This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Karen_Foster
Participant
‎2019-12-14 09:16 AM
Jump to solution

VPN with gateway as passthrough from cloud service to customer who requires public IP from cloud pro

We have two VPN tunnels; one is a bidirectional between us and a Cloud Service and the other is a one way between us and a customer with the traffic originating on our side of the tunnel. We need to be able to, either create a bi-directional tunnel between us and our customer, or a second tunnel with the traffic originating on the customer's side which can communicate with the Cloud Service. The current one-way tunnel between us and our customer has our external IP address defined on the gateway, but our customer is requiring us to assign another public IP address for the Cloud Service's traffic before they will allow traffic from their side through our side, then out to cloud. I am at a loss as to how to make this happen. The Cloud Service does not provide public IPs to use. Does this make sense? If so, how would I accomplish this and be able to have the traffic route properly? I have included a simple diagram to help explain the flow.

 

VPN-Traffic-Public.jpg

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2019-12-16 08:38 AM
In response to Karen_Foster
Jump to solution

You could theoretically add the customer to your existing community, assuming they can set their encryption settings to match the existing community.
Whatever IP you're using to access the cloud service over the VPN from your end now could then be used by the customer.
That assumes no overlapping IPs being used and the appropriate rules are in place.
Otherwise, you'll need an IP that isn't being used on the customer side that can be NATted to the cloud service.

View solution in original post

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2019-12-14 08:43 PM
Jump to solution

Without knowing anything about the nature of this traffic that's supposed to go from your customer to this cloud service, it's hard to say if this will even work much less whether a truly public IP will be required.

Assuming it's something simple like HTTPS, all that should be needed is an IP they're not using on their end.
They could even use the IP of the cloud service in question.
0 Kudos
Karen_Foster
Participant
‎2019-12-16 06:09 AM
In response to PhoneBoy
Jump to solution

PhoneBoy,

Assume https traffic.

1. The VPN connected to the cloud service is a Star topology with different encryption specifications than the tunnel with the client which is meshed, would I be able to add the client gateway and the cloud gateway to the same community? Because the tunnels are already established do I need to do anything further to route traffic from the client tunnel through our center gateway to the cloud tunnel assuming we can provide them with a public IP from the cloud provider? The VPN routing on the cloud tunnel is set to "To center or through the center to other .....".

2. If the cloud provider can not furnish a public IP (other than the one I have connected to the cloud tunnel), what are my other options? 

 

Thank you for help

0 Kudos
PhoneBoy
Admin
Admin
‎2019-12-16 08:38 AM
In response to Karen_Foster
Jump to solution

You could theoretically add the customer to your existing community, assuming they can set their encryption settings to match the existing community.
Whatever IP you're using to access the cloud service over the VPN from your end now could then be used by the customer.
That assumes no overlapping IPs being used and the appropriate rules are in place.
Otherwise, you'll need an IP that isn't being used on the customer side that can be NATted to the cloud service.
0 Kudos
Karen_Foster
Participant
‎2019-12-16 01:30 PM
In response to PhoneBoy
Jump to solution

Thank you

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events