CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
I've always had the NAT on our FW set up the following way: Our internal LAN object is set to use Automatic Address Translation rules to hide behind an external IP address and it's set to Install on Gateway: *All. I'm not sure this is the right way to set it up, but that's how it is. So now, when I attempt to route internal traffic over our VPN (Cisco 3005) which is located on our DMZ, the VPN refuses to send the traffic over the tunnels because our internal addresses are being NATed to external addresses and don't match up with the other end of the tunnel. I'm trying to create a rule that prevents the internal addys from being NATed. Is this possible, or because of the way I have things set up (see above) do I need to change things around?
Yes, the automatic NAT rules will hit first. You can disable NAT for a VPN community: SmartDashboard -> IPSec VPN -> Community Properties -> Advanced Settings -> Advanced VPN Properties -> Disable NAT inside the VPN Community. That should take precedence over the Auto-NAT rules.

__________________
It's all in the documentation.
I believe from your description that the VPN is terminated on the Cisco 3005 Concentrator, which is located on the DMZ. In that case the community trick doesn't work, as that is for when the VPN is terminated on the Check Point. If the VPN is from the Check Point to the Cisco 3005 then that will work fine. If however the VPN terminates on the Cisco 3005 and goes off to another device for the VPN, then what you do is as follows. All you need to do is create a NAT rule at the top of the NAT section:

Src=Internal_Network
Dst=Far_End_VPN_Tunnel_Network
Srv=Any
xlateSrc=Original
xlateDst=Original
xlateSrv=Original

This will ensure that any traffic going from the Internal Network with a destination of the far end of the VPN tunnel is not Address Translated, as you tell it to keep the Src as Original. As the traffic hits that NAT rule first, because it is at the top, the Automatic NAT rule is not encountered. Traffic to the Internet or other destinations does not hit the No NAT rule and so that traffic is still NATted.
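To make the first-match behaviour described in the last reply concrete, here is an added simulation (not code from the thread or from Check Point) of a NAT rule base: a manual "no NAT" rule for the far end of the tunnel placed above the automatic Hide rule, versus the same two rules in the wrong order. The network and hide addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample values (RFC 1918 / RFC 5737 ranges), not taken from the thread.
INTERNAL = ipaddress.ip_network("10.1.0.0/16")          # Internal_Network
FAR_END = ipaddress.ip_network("172.16.5.0/24")         # Far_End_VPN_Tunnel_Network
HIDE_IP = ipaddress.ip_address("198.51.100.10")         # external address the LAN hides behind
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class NatRule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    xlate_src: Optional[ipaddress.IPv4Address]  # None models xlateSrc=Original

    def matches(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        return src in self.src and dst in self.dst


def translate(rulebase: List[NatRule], s: str, d: str) -> Tuple[str, str]:
    """First-match evaluation: the first rule whose Src/Dst match decides the
    translated source; later rules are never consulted for that packet."""
    src, dst = ipaddress.ip_address(s), ipaddress.ip_address(d)
    for rule in rulebase:
        if rule.matches(src, dst):
            new_src = rule.xlate_src if rule.xlate_src is not None else src
            return rule.name, str(new_src)
    return "no-match", str(src)


# Manual rule: Src=Internal_Network Dst=Far_End xlateSrc=Original
NO_NAT = NatRule("manual no-NAT", INTERNAL, FAR_END, None)
# Automatic Hide NAT rule generated for the internal LAN object
AUTO_HIDE = NatRule("automatic hide", INTERNAL, ANY, HIDE_IP)

CORRECT_ORDER = [NO_NAT, AUTO_HIDE]   # no-NAT rule at the top of the NAT section
WRONG_ORDER = [AUTO_HIDE, NO_NAT]     # no-NAT rule below the automatic rule: never reached


if __name__ == "__main__":
    for order, name in ((CORRECT_ORDER, "correct"), (WRONG_ORDER, "wrong")):
        print(name, "-> VPN peer:", translate(order, "10.1.2.3", "172.16.5.7"))
        print(name, "-> Internet:", translate(order, "10.1.2.3", "203.0.113.9"))
```

With the no-NAT rule on top, traffic bound for the far end keeps its original source while Internet-bound traffic is still hidden; with the order reversed, the tunnel-bound traffic is hidden too, which is the mismatch the original poster saw.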
Tags: dmz, nat external, vpn