Posted 2006-09-21 by runcmd (Member, joined 2006-02-21, 56 posts)

B2B VPNs and NAT to Public IPs

Being fairly new to B2B VPNs, I have limited experience: I set up one in the past that was pretty straightforward and did not require a NAT. Now I must establish a B2B VPN (star topology) with a site whose internal network conflicts with a private IP range in use on my network.

Details: Both sides are running Check Point R55. The VPN will only include one or two computers in each of the two encryption domains. In order to make things simpler for myself, I would like the other site to purchase public IPs for the NAT. I'm thinking that by having them purchase a public IP to NAT behind, we will avoid any private IP conflicts in the future. (Is this a good proposal?) However, their technical person states that they can avoid purchasing additional public IPs, and avoid creating a NAT to another private IP range, by using a NAT of the following configuration on their side...

Code:
RULE:
+----------+-------------+--------+---------+--------+
|  Source  | Destination |  VPN   | Service | Action |
+----------+-------------+--------+---------+--------+
| Lan      | EncDmn      | TheVPN | * Any   | accept |
+----------+-------------+--------+---------+--------+

ADDRESS TRANSLATION:
+--------------------------------+------------------------------------+
|        Original Packet         |         Translated Packet          |
+--------+-------------+---------+---------+-------------+------------+
| Source | Destination | Service | Source  | Destination | Service    |
+--------+-------------+---------+---------+-------------+------------+
| Lan    | EncDmn      | * Any   | Gateway | = Original  | = Original |
+--------+-------------+---------+---------+-------------+------------+
The way I understand the above...
Lan = Their Network Object
EncDmn = My Participating Nodes
Gateway = Appears to be a Check Point gateway?

They did not include information on how the "LAN" NAT is defined inside the object properties. Neither did they include any IP information on what they intend to use for the NAT. What I don't understand from this picture is the translated packet. Why is the source a gateway? Are they actually using the public IP address of their gateway for the NAT? Can you do that? Due to the lack of more thorough information, am I being snowed?
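The translation the peer proposed is a many-to-one "hide" NAT: every host in their LAN leaves the tunnel with one address (their gateway's), and only the source port distinguishes the hosts. The model below is an added example, not code from the post and not Check Point's implementation; it shows, for a constructed topology, (1) that the peer's LAN collides with a local range, (2) what my encryption domain sees after the hide NAT, (3) how replies are mapped back using the NAT port, and (4) that a hide NAT cannot accept connections initiated from my side. Every address, port and host name here is an assumption, since the post gives no IP information.

```python
"""Model of a hide (many-to-one) source NAT in front of a B2B VPN whose remote LAN
overlaps a local range.  Added example; all addresses are constructed for
illustration and are not from the post."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# --- constructed sample topology (assumption: the post names no addresses) ---
MY_NETWORKS: List[Net] = [Net("10.1.0.0/16"), Net("172.16.0.0/20")]
MY_ENC_DOMAIN: List[IPv4] = [IPv4("10.1.5.10"), IPv4("10.1.5.11")]  # "EncDmn"
THEIR_LAN: Net = Net("10.1.0.0/16")                                  # "Lan": collides with my 10.1.0.0/16
THEIR_GATEWAY: IPv4 = IPv4("203.0.113.1")   # "Gateway": their public address (TEST-NET-3 doc range)


def conflicting_ranges(their_lan: Net, my_networks: List[Net]) -> List[Net]:
    """Local ranges the peer's LAN collides with.  Any hit means un-NATed traffic
    from their LAN would be unroutable (or misrouted) on my side."""
    return [n for n in my_networks if n.overlaps(their_lan)]


@dataclass(frozen=True)
class Packet:
    src: IPv4
    sport: int
    dst: IPv4
    dport: int


class HideNAT:
    """Many-to-one source NAT.  Hosts in `lan` talking to `enc_domain` leave with
    `hide_addr` as source; the source port is rewritten to a unique value so that
    replies can be mapped back to the right internal host."""

    def __init__(self, lan: Net, enc_domain: List[IPv4], hide_addr: IPv4,
                 first_port: int = 10000) -> None:
        self.lan, self.enc_domain, self.hide_addr = lan, enc_domain, hide_addr
        self.next_port = first_port
        self.table: Dict[Tuple[IPv4, int, IPv4, int], int] = {}    # original 4-tuple -> NAT port
        self.reverse: Dict[int, Tuple[IPv4, int, IPv4, int]] = {}  # NAT port -> original 4-tuple

    def outbound(self, pkt: Packet) -> Packet:
        """Lan -> EncDmn: source becomes the hide address, destination and service
        stay "= Original".  Anything not matching the NAT rule passes untranslated."""
        if pkt.src not in self.lan or pkt.dst not in self.enc_domain:
            return pkt
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return Packet(self.hide_addr, self.table[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """EncDmn -> hide address: undo the translation via the NAT port.  Returns
        None when no connection matches, which is also why a hide NAT cannot
        accept sessions initiated from the EncDmn side."""
        key = self.reverse.get(pkt.dport)
        if pkt.dst != self.hide_addr or key is None or key[2] != pkt.src or key[3] != pkt.sport:
            return None
        orig_src, orig_sport, _, _ = key
        return Packet(pkt.src, pkt.sport, orig_src, orig_sport)


def as_seen_by_my_gateway(nat: HideNAT, flows: List[Packet]) -> List[Packet]:
    """What arrives in my encryption domain after the peer applies its NAT."""
    return [nat.outbound(p) for p in flows]


def demo() -> dict:
    nat = HideNAT(THEIR_LAN, MY_ENC_DOMAIN, THEIR_GATEWAY)
    flows = [Packet(IPv4("10.1.20.7"), 51000, IPv4("10.1.5.10"), 443),
             Packet(IPv4("10.1.20.8"), 51000, IPv4("10.1.5.10"), 443),  # same sport, other host
             Packet(IPv4("10.1.20.7"), 51000, IPv4("10.1.5.11"), 22)]
    seen = as_seen_by_my_gateway(nat, flows)
    # My host's reply to the first flow is addressed to the hide address + NAT port.
    reply = nat.inbound(Packet(IPv4("10.1.5.10"), 443, THEIR_GATEWAY, seen[0].sport))
    return {"conflicts": conflicting_ranges(THEIR_LAN, MY_NETWORKS),
            "seen": seen,
            "reply": reply,
            # The return destination is their public address, so it cannot be
            # confused with anything inside my own ranges.
            "return_dst_is_private": any(THEIR_GATEWAY in n for n in MY_NETWORKS),
            # A session my side tries to open towards their LAN has no table entry.
            "unsolicited": nat.inbound(Packet(IPv4("10.1.5.10"), 443, THEIR_GATEWAY, 9999))}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical consequences for the question in the post: with this scheme my encryption domain only ever sees their gateway's address, so the overlap between the two 10.1.0.0/16 ranges is hidden in the LAN-to-EncDmn direction, but my hosts cannot initiate connections to individual hosts in their LAN (the `unsolicited` case), and their rule base, not mine, controls which of their hosts may use the tunnel.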