AnsweredAssumed Answered

Explicit NAT exclusion statements when defining a VPN domain?

Question asked by Michael Ibarra on Jan 4, 2019
Latest reply on Jan 14, 2019 by Michael Ibarra

Hi everyone,

 

We have two locations--a corporate HQ and a remote datacenter--connected by a private fiber link, presently. We have a pair of 13800s in active/standby ClusterXL mode in the data center. Our policy for the 13800s has various NAT exclusions, keeping the original source address the same as traffic leaves the gateway and heads for other destination networks at the corporate HQ. We have a pair of Cisco ASAs in our corporate HQ, just to keep things interesting  

 

We will soon be moving to a VPN tunnel between these sites, delivered over the open Internet, and will therefore be defining a VPN domain on each gateway within the VPN community (for us, that will be just the center gateway in the data center and the satellite gateway at the corporate HQ site).

 

My question is whether or not we need to keep these existing NAT exclusion statements within our NAT policy even if we are defining nearly the same networks within the VPN domain on each gateway object.

 

I've been using the following SK for help on this: How to set up a Site-to-Site VPN with a 3rd-party remote gateway. The guide doesn't require NAT exclusion statements along with the VPN domains defined, so I'm thinking I do not need them, but I wanted to ask anyone out there who has been through this already. (On a different note, these VPN domains must match between those defined on the Check Point environment and those defined within the Cisco ASAs--otherwise, IKE phase 2 will not establish.)

 

Any help you can provide is greatly appreciated. Thank you very much in advance.

Outcomes