CPUG: The Check Point User Group


Thread: site to site vpn

  1. #1 - site to site vpn

    Hi,

    I am setting up a site to site vpn

    The customer and our company are using the same subnet 10.x.x.0/24, hence the subnets overlap.

    So I need to NAT the IP subnet with the Virtual IP subnet.

    Could you please guide me with the step by step settings?

    I just want to create a new NAT rule. How do I do that?

  2. #2 - Re: site to site vpn

    You'll decide/agree with remote side about what network you'll use to hide your network.
    E.g.
    - local network 10.x.x.0/24
    - new network that you will hide 10.x.x.0/24 behind will be 10.z.z.0/24
    - new network 10.y.y.0/24 that you will access on the client side - client will also have to per
    - add 10.z.z.0/24 on the ED of your equipment
    - add 10.y.y.0/24 on the ED of the object you'll create for the remote site
    - create a NAT rule src: 10.x.x.0/24 to dst: 10.y.y.0/24, hide it with 10.z.z.0/24 and keep destination "as Original"
    - create an accept/IPSEC rule 10.z.z.0/24 towards 10.y.y.0/24

  3. #3 - Re: site to site vpn

    Here's what you need to do.

    In this case it will work based on both yourself and the 3rd party having 10.10.10.0/24 as the Network at each location.

    What you need to do is as follows

    Agree with the 3rd Party that you will NAT your Encryption Domain to 10.10.11.0/24 and that they will NAT their Encryption Domain behind 10.10.12.0/24. Obviously substitute for what you actually use.

    You should then define the 3rd Party VPN Gateway with an Encryption Domain of 10.10.12.0/24
    You should define a new Network for 10.10.11.0/24 and add that to your Encryption Domain so your Local Encryption Domain is 10.10.10.0/24 AND 10.10.11.0/24.

    You then need to write the rules for the traffic so that

    YOU to Third Party =

    Source = 10.10.10.0/24 Dest = 10.10.12.0/24

    Third Party to YOU =

    Source = 10.10.12.0/24 Dest = 10.10.11.0/24

    You then need to write the NAT Rules

    Source = 10.10.10.0/24 Dest = 10.10.12.0/24, xlateSource(Static) = 10.10.11.0/24 xlateDest = Original
    Source = 10.10.12.0/24 Dest = 10.10.11.0/24 xlateSource = Original xlateDest(Static) = 10.10.10.0/24

    The Third Party will have to handle the NAT of the 10.10.12.0/24 with the 10.10.10.0/24 at their Gateway, you cannot just NAT your IP and then try and send to 10.10.10.0/24 over the VPN still.
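The following is an added worked example, not code from either answer above and not a Check Point tool: a small Python model of the static (1:1) NAT scheme that posts #2 and #3 describe, using the addresses from post #3 (10.10.10.0/24 real on both sides, 10.10.11.0/24 as our NAT network, 10.10.12.0/24 as the third party's). It lets you check, before touching the rulebase, that the two NAT rules translate a connection correctly in both directions, that the encryption domains no longer overlap, and that a packet sent to the real 10.10.10.0/24 instead of the third party's NAT network never matches a rule and never qualifies for the tunnel, which is the failure the last paragraph of post #3 warns about. All names and the rule model are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example values, following the addressing used in post #3.
LOCAL_NET = "10.10.10.0/24"    # our real network (identical to the third party's)
LOCAL_NAT = "10.10.11.0/24"    # what the third party sees our hosts as
REMOTE_NAT = "10.10.12.0/24"   # what we see the third party's hosts as

# Encryption domains after the change: ours is real + NAT net, theirs is their NAT net.
LOCAL_DOMAIN = [LOCAL_NET, LOCAL_NAT]
REMOTE_DOMAIN = [REMOTE_NAT]


@dataclass(frozen=True)
class NatRule:
    """One row of an ordered NAT rulebase (hypothetical model, not the vendor's object)."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    xlate_src: Optional[ipaddress.IPv4Network]  # None means "Original"
    xlate_dst: Optional[ipaddress.IPv4Network]  # None means "Original"


def rule(src, dst, xlate_src=None, xlate_dst=None):
    n = ipaddress.IPv4Network
    return NatRule(n(src), n(dst),
                   n(xlate_src) if xlate_src else None,
                   n(xlate_dst) if xlate_dst else None)


# The two NAT rules from post #3: static-hide the outbound source, un-hide the inbound destination.
RULES = [
    rule(LOCAL_NET, REMOTE_NAT, xlate_src=LOCAL_NAT),
    rule(REMOTE_NAT, LOCAL_NAT, xlate_dst=LOCAL_NET),
]


def _static_map(addr, from_net, to_net):
    """Static (1:1) subnet translation: keep the host offset, swap the network part."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("static NAT needs networks of equal size")
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.IPv4Address(int(to_net.network_address) + offset)


def apply_nat(src, dst, rules=RULES):
    """Return (src, dst) after the first matching rule; untouched if none matches."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if s in r.src and d in r.dst:
            if r.xlate_src is not None:
                s = _static_map(s, r.src, r.xlate_src)
            if r.xlate_dst is not None:
                d = _static_map(d, r.dst, r.xlate_dst)
            break
    return str(s), str(d)


def domain_overlaps(local_domain, remote_domain):
    """List every (local, remote) network pair that overlaps; empty means the VPN can route cleanly."""
    n = ipaddress.IPv4Network
    return [(a, b) for a in local_domain for b in remote_domain if n(a).overlaps(n(b))]


def enters_tunnel(src, dst, local_domain=LOCAL_DOMAIN, remote_domain=REMOTE_DOMAIN):
    """True if the (post-NAT) packet is local-domain -> remote-domain, i.e. VPN-eligible."""
    n = ipaddress.IPv4Network
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(s in n(x) for x in local_domain) and any(d in n(x) for x in remote_domain)


def round_trip(local_host, remote_host_as_seen):
    """Outbound packet through rule 1, then the reply through rule 2."""
    out = apply_nat(local_host, remote_host_as_seen)
    back = apply_nat(out[1], out[0])
    return out, back


if __name__ == "__main__":
    print("overlap before NAT:", domain_overlaps([LOCAL_NET], [LOCAL_NET]))
    print("overlap after NAT: ", domain_overlaps(LOCAL_DOMAIN, REMOTE_DOMAIN))
    out, back = round_trip("10.10.10.5", "10.10.12.9")
    print("outbound:", out, "tunnel:", enters_tunnel(*out))
    print("reply:   ", back)
    wrong = apply_nat("10.10.10.5", "10.10.10.9")   # sent to the real, overlapping network
    print("wrong dst:", wrong, "tunnel:", enters_tunnel(*wrong))
```

The two-direction simulation is the useful part: rule 2 must undo exactly what rule 1 did, or replies will arrive for 10.10.11.x hosts that do not exist. The last check shows why the third party's own NAT is mandatory, as post #3 says: a destination of 10.10.10.x is inside our own domain, so it is never a VPN packet regardless of how we translate the source.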
