Hello, I had a problem like this a few months ago. There are a lot of flavors to 
choose from; this is my choice:

I use 172.26.x.x and they use 10.10.10.x, so nobody could use these networks, 
because both sites use those IPs in our LANs.
So I chose to use NAT. I manually added a NAT rule so that network 10.10.10.x 
translates to 11.11.11.x. They did the same thing: they did a NAT to translate 
172.26.x.x to 172.27.x.x.

This is how traffic needed to flow:
My server 172.26.10.1 needed to reach 10.10.10.1, so what we did at the 
application layer was that my server 172.26.10.1 was going to try 
communication to 11.11.11.1 (NAT network) instead of 10.10.10.1. This was done at 
the remote site too, but the opposite way. Notice that at the application layer 
we only changed to reach the NAT network instead of the real network, but the NAT 
is done at the Check Point firewall.



In my firewall:
When source 172.26.10.1 needed to reach 11.11.11.1 (remote NAT network), my 
firewall translated those packets to destination 10.10.10.1 and then sent the 
packets to the remote site through the VPN connection.


Remote firewall:
When source 10.10.10.1 needed to reach 172.27.10.21 (NAT network), their firewall 
translates the packet to 172.26.10.21 and sends it to me inside the VPN connection.


NAT rules locally in my firewall

1st rule, from remote to local site
  Original packet:    source 10.10.10.1     destination 172.26.10.21   service any
  Translated packet:  source 11.11.11.1     destination 172.26.10.21   service any


2nd rule, from local to remote site
  Original packet:    source 172.26.10.21   destination 11.11.11.1     service any
  Translated packet:  source original       destination 10.10.10.1     service any


Besides, I created a group where I put both networks, 10.10.10.x (original 
network) and 11.11.11.x (NAT network), then I set it up as the remote topology 
encryption domain.

This worked fine for me; it's actually in a production environment. If you have 
any doubt just let me know.

Rgds..
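An added example, not part of either message in this thread: a small Python model of the two NAT tables the reply describes, walking one request and its reply through both firewalls, plus the overlap check that shows the conflict the quoted question below asks about. The addresses are the ones in the thread; the Packet and NatRule classes, the helper names, the /24 and /16 sizes inferred from "10.10.10.x" and "172.26.x.x", and the "first matching rule wins" order are my assumptions and are not Check Point syntax.

```python
# Added example (not from the thread): model of the double static NAT scheme
# for overlapping VPN encryption domains. Addresses come from the thread; the
# classes, helper names, prefix lengths and rule order are assumptions.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class NatRule:
    """Static NAT rule laid out like the thread's table: match the original
    source/destination, rewrite each into the translated network, or keep it
    unchanged when the translated side is None ("original" in the thread)."""
    orig_src: IPv4Network
    orig_dst: IPv4Network
    xlate_src: Optional[IPv4Network]
    xlate_dst: Optional[IPv4Network]

    def matches(self, p: Packet) -> bool:
        return p.src in self.orig_src and p.dst in self.orig_dst

    def apply(self, p: Packet) -> Packet:
        return Packet(src=static_map(p.src, self.orig_src, self.xlate_src),
                      dst=static_map(p.dst, self.orig_dst, self.xlate_dst))


def static_map(addr: IPv4Address, from_net: IPv4Network,
               to_net: Optional[IPv4Network]) -> IPv4Address:
    """One-to-one static NAT: keep the host bits, replace the network prefix."""
    if to_net is None:
        return addr
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("static NAT needs equally sized networks")
    host_bits = int(addr) & int(from_net.hostmask)
    return IPv4Address(int(to_net.network_address) | host_bits)


def apply_nat(rules: Sequence[NatRule], p: Packet) -> Packet:
    """First matching rule wins; no match means the packet passes untouched."""
    for rule in rules:
        if rule.matches(p):
            return rule.apply(p)
    return p


def overlapping_pairs(local: Sequence[str], remote: Sequence[str]):
    """The conflict the question asks about: any local network overlapping a
    remote one cannot be routed unambiguously across the tunnel."""
    lo = [ip_network(n) for n in local]
    re_ = [ip_network(n) for n in remote]
    return [(str(a), str(b)) for a in lo for b in re_ if a.overlaps(b)]


N = ip_network
# The two rules from the reply, in my (local) firewall.
LOCAL_RULES = [
    # 1st rule, remote -> local: remote 10.10.10.x is shown to me as 11.11.11.x
    NatRule(N("10.10.10.0/24"), N("172.26.0.0/16"), N("11.11.11.0/24"), None),
    # 2nd rule, local -> remote: what I address as 11.11.11.x really is 10.10.10.x
    NatRule(N("172.26.0.0/16"), N("11.11.11.0/24"), None, N("10.10.10.0/24")),
]
# The remote side "did the same thing": my 172.26.x.x is shown to them as 172.27.x.x
REMOTE_RULES = [
    NatRule(N("172.26.0.0/16"), N("10.10.10.0/24"), N("172.27.0.0/16"), None),
    NatRule(N("10.10.10.0/24"), N("172.27.0.0/16"), None, N("172.26.0.0/16")),
]


def round_trip(local_rules, remote_rules, src: str, dst: str
               ) -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Walk a request from my server through both firewalls and the remote
    host's reply back. Returns (src, dst) as the remote host sees the request
    and (src, dst) as my server sees the reply."""
    request = Packet(ip_address(src), ip_address(dst))
    in_tunnel = apply_nat(local_rules, request)            # leaves my firewall
    at_remote = apply_nat(remote_rules, in_tunnel)         # as the remote host sees it
    reply = Packet(src=at_remote.dst, dst=at_remote.src)   # remote host answers
    reply_in_tunnel = apply_nat(remote_rules, reply)
    at_local = apply_nat(local_rules, reply_in_tunnel)     # as my server sees it
    return ((str(at_remote.src), str(at_remote.dst)),
            (str(at_local.src), str(at_local.dst)))


if __name__ == "__main__":
    # Constructed input: both sides number hosts out of 10.10.10.0/24.
    print(overlapping_pairs(["10.10.10.0/24", "172.26.0.0/16"],
                            ["10.10.10.0/24", "172.16.0.0/16"]))
    print(round_trip(LOCAL_RULES, REMOTE_RULES, "172.26.10.21", "11.11.11.1"))
```

The round trip is the property worth checking before putting such a pair of rule sets in production: the reply my server receives must come from exactly the NAT address it sent to, otherwise the application sees a half-open connection and the tunnel's encryption domain (which the reply says includes both 10.10.10.x and 11.11.11.x) will not cover one direction.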





-----Original Message-----
From: Mailing list for discussion of Firewall-1 
[mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On behalf of Peter Addy
Sent: Tuesday, November 30, 2010 9:16 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] IP address conflicts within Encryption domains in VPN's

Hi,

Does anyone know of a way to get around a problem where, for example, both ends
of a site-to-site VPN have 10.x.x.x, 172.x.x.x etc. addresses on their internal
network, so this causes a conflict within each encryption domain?

If one side is not able to change, then what options are there? What if both
sites cannot change their internal IP addressing?

What are ways to get around IP conflicts in VPNs? Has anyone come across this
and got any ideas?

Thanks




=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to lists...@amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ow...@ts.checkpoint.com
=================================================

