How to configure site-to-site VPN between networks with same IP addressing scheme

2008-04-22, 05:03
As per the subject title, I tried searching Check Point and got the SK# below.

Solution ID: sk12870

But, unfortunately, I can't download it, and even our vendor has the same result. Does anyone have an idea on how to set it up? I need to set this up ASAP.

My Check Point is R55P.

2008-04-22, 12:17
There has been a problem with authentication on the UC. PM me with your e-mail address and I'll send you a copy.

2008-04-22, 21:10
I did PM to you. Please check. Thanks.

2008-04-24, 05:26
Got the file but can't open it.

2008-04-24, 09:29
Cannot open :-<

2008-04-27, 07:16
Same problem with the copy I downloaded. For anyone that asked me to send it to them, I'm in the same boat as you. Sorry.

2008-04-28, 03:15
Never mind. But do you have experience configuring it? In my case,
I just need to do Source NAT rather than both Source and Destination NAT.

Under the VPN tunnel, how do I do that? I will use Manual NAT. Is proxy ARP required?

Any steps on it?

2008-04-28, 04:12
If you have an overlapping IP scheme, then how can you only need to do a Src NAT, as surely the destination of the packet would be a local IP address?

If the other end is a 3rd party and is already NATting the destination for you to their internal network that overlaps with yours, then you are communicating with a non-overlapping range, as you talk to their NAT address.

If, however, you only need to do a src NAT, then you do the same as for any other NAT.

Define a new network address of the same size as your internal network but in a different subnet.

Src = internal_net
Dst = Remote_VPN_Net

xlatesrc = S(new_net)
Dst = Original

This will NAT 1-to-1 from the internal net to the new network range.

2008-04-28, 10:55
I think I need to clarify.

We form a VPN with a 3rd party gateway, but our internal source IP range conflicts with theirs. So for the site-to-site VPN, I need to do a SNAT.

2008-04-29, 04:40
As mcnallym said, set up the NAT on your side so all traffic from your internal network to the other party's VPN network is NATed.

The other party should set your NATed network as the "encryption domain" for your gateway, not your internal network.

So, on your side
NAT: int_net->remote_vpn_net->source(new non-conflicting net)->dst original

On the remote party's side they should define:
Your gateway as VPN peer
Encryption domain/ID - your new non-conflicting net that you are hiding your real net behind.
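The two answers above (the manual rule Src = internal_net / Dst = Remote_VPN_Net / xlatesrc = S(new_net) / xlatedst = Original, and the peer defining new_net as our encryption domain) can be modelled and sanity-checked before touching the policy. The following is an added example, not code from the thread or from Check Point: it models a static 1:1 source NAT of a whole network, shows what the peer sees, and checks the conditions the posters raise (new_net must be the same size as internal_net, must not overlap either side, and source NAT alone cannot help if our internal net overlaps the range the peer presents to us). All addresses and names (INTERNAL_NET, REMOTE_VPN_NET, NEW_NET, the functions) are constructed assumptions.

```python
import ipaddress

# Constructed example addressing (assumptions, not taken from the thread):
INTERNAL_NET = ipaddress.ip_network("10.10.0.0/24")      # our real LAN
REMOTE_VPN_NET = ipaddress.ip_network("192.168.77.0/24")  # the range the peer presents to us
NEW_NET = ipaddress.ip_network("172.31.200.0/24")         # non-conflicting net we hide behind


def static_translate(addr, orig_net, xlate_net):
    """1:1 (static) NAT of a whole network: keep the host bits, swap the network bits.
    e.g. 10.10.0.37 in 10.10.0.0/24 -> 172.31.200.37 in 172.31.200.0/24."""
    addr = ipaddress.ip_address(addr)
    if orig_net.prefixlen != xlate_net.prefixlen:
        raise ValueError("static NAT needs two networks of the same size")
    if addr not in orig_net:
        raise ValueError(f"{addr} is not inside {orig_net}")
    host_bits = int(addr) - int(orig_net.network_address)
    return ipaddress.ip_address(int(xlate_net.network_address) + host_bits)


def apply_snat_rule(src, dst):
    """Model of the manual NAT rule from the thread:
         Src = internal_net, Dst = Remote_VPN_Net, xlatesrc = S(new_net), xlatedst = Original
    Returns the (src, dst) pair as it will travel inside the tunnel; traffic that
    does not match the rule is left untranslated."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip in INTERNAL_NET and dst_ip in REMOTE_VPN_NET:
        src_ip = static_translate(src_ip, INTERNAL_NET, NEW_NET)
    return str(src_ip), str(dst_ip)


def peer_accepts(src, dst, peer_domain_for_us):
    """The peer's view: our translated source must fall inside the encryption
    domain they configured for our gateway. If they put our real network there
    instead of new_net, the NATed packets fall outside that domain."""
    xlated_src, _ = apply_snat_rule(src, dst)
    return ipaddress.ip_address(xlated_src) in ipaddress.ip_network(peer_domain_for_us)


def sanity_checks(internal, remote, new):
    """Checks worth making before installing the policy. Returns a list of problems."""
    internal, remote, new = (ipaddress.ip_network(n) for n in (internal, remote, new))
    problems = []
    if internal.overlaps(remote):
        # Source NAT alone cannot fix this: a host that sees a destination in its own
        # subnet treats it as local and never sends the packet to the gateway.
        problems.append("internal net overlaps the remote VPN net; source NAT alone is not enough")
    if new.overlaps(remote):
        problems.append("new_net still overlaps the remote VPN net")
    if new.overlaps(internal):
        problems.append("new_net overlaps our own internal net")
    if new.prefixlen != internal.prefixlen:
        problems.append("new_net must be the same size as internal_net for 1:1 NAT")
    return problems


if __name__ == "__main__":
    print(sanity_checks("10.10.0.0/24", "192.168.77.0/24", "172.31.200.0/24"))
    print(apply_snat_rule("10.10.0.37", "192.168.77.5"))
    print(peer_accepts("10.10.0.37", "192.168.77.5", "172.31.200.0/24"))
    print(peer_accepts("10.10.0.37", "192.168.77.5", "10.10.0.0/24"))
```

Run it with your own three ranges in place of the constructed ones; an empty list from sanity_checks() and a True from peer_accepts() with the domain the peer actually configured are what you want to see before asking them to bring the tunnel up.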

2008-04-29, 23:50
Thanks a lot. But I will use manual SNAT. Should I add the proxy ARP on my Nokia box?