carl_t
Contributor

VPN Interoperable object with same IP

Hi All

A quick question: is it possible to have an interoperable object using the same IP? We want to build VPNs to a third-party firewall, but some different policies / VPN domains behind the same object need to be used.

We have tried this and it seems to have caused some issues, even though the different object is used in different communities.

Many thanks

0 Kudos
13 Replies
G_W_Albrecht
Legend

Using the same IP as what else is using? How do you do routing in this situation?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
carl_t
Contributor

Hi

The interoperable object is a Cisco ASA FW, we build VPNs to it from our Checkpoint Firewalls.

I have created another object using a different name but the same IP; this is then used in different VPN communities.

0 Kudos
G_W_Albrecht
Legend

So how do you expect VPN routing will work in this situation with two identical IPs?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
carl_t
Contributor

It's from 2 different Checkpoints using 2 different VPN communities and 2 different "named" objects. Every other firewall vendor has no issue doing this.

0 Kudos
G_W_Albrecht
Legend

Can you provide a topology map? These are 2 different CP GWs, and the double IP is not present on one GW, but each has the same IP?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
carl_t
Contributor

Hi, see the attached diagram. I have made up the IPs for reference only.

0 Kudos
G_W_Albrecht
Legend

And both CP GWs are managed by the same SMS? Better open an SR# with CP TAC to get to a supported configuration!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
Legend

I personally had never seen this done with any vendor before... would love an example of it working.

0 Kudos
PhoneBoy
Admin

I recommend checking with TAC if this is a supported configuration (having two different VPN gateways with same IP).
Pretty sure this won’t work/be supported, though.

0 Kudos
carl_t
Contributor

If it's not supported, that means every Checkpoint Gateway is forced to use the same parameters and VPN domains as all the others; this is not flexible at all if this is the case.

With ASA and other vendors you can choose whatever subnets you like to different firewalls using different policies, etc.

0 Kudos
the_rock
Legend

With CP, you can always choose a different VPN domain for different VPN communities; that's been supported for some time now. Now, obviously, you create separate rules (usually within the same policy package) to reflect the access needed for each VPN community.

Are we missing something here?

0 Kudos
RS_Daniel
Advisor

Hello,

Whenever I have faced a situation with duplicated IP addresses, TAC told me to avoid that. Many features look for the specific object in the database using the IP address, and it can end up using the wrong object.

I think it is possible to get this working, but I have never had this scenario. I would try adding both remote VPN domains in one interoperable object, let's say remote VPN domain A and remote VPN domain B, and make sure tunnel sharing is set to "per subnet pair".

Just make sure that on the first Checkpoint gateway, the generated traffic always has destination remote VPN domain A, so in phase two the Checkpoint gateway will send the IDs --> "Your_Network - remote VPN domain A", and only that; it will not include remote network B, as the IDs are based on the generated traffic. And the same on the second Checkpoint gateway: only traffic with destination remote VPN domain B should go through this gateway.

Of course you have to manage your internal routing correctly for both remote VPN domains; if these are adjacent networks, maybe you will have to edit the user.def file to avoid supernetting, take care of NAT, etc., etc. Again, it is my personal opinion and I have never configured something like your scenario. HTH.

Regards

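The point above about duplicated IP addresses confusing object lookups is easy to catch before policy install. The following is an added pre-flight check, not Check Point's own code or API: it assumes a simplified, constructed export of gateway objects and VPN communities (the field names here are an assumption for the example, not the Management API's real output schema) and reports every peer IP shared by more than one object, together with the communities that reference those objects.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data. The keys "type", "ipv4-address" and "gateways"
# are assumed for this example; adapt them to whatever export you actually use.
SAMPLE_OBJECTS = [
    {"name": "ASA-Partner-A", "type": "interoperable-device", "ipv4-address": "203.0.113.10"},
    {"name": "ASA-Partner-B", "type": "interoperable-device", "ipv4-address": "203.0.113.10"},
    {"name": "ASA-Other",     "type": "interoperable-device", "ipv4-address": "203.0.113.20"},
    {"name": "CP-GW-1",       "type": "simple-gateway",       "ipv4-address": "198.51.100.1"},
    {"name": "CP-GW-2",       "type": "simple-gateway",       "ipv4-address": "198.51.100.2"},
]
SAMPLE_COMMUNITIES = [
    {"name": "Community-A", "gateways": ["CP-GW-1", "ASA-Partner-A"]},
    {"name": "Community-B", "gateways": ["CP-GW-2", "ASA-Partner-B"]},
    {"name": "Community-C", "gateways": ["CP-GW-1", "ASA-Other"]},
]

PEER_TYPES = ("interoperable-device", "simple-gateway")


def find_duplicate_peer_ips(objects):
    """Return {ip: [object names]} for every IP used by more than one VPN peer object."""
    by_ip = defaultdict(list)
    for obj in objects:
        if obj.get("type") not in PEER_TYPES:
            continue
        ip = ipaddress.ip_address(obj["ipv4-address"])  # raises on malformed input
        by_ip[ip].append(obj["name"])
    return {str(ip): sorted(names) for ip, names in by_ip.items() if len(names) > 1}


def duplicate_ip_report(objects, communities):
    """For each duplicated IP, list the offending objects and the communities using them."""
    report = {}
    for ip, names in find_duplicate_peer_ips(objects).items():
        hits = sorted(c["name"] for c in communities
                      if any(n in c["gateways"] for n in names))
        report[ip] = {"objects": names, "communities": hits}
    return report


if __name__ == "__main__":
    for ip, info in duplicate_ip_report(SAMPLE_OBJECTS, SAMPLE_COMMUNITIES).items():
        print(f"WARNING: {ip} is used by {info['objects']} in {info['communities']}")
```

A non-empty report is the condition the replies above describe; it is worth confirming with TAC whether that layout is supported before relying on it.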
RS_Daniel
Advisor

Forgot the other option that would avoid VPN domain issues: you can use route-based VPNs!!! And keep yourself on a supported configuration, as G_W_Albrecht said, in case you need TAC assistance.

0 Kudos