This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
carl_t
Contributor
‎2022-10-14 01:55 AM

VPN Interoperable object with same IP

Hi All

A quick question, is it possible to have a interoperable object using the same IP? We want to build VPNs to a third party firewall but some different policies / vpn domains behind the same object need to be used.

We have tried this and it seems to have caused some issues, even though the different object is used in different communities.

Many thanks

Labels
0 Kudos
13 Replies
G_W_Albrecht
Legend Legend
Legend
‎2022-10-14 01:59 AM

Using the same IP as what else is using ? How to do routing in this situation ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
carl_t
Contributor
‎2022-10-14 02:16 AM
In response to G_W_Albrecht

Hi

The interoperable object is a Cisco ASA FW, we build VPNs to it from our Checkpoint Firewalls.

I have created another object using a different name but the same IP, this is then used in different vpn communities

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-10-14 02:36 AM
In response to carl_t

So how do you expect VPN routing will work in this situation with two identical IPs ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
carl_t
Contributor
‎2022-10-14 02:51 AM
In response to G_W_Albrecht

its from 2 different Checkpoints using 2 different vpn communities and 2 different "named" objects. every other firewall vendor has no issue doing this.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-10-14 03:10 AM
In response to carl_t

Can you provide a topology map? These are 2 different CP GWs and the double IP is not present on one GW, but each has the same IP ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
carl_t
Contributor
‎2022-10-14 03:49 AM
In response to G_W_Albrecht

Hi, see attached diagram, I have made up the IP's for ref only

Preview file
56 KB
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-10-14 04:24 AM
In response to carl_t

And both CP GWs are managed by the same SMS ? Better open a SR# with CP TAC to get to a supported configuration !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
Legend
Legend
‎2022-10-14 06:00 AM
In response to carl_t

I personally had never seen this done with any vendor before...would love an example of it working.

0 Kudos
PhoneBoy
Admin
Admin
‎2022-10-14 05:55 AM

I recommend checking with TAC if this is a supported configuration (having two different VPN gateways with same IP).
Pretty sure this won’t work/be supported, though.

0 Kudos
carl_t
Contributor
‎2022-10-14 06:08 AM
In response to PhoneBoy

If its not supported, that means every Checkpoint Gateway is forced to use the same parameters and vpn domains as all the others, this is not flexible at all if this is the case.

With ASA and other vendors you can choose whatever subnets you like to different firewalls using different polices etc

0 Kudos
the_rock
Legend
Legend
‎2022-10-14 06:12 AM
In response to carl_t

With CP, you can always choose different VPN domain for different VPN communities, thats been supported for some time now. Now, obviously, you create separate rules (usually within same policy package) to reflect access needed for each VPN community. 

Are we missing something here?

0 Kudos
RS_Daniel
Advisor
‎2022-10-14 06:13 AM

Hello,

Always that i have faced a situation with duplicated IP addresses TAC told me to avoid that. Many features look for the specific object into the data base using the IP address and it can end using the wrong object.

I think it is possible to get this working, but never had this scenario. I would try adding both remote vpn domains in one interoperable object, lets's say remote vpn domain A and remote vpn domain B. And make sure tunnel sharing is set to "per subnet pair".

Just make sure that on the first checkpoint gateway, the generated traffic is always with destination remote vpn domain A, so in phase two, checkpoint gateway will send the ID's --> "Your_Network - remote vpn domain A", and only that, it will not include remote network B, the ID's are based on the generated traffic. And the same on second checkpoint gateway, only traffic with destination remote vpn domain B should go through this gateway.

Of course you have to manage your internal routing correctly for both remote vpn domains, if these are adjacent networks maybe you will have to edit user.def file to avoid supernetting, take care of NAT, etc, etc. Again it is my personal opinion and never configured something like your scenario. HTH.

Regards

RS_Daniel
Advisor
‎2022-10-14 06:22 AM
In response to RS_Daniel

Forgot the other option that would avoid vpn domain's issues, you can use route based vpn's!!! and keep yourself on a supported configuration as G_W_Albrecht said in case you need TAC assistance.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events