VPN Interoperable object with same IP
Hi All
A quick question: is it possible to have an interoperable object using the same IP? We want to build VPNs to a third-party firewall, but some different policies / VPN domains behind the same object need to be used.
We have tried this and it seems to have caused some issues, even though the different object is used in different communities.
Many thanks
Labels: Site to Site VPN
Using the same IP as what else is using? How to do routing in this situation?
Hi
The interoperable object is a Cisco ASA FW; we build VPNs to it from our Check Point firewalls.
I have created another object using a different name but the same IP; this is then used in different VPN communities.
So how do you expect VPN routing will work in this situation with two identical IPs?
It's from 2 different Check Points using 2 different VPN communities and 2 different "named" objects. Every other firewall vendor has no issue doing this.
Can you provide a topology map? These are 2 different CP GWs and the double IP is not present on one GW, but each has the same IP?
Hi, see attached diagram. I have made up the IPs for reference only.
And both CP GWs are managed by the same SMS? Better open an SR# with CP TAC to get to a supported configuration!
I personally had never seen this done with any vendor before...would love an example of it working.
I recommend checking with TAC if this is a supported configuration (having two different VPN gateways with same IP).
Pretty sure this won’t work/be supported, though.
If it's not supported, that means every Check Point gateway is forced to use the same parameters and VPN domains as all the others; this is not flexible at all if this is the case.
With ASA and other vendors you can choose whatever subnets you like to different firewalls using different policies etc.
With CP, you can always choose different VPN domains for different VPN communities; that's been supported for some time now. Now, obviously, you create separate rules (usually within the same policy package) to reflect the access needed for each VPN community.
Are we missing something here?
Hello,
Whenever I have faced a situation with duplicated IP addresses, TAC told me to avoid that. Many features look up the specific object in the database using the IP address, and it can end up using the wrong object.
I think it is possible to get this working, but I have never had this scenario. I would try adding both remote VPN domains in one interoperable object, let's say remote VPN domain A and remote VPN domain B, and make sure tunnel sharing is set to "per subnet pair".
Just make sure that on the first Check Point gateway, the generated traffic always has destination remote VPN domain A, so in phase two the Check Point gateway will send the IDs --> "Your_Network - remote VPN domain A", and only that; it will not include remote network B, since the IDs are based on the generated traffic. And the same on the second Check Point gateway: only traffic with destination remote VPN domain B should go through this gateway.
Of course you have to manage your internal routing correctly for both remote VPN domains; if these are adjacent networks, maybe you will have to edit the user.def file to avoid supernetting, take care of NAT, etc. Again, it is my personal opinion and I have never configured something like your scenario. HTH.
Regards
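The two risks raised in this reply (objects that share a peer IP, and adjacent remote VPN domains that supernetting could merge into one subnet pair) can be checked before pushing policy. The following is an added example, not code from the thread or from Check Point; the object list is a constructed sample whose names, addresses and field names are made up for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of interoperable devices, loosely modelled on how a
# management database lists them (hypothetical field names and values).
OBJECTS = [
    {"name": "ASA-PartnerA", "ipv4-address": "203.0.113.10",
     "vpn-domain": ["172.16.0.0/24"]},
    {"name": "ASA-PartnerB", "ipv4-address": "203.0.113.10",
     "vpn-domain": ["172.16.1.0/24"]},
    {"name": "Branch-FW", "ipv4-address": "198.51.100.7",
     "vpn-domain": ["10.50.0.0/16"]},
]


def duplicate_peer_ips(objects):
    """Return {ip: [object names]} for every peer IP used by more than one
    object. Lookups keyed on the IP alone cannot tell these objects apart."""
    by_ip = defaultdict(list)
    for obj in objects:
        by_ip[obj["ipv4-address"]].append(obj["name"])
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}


def adjacent_domains(objects):
    """Find pairs of remote VPN domains of equal size that sit inside one
    common supernet (e.g. two adjacent /24s forming a /23). With tunnel
    sharing "per subnet pair", such pairs are the candidates for being
    merged by supernetting and so for the user.def exception the reply
    mentions. Returns (name1, net1, name2, net2, supernet) tuples."""
    nets = [(obj["name"], ipaddress.ip_network(n))
            for obj in objects for n in obj["vpn-domain"]]
    hits = []
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.prefixlen != net_b.prefixlen:
                continue
            parent = net_a.supernet()  # one bit shorter prefix
            if net_b.subnet_of(parent):
                hits.append((name_a, str(net_a), name_b, str(net_b),
                             str(parent)))
    return hits


if __name__ == "__main__":
    for ip, names in duplicate_peer_ips(OBJECTS).items():
        print(f"duplicate peer IP {ip}: {', '.join(names)}")
    for a, na, b, nb, sup in adjacent_domains(OBJECTS):
        print(f"{a} {na} and {b} {nb} could supernet into {sup}")
```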
Forgot the other option that would avoid VPN domain issues: you can use route-based VPNs!!! And keep yourself on a supported configuration, as G_W_Albrecht said, in case you need TAC assistance.