DFR_

Site-Site Tunnel with NAT to a second Tunnel

Hello all,

I'm in no way an experienced admin of Check Point; this is a situation I was tasked with because no one else would take it.
I'm used to working with Palo Alto and ASA devices, so I might be missing something here.

This is the basic layout:

[Image: Untitled.png]

Due to whatever policies, 10.13.1.x can't be connected directly to 1.1.1.1, so the solution was to create the tunnel between devices 1 and 2.

Device 1 is a Fortinet that I have no control over.
The tunnel between device 2 and 10.13.1.x already exists and is ok.

I have assigned 172.31.221.201 to an internal interface on device 2, which is a Check Point device, and created access and NAT rules that I can see being applied in the logs when I telnet to one of the allowed ports from 10.13.1.11 to 172.31.201.82.

Phase 1 is OK, but the admin of device 1 says it sees device 2 trying to negotiate the 10.13.1.x subnet, but not 172.31.221.x, in phase 2. Is there any way I can force device 2 to negotiate only the wanted subnet?

Should I create a new gateway object for this new tunnel and set its topology to this address? On a Palo Alto device I would create a new IKE gateway for each tunnel I want to establish. Is the logic the same on Check Point?

Thank you for any help you provide.
