This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
fabiofabio
Collaborator
‎2022-04-21 11:40 PM
Jump to solution

Re: internal subnet of a tunnel vpn equal to my internal subnet

sorry if i'm wrong, as i said before i never dealt with nat. But from what I've read, wouldn't a hide nat on their side be enough? so the subnet I want comes directly to me

0 Kudos
1 Solution

Accepted Solutions
Bob_Zimmerman
Authority
Authority
‎2022-04-22 06:24 AM
In response to fabiofabio
Jump to solution

The NAT solution is really simple. You pick a NAT block for them to use, and they pick a NAT block for you to use. Each side applies the NATs for their own addresses using the NAT block provided by the peer. That way, you always talk with a block of addresses you know don't overlap with anything in our environment, they always talk with addresses which they know don't overlap with anything in their environment. Within the tunnel, it will be the addresses they selected for you and the addresses you selected for them, with no real addresses at all. Works for VPNs or WAN links, and keeps everything unambiguous.

View solution in original post

8 Replies
G_W_Albrecht
Legend Legend
Legend
‎2022-04-22 12:42 AM
Jump to solution

Always the best solution is to change one of the overlapping networks ! Using NAT is surely possible for a single VPN tunnel, but as soon as more tunnels and more overlapping networks add up, configuration gets harder and harder !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
fabiofabio
Collaborator
‎2022-04-22 12:47 AM
In response to G_W_Albrecht
Jump to solution

Certainly! in fact I have more vpn tunnels and this is the first time that I happen to have to use the nat to work around the problem. So do you recommend using hide nat or static nat? and in what way?

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-04-22 12:50 AM
In response to fabiofabio
Jump to solution

I recommend to change the overlapping internal network. The alternative is a lot of headache:

sk170812: Route Based VPN solution for Overlapping Encryption Domains

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
fabiofabio
Collaborator
‎2022-04-22 01:01 AM
In response to G_W_Albrecht
Jump to solution

in this case, it is a very large subnet, I cannot change it. I will try to convince the supplier to change it, but if it is not even possible on his part, how is it possible to solve with the nat?

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-04-22 01:44 AM
In response to fabiofabio
Jump to solution

The alternative is some headache😉:

sk170812: Route Based VPN solution for Overlapping Encryption Domains

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Bob_Zimmerman
Authority
Authority
‎2022-04-22 06:24 AM
In response to fabiofabio
Jump to solution

The NAT solution is really simple. You pick a NAT block for them to use, and they pick a NAT block for you to use. Each side applies the NATs for their own addresses using the NAT block provided by the peer. That way, you always talk with a block of addresses you know don't overlap with anything in our environment, they always talk with addresses which they know don't overlap with anything in their environment. Within the tunnel, it will be the addresses they selected for you and the addresses you selected for them, with no real addresses at all. Works for VPNs or WAN links, and keeps everything unambiguous.

G_W_Albrecht
Legend Legend
Legend
‎2022-04-25 02:21 AM
In response to Bob_Zimmerman
Jump to solution

This works good for two peers in one community, but tends to go more complicated for every peer added.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Bob_Zimmerman
Authority
Authority
‎2022-04-25 09:24 AM
In response to G_W_Albrecht
Jump to solution

At least it's a constant complexity overhead per connection to another company. I have about 250 such connections right now, and it's not too bad.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top