Thanks everyone, plenty of suggestions here to think this through. Thanks again.
On Tue Nov 30th, 2010 4:05 PM GMT Oscar Esquivel wrote:
> Hello, I had a problem like this a few months ago... a lot of flavors to
> choose... this is my choice:
>
> I use 172.26.x.x and they use 10.10.10.x, so nobody could use these networks,
> because both sites use those IPs in our LAN.
> So I chose to use NAT. I manually added a NAT rule, so network 10.10.10.x
> translates to 11.11.11.x... they did the same thing... they did a NAT to translate
> 172.26.x.x to 172.27.x.x...
>
> This is how traffic needed to flow:
> My server 172.26.10.1 needed to reach 10.10.10.1... so what we did in the
> application layer was that my server 172.26.10.1 was going to try
> communication to 11.11.11.1 (NAT network) instead of 10.10.10.1... this was done
> at the remote site, but the opposite way... notice that at the application
> layer we only changed to reach the NAT network instead of the real network, but
> the NAT is done at the Check Point firewall.
>
> In my firewall:
> When source 172.26.10.1 needed to reach 11.11.11.1 (remote NAT network), my
> firewall translated those packets to destination 10.10.10.1 and then sent the
> packets to the remote site through the VPN connection.
>
> Remote firewall:
> When source 10.10.10.1 needed to reach 172.27.10.21 (NAT network), their
> firewall translated the packet to 172.26.10.21 and sent it to me inside the VPN
> connection.
>
> NAT rules locally in my firewall:
>
> 1st rule, from remote to local site:
>   Original packet:   source 10.10.10.1     destination 172.26.10.21   service any
>   Translated packet: source 11.11.11.1     destination 172.26.10.21   service any
>
> 2nd rule, from local to remote site:
>   Original packet:   source 172.26.10.21   destination 11.11.11.1     service any
>   Translated packet: source original       destination 10.10.10.1     service any
>
> Besides, I created a group where I put both networks, 10.10.10.x (original
> network) and 11.11.11.x (NAT network), then I set it up as the remote topology
> encryption domain.
>
> This worked fine for me, it's actually in a production environment. If you have
> any doubt just let me know.
>
> Rgds..
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On behalf of Peter Addy
> Sent: Tuesday, November 30, 2010 9:16 AM
> To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
> Subject: [FW-1] IP address conflicts within Encryption domains in VPN's
>
> Hi,
>
> Does anyone know of a way to get around a problem where, for example, both sides
> of a site-to-site VPN have 10.x.x.x, 172.x.x.x etc. addresses on their internal
> network, so this therefore causes a conflict within each encryption domain?
>
> If one side is not able to change then what options are there? What if both
> sites cannot change their internal IP addressing?
>
> What are ways to get around IP conflicts in VPNs? Has anyone come across this
> and got any ideas?
>
> Thanks
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to lists...@amadeus.us.checkpoint.com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-ow...@ts.checkpoint.com
> =================================================
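As an added illustration (not code from the thread or from Check Point), the following Python simulation models the two NAT rules Oscar describes plus the mirrored rules on the remote side, walks a request and its reply through both firewalls, and checks that the resulting encryption domains no longer overlap. The rule layout and function names are my own; the addresses are the ones from the thread.

```python
"""Constructed model of the double-NAT scheme for overlapping VPN
encryption domains. Stateless rule matching only; a real gateway
also tracks connections, which is ignored here."""
from ipaddress import ip_network

# Each rule: (match_field, match_value, rewrite_field, rewrite_value).
# Local firewall (the 172.26.x.x site):
#   rule 1, remote -> local: real remote source 10.10.10.1 is shown to
#           the local LAN as the NAT address 11.11.11.1
#   rule 2, local -> remote: local hosts address 11.11.11.1; the firewall
#           rewrites the destination to the real address 10.10.10.1
LOCAL_FW_RULES = [
    ("src", "10.10.10.1", "src", "11.11.11.1"),
    ("dst", "11.11.11.1", "dst", "10.10.10.1"),
]
# Remote firewall mirrors the scheme: 172.26.x.x <-> 172.27.x.x.
REMOTE_FW_RULES = [
    ("src", "172.26.10.21", "src", "172.27.10.21"),
    ("dst", "172.27.10.21", "dst", "172.26.10.21"),
]

def apply_nat(rules, pkt):
    """Return a copy of pkt with the first matching rule's rewrite applied."""
    for match_field, match_value, rewrite_field, rewrite_value in rules:
        if pkt[match_field] == match_value:
            return {**pkt, rewrite_field: rewrite_value}
    return dict(pkt)

def local_to_remote(src, nat_dst):
    """Local host sends to the NAT address; return what the remote host sees."""
    pkt = {"src": src, "dst": nat_dst}
    pkt = apply_nat(LOCAL_FW_RULES, pkt)   # dst 11.11.11.1 -> 10.10.10.1
    pkt = apply_nat(REMOTE_FW_RULES, pkt)  # src 172.26.10.21 -> 172.27.10.21
    return pkt

def remote_reply(src, nat_dst):
    """Remote host answers to the NAT address; return what the local host sees."""
    pkt = {"src": src, "dst": nat_dst}
    pkt = apply_nat(REMOTE_FW_RULES, pkt)  # dst 172.27.10.21 -> 172.26.10.21
    pkt = apply_nat(LOCAL_FW_RULES, pkt)   # src 10.10.10.1 -> 11.11.11.1
    return pkt

def domains_overlap(domain_a, domain_b):
    """True if any network in encryption domain a overlaps one in domain b."""
    return any(ip_network(a).overlaps(ip_network(b))
               for a in domain_a for b in domain_b)

if __name__ == "__main__":
    print(local_to_remote("172.26.10.21", "11.11.11.1"))
    print(remote_reply("10.10.10.1", "172.27.10.21"))
    print(domains_overlap(["10.0.0.0/8"], ["10.0.0.0/8"]))          # the original conflict
    print(domains_overlap(["172.26.0.0/16"], ["10.10.10.0/24", "11.11.11.0/24"]))
```

One caveat on the thread's choice of NAT ranges: 11.11.11.x is not RFC 1918 private space, so hosts using it as a stand-in lose reachability to whoever really holds that prefix; an unused RFC 1918 range is the safer pick for the NAT network.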