- Products
- Learn
- Local User Groups
- Partners
- More
Check Point Jump-Start Online Training
Now Available on CheckMates for Beginners!
Welcome to Maestro Masters!
Talk to Masters, Engage with Masters, Be a Maestro Master!
ZTNA Buyer’s Guide
Zero Trust essentials for your most valuable assets
The SMB Cyber Master
Boost your knowledge on Quantum Spark SMB gateways!
Check Point's Cyber Park is Now Open
Let the Games Begin!
As YOU DESERVE THE BEST SECURITY
Upgrade to our latest GA Jumbo
CheckFlix!
All Videos In One Space
Hello everybody!
Sorry if I posted in the wrong place, if I did, can you move my topic to the correct place?
I have a 3600 checkpoint with R81.10 take 335 standalone deployment.
I'm closing a Site to Site VPN with a company.
All networks that I have local were already being used on the company network that I want to close VPN.
So it was necessary to do a NAT, but I never did a NAT this way.
I tried to read the documentation but I couldn't find where I'm wrong.
The topology is as follows.
My business:
192.168.25.32/29
Company X:
Host IP: 10.1.3.115
Host IP: 10.1.3.116
Host IP: 172.22.99.99
I created the NAT rule
Original source: 192.168.100.48 a specific host to test the connection.
Original destination: 10.1.3.115
Original services: any
Translated Source: 192.168.25.33
Translated Destionation: Original
Translated Services: Original
I created the network rule.
Source: 10.1.3.115, 10.1.3.116, 172.22.99.99, 192.168.100.48 and 192.168.25.33
Destination: 10.1.3.115, 10.1.3.116, 172.22.99.99, 192.168.100.48 and 192.168.25.33
VPN:Community_to_company_x
Services & applications: any
Action: Accept
Track: Log
The client informs that the traffic arrives at his firewall, but it arrives with my company's public IP, the right thing would be to arrive with the NAT IP 192.168.25.33, so the firewall drops the packets
Sorry for my english, I'm using google translator
Message in log: Connection terminated before the Security Gateway was able to make a decision: Insufficient data passed.
To learn more see sk113479.
If you can answer this conversation with a print of how to configure it, I would greatly appreciate it
First thing that came to my mind is make sure inside VPN community that nat is not disabled, its option somewhere on the bottom left, under advanced I believe.
have you defined the source and destination networks (VPN Domain) in your VPN:Community_to_company_x ?
I would suggest to involve TAC to resolve this...
Hello,
I use to go through the following step in situations like yours. First check on your logs if the traffic from 192.168.100.48 to destination 10.1.3.115 is being NATed correctly, maybe a higher NAT rule is causing some problem.
If NAT is OK, make sure that you have real IP's and NATed IP's in your local encryption domain, you should have both. If you have it in this way you can go to the third step.
Go to sk108600: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
First check scenario 3, the external interfaces of the Gateway are included implicitly on the encryption. So you have to exclude your external IP address manually editing the crypt.def file according to the sk.
If that don't work you can also try the scenario 1, where you will define your local encryption domain for that peer manually editing the user.def.FW1, i've had cases like yours that were solved with this change and not with the previous.
HTH
About CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY