This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
DFR_
Explorer
‎2019-06-24 08:16 AM
Jump to solution

Site-Site Tunnel with NAT to a second Tunnel

Hello all,

I'm in no way a experienced admin of Check Point, this is a situation that I was tasked with because no one else would take it.
I'm used to work with palo and asa devices, so I might be missing something here.

This is the basic layout:

Untitled.png

 

Due to whatever policies, 10.13.1.x can't be connected directly to 1.1.1.1, so the solution was to create the tunnel between devices 1 and 2.

Device 1 is a Fortinet that I have no control over.
The tunnel between device 2 and 10.13.1.x already exists and is ok.

I have assigned 172.31.221.201 to a internal interface on device 2, that is a Check Point device, and created access and nat rules that I can see applied on logs when I telnet one of the allowed ports from 10.13.1.11 to 172.31.201.82

Phase 1 is ok,  but the admin of device 1 says it sees device 2 trying to negotiate the 10.13.1.x subnet but not 172.31.221.x on phase 2. Is there any way I can force 2 to negotiate only the wanted subnet?

Should I create a new gateway object for this new tunnel and set the topology to this address? On a palo device I would create a new IKE gateway for each tunnel I want to establish. Is this the same logic on Check Point?

Thank you for any help you provide.

0 Kudos
1 Solution

Accepted Solutions
DFR_
Explorer
‎2019-08-13 06:47 AM
In response to PhoneBoy
Jump to solution

It wasn't solved, but thank you for the reply,

I had people with CheckPoint certs look at the config and nothing seemed wrong, but it wouldn't work as intended.

In the end, a few quirks like this one became deal breakers for the techs on the client team, so we replaced that demo device with something else they were more familiar with.

View solution in original post

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2019-06-26 07:33 PM
Jump to solution

What is the encryption domain defined as on your Gateway?
It should include ALL the subnets that need to communicate with the remote peer.
0 Kudos
DFR_
Explorer
‎2019-08-13 06:47 AM
In response to PhoneBoy
Jump to solution

It wasn't solved, but thank you for the reply,

I had people with CheckPoint certs look at the config and nothing seemed wrong, but it wouldn't work as intended.

In the end, a few quirks like this one became deal breakers for the techs on the client team, so we replaced that demo device with something else they were more familiar with.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events