Bezze87
Explorer

Routing between VPNs with NAT

Good morning all,

I'm facing a problem routing traffic between two VPNs, because in one of them I need to NAT all the objects. My Check Point gateway is the one in the middle, between firewalls from different brands.

VPN_A is a domain-based VPN.
peer_A network_A: 172.29.70.0/24

NAT network to use: 172.29.71.0/24

Different objects behind my_gateway, NATted one to one:

1) 10.10.4.34 -- NATted to 172.29.71.34

2) 10.11.4.47 -- NATted to 172.29.71.47

Other object behind peer_B, NATted one to one:

3) 10.200.4.33 -- NATted to 172.29.71.33

VPN_B is a domain-based VPN.

peer_B network: 10.200.4.0/23

When I try communication from host 1 or 2, no problem; also from network_A, no problem with host 1 or 2.

When I try communication from host 3, no problem reaching hosts on network_A; the opposite, from network_A, I cannot reach host 3.

As you see in the image attached:

1) is the communication going correctly from host_3 to an object of network_A;

2) is the reverse communication, which is blocked on my gateway and isn't routed through VPN_B.

[Image: R81.10-SmartConsole-VPN.png]

4 Replies
PhoneBoy
Admin

How are the VPN communities set up here?
How are the encryption domains set up, particularly on the third-party devices?
Who is doing the NAT here (the third party or you)?

peer_A and peer_B will need to account for the NAT that needs to occur.

Bezze87
Explorer

Hi PhoneBoy,
thank you for the reply.

1) The VPN communities are set up as star communities.

VPN Routing: the last option, "To center or thro..., internet and other VPN targets".

2) On the encryption domain of peer_A I have only 172.29.70.0/24 - 172.29.71.0/24. From my side with peer_A I have 172.29.71.0/24 and the single hosts 10.10.4.34, 10.11.1.47, 10.200.4.33.

On the encryption domain of peer_B they have added 172.29.70.0/24 and other networks...
From my side with peer_B I have added 172.29.70.0/24 and other networks...

3) NAT is done by me towards peer_A with this network: 172.29.71.0/24.

In the meantime we have tried a lot, and probably we have achieved a solution:

First we tried to add on the encryption domain of peer_A also the network of peer_B, 10.200.4.0/23 (so we connect directly to the single host 10.200.4.33 without NAT): everything worked fine. So we were sure that the problem was the NAT done by me.

We split the NAT network into two networks: 172.29.71.0/25 and 172.29.71.128/25; we used the first network to NAT hosts and devices behind my gateway and the second one to NAT hosts behind peer_B. But now it's peer_B that is NATting the hosts behind itself (10.200.4.33), so the packet from peer_B is already NATted and my Check Point just reroutes it through the VPN.

It seems that this is the way; as you see, these are the last attempts:

1) host (behind peer_B) 10.200.4.33, NATted to 172.29.71.129, communicating with network_A 172.29.70.0/24: working fine.

2) host (behind peer_A) 172.29.70.32 communicating with the host 172.29.71.129 (behind peer_B): it's not working, but

my Check Point gateway now re-routes correctly into the VPN community of peer_B (and this wasn't done before).

[Image: R81.10-SmartConsole-VPN2.png]

I think that now it's just a misconfiguration on peer_B; these are the details of the third log:

[Image: R81.10-SmartConsole-VPN3.png]

PhoneBoy
Admin

It's definitely better to have the NAT done by the VPN peers.
In any case, the encryption domains on your gateway for Peer_A and Peer_B need to include the NAT addresses.

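As an added illustration of the point in the reply above (this is example code, not from the thread and not Check Point code): a small Python model of domain-based tunnel selection on a hub gateway, using the addresses from this thread. The model assumes that a flow is steered into a community's tunnel only when its source lies in the hub's own encryption domain for that community and its destination lies in the peer's encryption domain; the exact domain contents, the `LOCATION` map and the final layout after peer_B took over its own NAT are assumptions constructed for the example. Real gateways also apply NAT ordering and the rulebase, which are not modelled here.

```python
"""Toy model of domain-based VPN tunnel selection on a hub gateway.

Added example, not Check Point code. A flow enters a community's tunnel
when its source lies in the hub's own encryption domain for that community
and its destination lies in the peer's encryption domain. This is enough
to show why a NAT address that is missing from the relevant encryption
domain can never be steered into the right tunnel.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

Domains = Dict[str, Dict[str, List[str]]]

# Encryption domains as seen from the hub (my_gateway), using the thread's
# addresses. "local" = what the hub advertises to that peer, "peer" = the
# peer's domain. Assumed final layout after peer_B took over its own NAT.
COMMUNITIES: Domains = {
    "VPN_A": {
        "local": ["172.29.71.0/24", "10.10.4.34/32", "10.11.4.47/32"],
        "peer": ["172.29.70.0/24"],
    },
    "VPN_B": {
        "local": ["172.29.70.0/24"],
        "peer": ["10.200.4.0/23", "172.29.71.128/25"],  # NAT range of peer_B's hosts
    },
}

# Static one-to-one NAT mappings (real -> translated), constructed from the thread.
NAT_MAPPINGS: Dict[str, str] = {
    "10.10.4.34": "172.29.71.34",
    "10.11.4.47": "172.29.71.47",
    "10.200.4.33": "172.29.71.129",
}

# Where each real host sits: the community behind which it lives, or None
# when it is directly behind the hub. Constructed for this example.
LOCATION: Dict[str, Optional[str]] = {
    "10.10.4.34": None,
    "10.11.4.47": None,
    "10.200.4.33": "VPN_B",
}


def in_domain(addr: str, nets: List[str]) -> bool:
    """True when addr falls inside any of the given CIDR blocks."""
    ip = ip_address(addr)
    return any(ip in ip_network(net, strict=False) for net in nets)


def select_tunnel(src: str, dst: str, communities: Domains) -> Optional[str]:
    """Return the community whose domains match src -> dst, or None when the
    hub would not put the flow into any tunnel (clear-text routing or drop)."""
    for name, dom in communities.items():
        if in_domain(src, dom["local"]) and in_domain(dst, dom["peer"]):
            return name
    return None


def nat_gaps(nat: Dict[str, str], location: Dict[str, Optional[str]],
             communities: Domains) -> List[str]:
    """Translated addresses the hub cannot steer to their real host.

    A host behind a peer must have its NAT address inside that community's
    peer domain; a host behind the hub must have it inside the hub's local
    domain of at least one community. Anything listed here is unreachable
    through the VPN regardless of the NAT rules themselves."""
    gaps = []
    for real, translated in nat.items():
        behind = location[real]
        if behind is None:
            ok = any(in_domain(translated, d["local"]) for d in communities.values())
        else:
            ok = in_domain(translated, communities[behind]["peer"])
        if not ok:
            gaps.append(translated)
    return sorted(gaps)


def without_nat_range(communities: Domains) -> Domains:
    """Same layout but with peer_B's NAT range left out of VPN_B's peer
    domain, i.e. the misconfiguration this thread is about."""
    trimmed = {k: {s: list(v) for s, v in dom.items()} for k, dom in communities.items()}
    trimmed["VPN_B"]["peer"] = ["10.200.4.0/23"]
    return trimmed


if __name__ == "__main__":
    # Working direction from the thread: peer_B's NATted host to network_A.
    print(select_tunnel("172.29.71.129", "172.29.70.32", COMMUNITIES))
    # Return direction: enters VPN_B only because the NAT range is in its peer domain.
    print(select_tunnel("172.29.70.32", "172.29.71.129", COMMUNITIES))
    # Same flow with the NAT range missing from VPN_B's domain: no tunnel at all.
    print(select_tunnel("172.29.70.32", "172.29.71.129", without_nat_range(COMMUNITIES)))
    print(nat_gaps(NAT_MAPPINGS, LOCATION, without_nat_range(COMMUNITIES)))
```

Running `nat_gaps` against a proposed domain layout before changing the community is a cheap way to catch exactly the case from this thread: the translated address 172.29.71.129 sits inside the hub's domain towards peer_A, so it looks "covered", but unless it is also inside VPN_B's peer domain the hub has no tunnel to send the return traffic into.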
Bezze87
Explorer

Finally, it works 😄
