CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Thread: site to site vpn

  1. #1
    site to site vpn


    I am setting up a site to site VPN.

    Customer and our company are using the same subnet 10.x.x.0/24, hence overlapping with the subnet.

    So I need to NAT the IP subnet with the Virtual IP subnet.

    Could you please guide me with the step by step settings?

    I just want to create a new NAT rule. How do I do that?

  2. #2
    Re: site to site vpn

    You'll decide/agree with remote side about what network you'll use to hide your network.
    - local network 10.x.x.0/24
    - new network that you will hide 10.x.x.0/2 will be 10.z.z.0/24
    - new network 10.y.y.0/24 that you will access on the client side - client will also have to per
    - add 10.z.z.0/24 on the ED of your equipment
    - add 10.y.y.0/24 on the ED of the object you'll create for the remote site
    - create a NAT rule src: 10.x.x.0/24 to dst: 10.y.y.0/24, hide it with 10.z.z.0/24 and keep destination "as Original"
    - create an accept/IPSEC rule 10.z.z.0/24 towards 10.y.y.0/24

  3. #3
    Re: site to site vpn

    Here's what you need to do

    In this case will work based on both yourself and the 3rd party having as the Network at each location

    What you need to do is as follows

    Agree with 3rd Party that you will NAT your Encryption Domain to and that they will NAT their Encryption Domain behind Obviously substitute for what you actually use.

    You should then define the 3rd Party VPN Gateway with an Encryption Domain of
    You should define a new Network for and add that to your Encryption Domain so your Local Encryption Domain is AND

    You then need to write the rules for the traffic so that

    YOU to Third Party =

    Source = Dest =

    Third Party to YOU =

    Source = Dest =

    You then need to write the NAT Rules

    Source = Dest =, xlateSource(Static) = xlateDest = Original
    Source = Dest = xlateSource = Original xlateDest(Static) =

    The Third Party will have to handle the NAT of the with the at their Gateway, you cannot just NAT your IP and then try and send to over the VPN still.
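
The address plan from the replies above, worked through as an added example (not code from the thread or from Check Point). The addresses 10.1.1.0/24, 10.2.2.0/24 and 10.3.3.0/24 are constructed stand-ins for 10.x.x.0/24, 10.z.z.0/24 and 10.y.y.0/24; the function names are hypothetical, and the return-direction NAT rule is an assumed reading of the rule layout in reply #3.

```python
import ipaddress as ip

def check_plan(local_real, local_nat, remote_nat):
    """Parse the three ranges; reject plans that cannot be mapped 1:1."""
    nets = [ip.ip_network(n) for n in (local_real, local_nat, remote_nat)]
    if len({n.prefixlen for n in nets}) != 1:
        raise ValueError("static NAT needs ranges of equal size")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):  # a NAT range that collides recreates the overlap
                raise ValueError(f"{a} overlaps {b}")
    return nets

def static_nat(addr, src_net, dst_net):
    """Translate addr to the same host offset inside dst_net."""
    addr, src, dst = ip.ip_address(addr), ip.ip_network(src_net), ip.ip_network(dst_net)
    if addr not in src:
        raise ValueError(f"{addr} is not in {src}")
    return dst.network_address + (int(addr) - int(src.network_address))

def build_plan(local_real, local_nat, remote_nat):
    """Encryption domains and NAT rules for our side of the tunnel."""
    real, lnat, rnat = map(str, check_plan(local_real, local_nat, remote_nat))
    return {
        # Our domain holds the real range and the range we present to the peer.
        "local_encryption_domain": [real, lnat],
        # The peer is only ever addressed by the range it presents to us.
        "peer_encryption_domain": [rnat],
        "nat_rules": [
            # Outbound: translate our source, leave the destination alone.
            {"source": real, "dest": rnat,
             "xlate_source": f"{lnat} (Static)", "xlate_dest": "Original"},
            # Inbound (assumed): the peer targets our NAT range, map it back.
            {"source": rnat, "dest": lnat,
             "xlate_source": "Original", "xlate_dest": f"{real} (Static)"},
        ],
    }

if __name__ == "__main__":
    # Constructed addresses; substitute the ranges agreed with the peer.
    REAL, LOCAL_NAT, REMOTE_NAT = "10.1.1.0/24", "10.2.2.0/24", "10.3.3.0/24"
    for key, value in build_plan(REAL, LOCAL_NAT, REMOTE_NAT).items():
        print(key, value)
    print("10.1.1.25 is seen by the peer as", static_nat("10.1.1.25", REAL, LOCAL_NAT))
```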
