Site to Site VPN terminate on firewall with no public ip address via external firewall
Hi, I need to:
1) set up a VPN from AWS to an R81.20.
The question is:
Can I do a NAT of a public IP address to the inner firewall's private IP address?
Using NAT-T, will this allow me to terminate the VPN on the inner firewall and tunnel traffic using IPsec directly to the inner?
The network between the inner and outer is the same /24 network.
I will use sk100726.
The documentation suggests this is achievable, has anyone done this?
This will allow a significant simplification of the routing changes on the internal LAN that would otherwise be required.
Any help is appreciated.
Labels: Site to Site VPN
I'm fairly sure it is possible, you would just need to do static NAT in this case and make sure NAT is NOT disabled inside the VPN community.
Hey, do you have simple network diagram you can attach? I think that would help us as well.
Andy
Apologies, I thought I had attached the diagram.
Got it, yes, np man, we see it now! So essentially, just to make sure, the S2S is between AWS and the outer CP fw, but the connection has to flow all the way to the server itself, which is behind the INNER CP fw?
Andy
Hi Andy, many thanks.
Normally the VPN would terminate on the physical IP of the outer firewall.
But what I want to do is:
do a static NAT of a public IP on the outer FW to the inner FW and use that IP as the termination IP for the site.
If I do that, can we tunnel traffic using NAT-T and IPsec to the inner FW?
We don't want to route traffic on the outer FW.
K, that's more clear now. Good question actually... so you don't need S2S between the outer and inner fw, just to forward it to the inner?
Andy
Correct, connect/forward to the inner.
I would say as long as the rules allow it and the routing is there, there is no reason it would not work, as technically the inner firewall would simply "serve" as a passthrough (if you will) to reach the final destination.
Andy
This answer is provided by Infinity AI Copilot and should be confirmed by reviewing official documentation in Support Center.
Yes, you can set up a VPN from AWS to an R81.20 firewall without a public IP by using NAT to map a public IP to the inner firewall's private IP. Using NAT-T (NAT Traversal) will allow you to terminate the VPN on the inner firewall and tunnel traffic using IPsec directly to the inner firewall. This setup is supported and can simplify routing changes on your internal LAN.
Here are some key steps to consider:
- NAT Configuration: Ensure that the public IP is properly NATed to the private IP of the inner firewall. This will allow the VPN traffic to reach the inner firewall.
- NAT-T Configuration: Enable NAT Traversal on your VPN settings to handle the NATed traffic correctly.
- VPN Configuration: Follow the guidelines in sk100726 for configuring IPsec VPN between your Check Point Security Gateway and AWS VPC using static routes and Numbered VTI.
- Network Configuration: Since the network between the inner and outer firewalls is the same /24 network, ensure that routing and firewall rules are correctly set to allow traffic to flow between these networks.
- Testing and Validation: After configuration, test the VPN connection to ensure that traffic is correctly routed and encrypted between AWS and your internal network.
This approach is feasible and has been documented in Check Point's resources, allowing for a streamlined setup. If you encounter any issues, consider revisiting the configuration steps or consulting with Check Point support for further assistance.
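The thread hinges on why NAT-T is needed once the VPN endpoint sits behind the outer firewall's static NAT. The following added example (not from the thread or from Check Point) models the IKEv2 NAT detection step of RFC 7296 section 2.23 along the path AWS peer -> outer FW static NAT -> inner FW, using constructed RFC 5737/RFC 1918 addresses; it shows that both peers detect the NAT from the hash mismatch, so UDP/500 and UDP/4500 must be passed by the static NAT and the outer policy, while the no-NAT case (VPN terminated on the outer firewall's own IP) needs only UDP/500.

```python
import hashlib
import ipaddress
from dataclasses import dataclass

# Constructed lab addressing (RFC 5737 / RFC 1918), not taken from the thread.
AWS_PEER = "198.51.100.7"       # AWS VPN endpoint
OUTER_PUBLIC = "203.0.113.10"   # public IP held by the outer firewall
INNER_PRIVATE = "10.10.10.2"    # inner firewall on the shared /24
# Outer firewall static (1:1) NAT: public -> inner private, applied in both directions.
STATIC_NAT = {OUTER_PUBLIC: INNER_PRIVATE}


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP payload per RFC 7296 s2.23: SHA-1(SPIi | SPIr | IP | port)."""
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + packed_ip + port.to_bytes(2, "big")).digest()


def dnat(nat: dict, dst_ip: str) -> str:
    """Destination translation as the outer firewall performs it; unchanged if no rule."""
    return nat.get(dst_ip, dst_ip)


def snat(nat: dict, src_ip: str) -> str:
    """Reverse side of the same static rule: inner private -> public on the way out."""
    return {v: k for k, v in nat.items()}.get(src_ip, src_ip)


@dataclass
class IkeInitResult:
    inner_sees_dst_nat: bool  # inner FW: NAT_DETECTION_DESTINATION_IP mismatch
    aws_sees_src_nat: bool    # AWS side: NAT_DETECTION_SOURCE_IP mismatch

    def nat_t_required(self) -> bool:
        return self.inner_sees_dst_nat or self.aws_sees_src_nat

    def udp_ports_to_forward(self) -> tuple:
        # With NAT-T, ESP is carried inside UDP/4500; without NAT, IKE alone uses UDP/500.
        return (500, 4500) if self.nat_t_required() else (500,)


def simulate_ike_sa_init(spi_i: bytes, spi_r: bytes, nat: dict = STATIC_NAT) -> IkeInitResult:
    # 1. AWS hashes the destination it knows: the public IP, port 500.
    aws_dst_hash = nat_detection_hash(spi_i, spi_r, OUTER_PUBLIC, 500)
    # 2. The outer FW translates the destination; the inner FW recomputes over its own address.
    arrived_at = dnat(nat, OUTER_PUBLIC)
    inner_sees_dst_nat = nat_detection_hash(spi_i, spi_r, arrived_at, 500) != aws_dst_hash
    # 3. The inner FW answers with a SOURCE hash over its private IP; the outer FW rewrites
    #    the source, so AWS compares against the public IP it actually sees.
    inner_src_hash = nat_detection_hash(spi_i, spi_r, arrived_at, 500)
    aws_sees_src_nat = nat_detection_hash(spi_i, spi_r, snat(nat, arrived_at), 500) != inner_src_hash
    return IkeInitResult(inner_sees_dst_nat, aws_sees_src_nat)
```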
