This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Bernardes
Advisor
Advisor
‎2023-02-20 08:33 AM
Jump to solution

VPN Site-to-Site with NAT

Hello Mates!

Could you please help me with a question?

 

I need to configure a Site-to-Site VPN, but for the remote peer (my partner site), a single IP address must arrive and not my entire subnet or subnet group.

For example: I have an 172.16.1.0/24 subnet, but my partner requires that this subnet arrives through the 192.168.1.10 IP.

May I have to put this single IP on VPN domain community by my side? How can I configure that on Check Point solution? And how can I confirm that is working fine?

Thank you!

0 Kudos
2 Solutions

Accepted Solutions
PhoneBoy
Admin
Admin
‎2023-02-21 07:30 AM
Jump to solution

Your encryption domain must include the “traffic to encrypt” which would be your local subnet.
You configure a manual NAT rule to translate your subnet when communicating to their encryption domain to the relevant IP (hide or source NAT depending on requirement).

View solution in original post

the_rock
MVP Platinum
MVP Platinum
‎2023-02-21 08:46 AM
Jump to solution

Also, to add to what @PhoneBoy said, make sure option for NAT inside VPN community (I believe last tab on the left at the bottom) is not checked where it says "Disable NAT inside VPN community" and then simply create manual NAT rule to reflect changes you want.

Andy

Best,
Andy

View solution in original post

6 Replies
PhoneBoy
Admin
Admin
‎2023-02-21 07:30 AM
Jump to solution

Your encryption domain must include the “traffic to encrypt” which would be your local subnet.
You configure a manual NAT rule to translate your subnet when communicating to their encryption domain to the relevant IP (hide or source NAT depending on requirement).

the_rock
MVP Platinum
MVP Platinum
‎2023-02-21 08:46 AM
Jump to solution

Also, to add to what @PhoneBoy said, make sure option for NAT inside VPN community (I believe last tab on the left at the bottom) is not checked where it says "Disable NAT inside VPN community" and then simply create manual NAT rule to reflect changes you want.

Andy

Best,
Andy
PhoneBoy
Admin
Admin
‎2023-02-21 09:08 AM
In response to the_rock
Jump to solution

That's an important option that I forget exists...and yet can still recall setting up VPNs in Traditional Mode 🙂

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-02-21 09:30 AM
In response to PhoneBoy
Jump to solution

No matter what, you are ALWAYS going to be CP guru 🙌

Best,
Andy
0 Kudos
Bernardes
Advisor
Advisor
‎2023-02-22 04:01 PM
Jump to solution

@the_rock  @PhoneBoy thank you so much for your help. I can configure successfully the VPN site-to-site with NAT so that the remote site receives just only one IP, no mattering which device was connected on my side.

the_rock
MVP Platinum
MVP Platinum
‎2023-02-23 04:24 AM
In response to Bernardes
Jump to solution

Glad it helped you.

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events