe what Lesley suggested makes sense.

Best,
Andy