CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: IPSEC tunnel NAT question - Cisco DMVPN

  1. #1
    Join Date: 2017-07-20 | Posts: 2 | Rep Power: 0

    IPSEC tunnel NAT question - Cisco DMVPN

    Hi folks... I have a DMVPN tunnel between two sites. The HUB end is in our public DMZ with a public IP assigned to the router interface. On the far-end router, the peer IP is displaying as the external FW IP address, showing as Dynamic/NATed. The only configs I have in the firewall are the host with the public IP address and some rules for IPSEC in the external FW policy. The tunnel will come into service, but I've had some issues where it will drop or go into a DNX (lost socket) state. So, I'm trying to narrow down possible causes of my issues, which honestly could be within the DMVPN configurations. It seems my HUB interface IP address is hidden behind the FW; I would like to unhide that.

    I'm a Check Point/FW rookie... R77 with clustered external/internal appliances and a separate management server. I'll provide any additional info needed to help, thanks in advance!

    Stu-

  2. #2
    Join Date: 2013-09-25 | Location: Bucharest | Posts: 643 | Rep Power: 5

    Re: IPSEC tunnel NAT question - Cisco DMVPN

    That is cool, I love DMVPNs ;)

    So you have two Check Point firewall-controlled sites, but each site also uses DMVPN. Has this come up as an incident lately, or has it been a nagging problem for some time now?
    Apart from the DMVPN service, do you have any other complaints in regard to the CP firewalls?

    Did you look in SmartView Tracker for any related events matching the time period when DMVPN goes down? What about the /var/log/messages file on both CP boxes?

  3. #3
    Join Date: 2006-09-26 | Posts: 3,055 | Rep Power: 15

    Re: IPSEC tunnel NAT question - Cisco DMVPN

    Quote Originally Posted by laf_c:
    That is cool, I love DMVPNs ;)
    I am kinda familiar with your situation because I had to study and implement it about 100 times in my lab when I was preparing for the CCIE Security lab :-). I've not touched DMVPN in almost 10 years since my last job.

    I am 99.9999% confident that the issue has nothing to do with your Check Point, as long as you allow IPSec ISAKMP udp/500, ESP (IP protocol 50) and NAT-T udp/4500 between the VPN peers.

    The issue is with NAT. As you know, DMVPN is nothing but GRE/IPSec under the hood: a hub-and-spoke model that allows you to route traffic directly between the spokes through NHRP.

    Whenever you have GRE/IPSec and NAT come into play, this needs to be considered: http://www.cisco.com/c/en/us/support...secgrenat.html
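    An added example (not from the thread or from Check Point) that turns the flow list in this post into a check: it walks a constructed, first-match rulebase for ISAKMP udp/500, ESP and NAT-T udp/4500 in both directions between a hub and a spoke, and reports whether the hub's address falls inside a hide-NAT range (the "hidden behind the FW" symptom from post #1). The rule and NAT table formats and the RFC 5737 addresses are assumptions.

```python
"""Checks a rulebase for the flows an IPsec/DMVPN peering needs, and whether
the hub's address is subject to hide NAT. Added example, not from the thread
or Check Point; rule/NAT formats and RFC 5737 addresses are constructed."""
from ipaddress import ip_address, ip_network

# Flows named in post #3: ISAKMP udp/500, ESP (IP protocol 50), NAT-T udp/4500.
REQUIRED_FLOWS = (("udp", 500), ("esp", None), ("udp", 4500))

# Constructed rulebase: first match wins, anything unmatched is dropped.
RULES = [
    {"src": "0.0.0.0/0", "dst": "203.0.113.10/32", "proto": "udp", "port": 500, "action": "accept"},
    {"src": "0.0.0.0/0", "dst": "203.0.113.10/32", "proto": "esp", "port": None, "action": "accept"},
    {"src": "203.0.113.10/32", "dst": "0.0.0.0/0", "proto": "any", "port": None, "action": "accept"},
]
# Constructed hide-NAT table: sources in orig_src appear as hide_behind to peers.
NAT_RULES = [{"orig_src": "203.0.113.0/24", "hide_behind": "203.0.113.1"}]


def rule_matches(rule, src, dst, proto, port):
    """True when the rule covers this src/dst/protocol/port tuple."""
    return (ip_address(src) in ip_network(rule["src"])
            and ip_address(dst) in ip_network(rule["dst"])
            and rule["proto"] in ("any", proto)
            and rule["port"] in (None, port))


def first_match(rules, src, dst, proto, port):
    """Action of the first matching rule, or 'drop' for the implicit cleanup."""
    for rule in rules:
        if rule_matches(rule, src, dst, proto, port):
            return rule["action"]
    return "drop"


def missing_flows(rules, hub, spoke):
    """Required flows not accepted in either direction between hub and spoke."""
    missing = []
    for proto, port in REQUIRED_FLOWS:
        for src, dst, direction in ((spoke, hub, "inbound"), (hub, spoke, "outbound")):
            if first_match(rules, src, dst, proto, port) != "accept":
                missing.append((direction, proto, port))
    return missing


def hidden_behind(nat_rules, addr):
    """Hide-NAT address a peer would see for addr, or None if it is not hidden."""
    for nat in nat_rules:
        if ip_address(addr) in ip_network(nat["orig_src"]):
            return nat["hide_behind"]
    return None
```

    With the constructed rulebase, NAT-T is never opened inbound, so a spoke behind NAT could not fall back to udp/4500, and the hub's address sits inside the hide-NAT range, which is why a peer would see the firewall's address instead.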

  4. #4
    Join Date: 2013-09-25 | Location: Bucharest | Posts: 643 | Rep Power: 5

    Re: IPSEC tunnel NAT question - Cisco DMVPN

    Quote Originally Posted by cciesec2006:
    Whenever you have GRE/IPSec and NAT come into play, this needs to be considered: http://www.cisco.com/c/en/us/support...secgrenat.html
    Can you detail what's to be taken from there? Do you want him to double-check his DMVPN config?

  5. #5
    Join Date: 2006-09-26 | Posts: 3,055 | Rep Power: 15

    Re: IPSEC tunnel NAT question - Cisco DMVPN

    Quote Originally Posted by laf_c:
    Can you detail what's to be taken from there? Do you want him to double-check his DMVPN config?
    Is there NAT anywhere between the GRE tunnel or IPSec tunnel endpoints? If there is, then you need to follow that guideline.

  6. #6
    Join Date: 2017-07-20 | Posts: 2 | Rep Power: 0

    Re: IPSEC tunnel NAT question - Cisco DMVPN

    Quote Originally Posted by laf_c:
    That is cool, I love DMVPNs ;)
    Yeah, very cool. It's under the hood of our new global SD-WAN (the oldest of the newest buzzwords, right?) undertaking. Anyway, I have had a few sites running IWAN for several months as a POC.

    You guys are probably correct, my issues are not CP related. By the way, the hub site is the only one with a FW/DMZ; spoke sites are directly connected to the internet. There are only two rules for my tunnel (inbound IKE/ESP, outbound any), and I have not seen anything in the log to indicate a service being blocked or denied. As I said, the tunnel will come up when forced and traffic will sometimes route correctly.

    I appreciate you guys taking time to comment, thanks again.

    Stu-
