CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: site to site vpn

  1. #1
    Join Date: 2017-01-31 | Posts: 1 | Rep Power: 0

    site to site vpn

    Hi,

    I am setting up a site to site VPN.

    The customer and our company are using the same subnet, 10.x.x.0/24, hence the subnets overlap.

    So I need to NAT the IP subnet to a virtual IP subnet.

    Could you please guide me with the step-by-step settings?

    I just want to create a new NAT rule. How do I do that?

  2. #2
    Join Date: 2013-09-25 | Location: Bucharest | Posts: 636 | Rep Power: 5

    Re: site to site vpn

    You'll decide/agree with the remote side about what network you'll use to hide your network.
    E.g.
    - local network 10.x.x.0/24
    - new network that you will hide 10.x.x.0/24 behind will be 10.z.z.0/24
    - new network 10.y.y.0/24 that you will access on the client side - client will also have to per
    - add 10.z.z.0/24 to the ED of your equipment
    - add 10.y.y.0/24 to the ED of the object you'll create for the remote site
    - create a NAT rule src: 10.x.x.0/24 to dst: 10.y.y.0/24, hide it with 10.z.z.0/24 and keep destination "as Original"
    - create an accept/IPSEC rule 10.z.z.0/24 towards 10.y.y.0/24

  3. #3
    Join Date: 2007-06-04 | Posts: 3,244 | Rep Power: 15

    Re: site to site vpn

    Here's what you need to do.

    In this case it will work based on both yourself and the 3rd party having 10.10.10.0/24 as the network at each location.

    What you need to do is as follows:

    Agree with the 3rd party that you will NAT your Encryption Domain to 10.10.11.0/24 and that they will NAT their Encryption Domain behind 10.10.12.0/24. Obviously substitute for what you actually use.

    You should then define the 3rd party VPN Gateway with an Encryption Domain of 10.10.12.0/24.
    You should define a new Network for 10.10.11.0/24 and add that to your Encryption Domain, so your Local Encryption Domain is 10.10.10.0/24 AND 10.10.11.0/24.

    You then need to write the rules for the traffic so that:

    YOU to Third Party =

    Source = 10.10.10.0/24 Dest = 10.10.12.0/24

    Third Party to YOU =

    Source = 10.10.12.0/24 Dest = 10.10.11.0/24

    You then need to write the NAT Rules:

    Source = 10.10.10.0/24 Dest = 10.10.12.0/24, xlateSource(Static) = 10.10.11.0/24 xlateDest = Original
    Source = 10.10.12.0/24 Dest = 10.10.11.0/24 xlateSource = Original xlateDest(Static) = 10.10.10.0/24

    The Third Party will have to handle the NAT of the 10.10.12.0/24 with the 10.10.10.0/24 at their Gateway; you cannot just NAT your IP and then still try and send to 10.10.10.0/24 over the VPN.
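The two replies above describe the same scheme (hide each side's real subnet behind a distinct NAT subnet, extend the local encryption domain, then write matching access and static NAT rules). The script below is an added example, not from either poster and not Check Point's own tooling: it takes the three subnets from reply #3, checks that the proposed NAT subnets really remove the overlap (same size as the real subnet, and none of the three overlapping each other), and emits the encryption domains, access rules and NAT rules in the order reply #3 lists them. It also shows how a single host is translated under static NAT (same host offset in the new network). The names `plan_overlap_nat`, `static_translate` and `NatRule` are this example's own.

```python
"""Plan static NAT for a site-to-site VPN whose two ends use the same subnet.

Added illustration of the scheme in the replies above; all function and
class names here are this example's own, not Check Point API names.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    """One row of a NAT rulebase, as written in reply #3 (xlate = translated)."""
    src: str
    dst: str
    xlate_src: str
    xlate_dst: str


def _net(cidr: str) -> ipaddress.IPv4Network:
    # strict=True rejects host bits set in the prefix, e.g. 10.10.10.5/24
    return ipaddress.ip_network(cidr, strict=True)


def needs_overlap_nat(local_real: str, remote_real: str) -> bool:
    """True when the two sites' real subnets overlap and plain routing cannot work."""
    return _net(local_real).overlaps(_net(remote_real))


def plan_overlap_nat(local_real: str, local_nat: str, remote_nat: str) -> dict:
    """Return encryption domains, access rules and NAT rules for the overlap case.

    local_real  - the subnet actually used at our site (also used by the peer)
    local_nat   - the subnet we present to the peer (our static NAT pool)
    remote_nat  - the subnet the peer presents to us (their static NAT pool)
    """
    real, lnat, rnat = _net(local_real), _net(local_nat), _net(remote_nat)

    # Static (one-to-one) NAT maps host i of one network to host i of the
    # other, so the NAT subnets must be exactly the size of the real subnet.
    for label, net in (("local NAT", lnat), ("remote NAT", rnat)):
        if net.prefixlen != real.prefixlen:
            raise ValueError(f"{label} subnet {net} must be the same size as {real}")

    # If any of the three subnets overlap, the ambiguity has only been moved,
    # not removed: the gateway could not tell a real host from a NAT address.
    nets = {"local real": real, "local NAT": lnat, "remote NAT": rnat}
    labels = list(nets)
    for i, a in enumerate(labels):
        for b in labels[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError(f"{a} {nets[a]} overlaps {b} {nets[b]}")

    return {
        # Our encryption domain carries both the real and the NAT subnet;
        # the peer object carries only the subnet the peer shows us.
        "local_encryption_domain": [str(real), str(lnat)],
        "remote_encryption_domain": [str(rnat)],
        # Access rules: we talk to the peer's NAT subnet; the peer's NAT
        # subnet talks to our NAT subnet (never to the real one).
        "access_rules": [(str(real), str(rnat)), (str(rnat), str(lnat))],
        # NAT rules in the order reply #3 gives them.
        "nat_rules": [
            NatRule(str(real), str(rnat), str(lnat), "Original"),
            NatRule(str(rnat), str(lnat), "Original", str(real)),
        ],
    }


def static_translate(host: str, from_net: str, to_net: str) -> str:
    """Translate one host address under static NAT: keep its offset in the network."""
    addr, src, dst = ipaddress.ip_address(host), _net(from_net), _net(to_net)
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    if src.prefixlen != dst.prefixlen:
        raise ValueError("static NAT requires equal-size networks")
    offset = int(addr) - int(src.network_address)
    return str(ipaddress.ip_address(int(dst.network_address) + offset))


if __name__ == "__main__":
    # Constructed values taken from reply #3.
    plan = plan_overlap_nat("10.10.10.0/24", "10.10.11.0/24", "10.10.12.0/24")
    print("overlap without NAT:", needs_overlap_nat("10.10.10.0/24", "10.10.10.0/24"))
    for key, value in plan.items():
        print(f"{key}: {value}")
    print("10.10.10.5 is seen by the peer as",
          static_translate("10.10.10.5", "10.10.10.0/24", "10.10.11.0/24"))
```

Running it with the subnets from reply #3 prints the two encryption domains, the two access rules and the two NAT rules, and shows that host 10.10.10.5 is presented to the peer as 10.10.11.5. Passing the real subnet as its own NAT subnet, or a /25 instead of a /24, raises a `ValueError`, which is the check you want before committing a policy that would otherwise silently leave the overlap in place.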
