Re: VPN Interoperable object with same IP

carl_t · ‎2022-10-14

Hi All

A quick question, is it possible to have a interoperable object using the same IP? We want to build VPNs to a third party firewall but some different policies / vpn domains behind the same object need to be used.

We have tried this and it seems to have caused some issues, even though the different object is used in different communities.

Many thanks

G_W_Albrecht · ‎2022-10-14

Using the same IP as what else is using ? How to do routing in this situation ?

CCSE CCTE CCSM SMB Specialist

carl_t · ‎2022-10-14

Hi

The interoperable object is a Cisco ASA FW, we build VPNs to it from our Checkpoint Firewalls.

I have created another object using a different name but the same IP, this is then used in different vpn communities

G_W_Albrecht · ‎2022-10-14

So how do you expect VPN routing will work in this situation with two identical IPs ?

CCSE CCTE CCSM SMB Specialist

carl_t · ‎2022-10-14

its from 2 different Checkpoints using 2 different vpn communities and 2 different "named" objects. every other firewall vendor has no issue doing this.

G_W_Albrecht · ‎2022-10-14

Can you provide a topology map? These are 2 different CP GWs and the double IP is not present on one GW, but each has the same IP ?

CCSE CCTE CCSM SMB Specialist

carl_t · ‎2022-10-14

Hi, see attached diagram, I have made up the IP's for ref only

G_W_Albrecht · ‎2022-10-14

And both CP GWs are managed by the same SMS ? Better open a SR# with CP TAC to get to a supported configuration !

CCSE CCTE CCSM SMB Specialist

the_rock · ‎2022-10-14

I personally had never seen this done with any vendor before...would love an example of it working.

PhoneBoy · ‎2022-10-14

I recommend checking with TAC if this is a supported configuration (having two different VPN gateways with same IP).
Pretty sure this won’t work/be supported, though.

carl_t · ‎2022-10-14

If its not supported, that means every Checkpoint Gateway is forced to use the same parameters and vpn domains as all the others, this is not flexible at all if this is the case.

With ASA and other vendors you can choose whatever subnets you like to different firewalls using different polices etc

the_rock · ‎2022-10-14

With CP, you can always choose different VPN domain for different VPN communities, thats been supported for some time now. Now, obviously, you create separate rules (usually within same policy package) to reflect access needed for each VPN community.

Are we missing something here?

RS_Daniel · ‎2022-10-14

Hello,

Always that i have faced a situation with duplicated IP addresses TAC told me to avoid that. Many features look for the specific object into the data base using the IP address and it can end using the wrong object.

I think it is possible to get this working, but never had this scenario. I would try adding both remote vpn domains in one interoperable object, lets's say remote vpn domain A and remote vpn domain B. And make sure tunnel sharing is set to "per subnet pair".

Just make sure that on the first checkpoint gateway, the generated traffic is always with destination remote vpn domain A, so in phase two, checkpoint gateway will send the ID's --> "Your_Network - remote vpn domain A", and only that, it will not include remote network B, the ID's are based on the generated traffic. And the same on second checkpoint gateway, only traffic with destination remote vpn domain B should go through this gateway.

Of course you have to manage your internal routing correctly for both remote vpn domains, if these are adjacent networks maybe you will have to edit user.def file to avoid supernetting, take care of NAT, etc, etc. Again it is my personal opinion and never configured something like your scenario. HTH.

Regards

RS_Daniel · ‎2022-10-14

Forgot the other option that would avoid vpn domain's issues, you can use route based vpn's!!! and keep yourself on a supported configuration as G_W_Albrecht said in case you need TAC assistance.

Are you a member of CheckMates?

VPN Interoperable object with same IP