Take a look at sk12870



________________________________
From: Peter Addy <wavema...@yahoo.com>
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Sent: Wed, December 15, 2010 8:09:35 AM
Subject: Re: [FW-1] IP address conflicts within Encryption domains in VPN's

Thanks, looks like I need further guidance.

Here is what I have for our NAT rule:

NAT rule
Original source > host server on 23.x.x.x/32
Original destination > host address 11.160.x.x/32

Translated
Source > hide NAT of 147.x.x.x/32 to leave from the firewall
Destination > host 10.230.x.x, which is the real machine on the other firewall side

Policy rule simply reads

23.x.x.x/32 to 11.160.x.x/32

This is a VPN from Check Point to a Cisco, so I moved this and created a new
community to use one VPN tunnel per pair of hosts.

There is no route for 10.230.x.x; not sure if I need one, and not sure if I need
a NAT rule back. If so, which way? The connection is from us to the Cisco, so
should it not all be stateful?

Also, for the encryption domain for the Cisco I have placed 11.160.x.x, as
this is where the connection from our server 23.x.x.x/32 first goes to, but why
would this be needed? I would have thought for the encryption domain only 147.x.x.x/32
was required. On the other end, the Cisco, they have in their encryption domain
host 10.230.x.x/32 and 147.x.x.x/32; not sure if they also need the
11.160.x.x/32??

Our Check Points sit between the Cisco ASA's outer and inner, so we have to NAT.

If this was Check Point to Check Point, I don't think we would have had this issue.

Any ideas, please let me know, as I have quite a few other Cisco VPNs that need
doing.


Many Thanks




________________________________
From: Peter Addy <wavema...@yahoo.com>
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Sent: Wed, 1 December, 2010 7:25:55
Subject: Re: [FW-1] IP address conflicts within Encryption domains in VPN's

Thanks everyone, plenty of suggestions here to think this through.
Thanks again.

On Tue Nov 30th, 2010 4:05 PM GMT Oscar Esquivel wrote:

>Hello, I had a problem like this a few months ago... a lot of flavors to
>choose from... this is my choice:
>
>I use 172.26.x.x and they use 10.10.10.x, so nobody could use these networks,
>because both sites use those IPs in our LAN.
>So I chose to use NAT. I manually added a NAT rule so that network 10.10.10.x
>translates to 11.11.11.x... they did the same thing: they did a NAT to translate
>172.26.x.x to 172.27.x.x...
>
>This is how traffic needed to flow.
>My server 172.26.10.1 needed to reach 10.10.10.1... so what we did at the
>application layer was that my server 172.26.10.1 was going to try to communicate
>with 11.11.11.1 (NAT network) instead of 10.10.10.1... this was done at the remote
>site too, but the opposite way... notice that at the application layer we only
>changed to reach the NAT network instead of the real network, but the NAT is done at the
>Check Point firewall.
>
>
>
>In my firewall:
>When source 172.26.10.1 needed to reach 11.11.11.1 (remote NAT network), my
>firewall translated those packets to destination 10.10.10.1 and then sent the
>packets to the remote site through the VPN connection.
>
>
>Remote firewall:
>When source 10.10.10.1 needed to reach 172.27.10.21 (NAT network), their
>firewall translated the packet to 172.26.10.21 and sent it to me inside the VPN connection.
>
>
>NAT rules locally in my firewall
>
>1st rule, from remote to local site
>Original packet: source 10.10.10.1, destination 172.26.10.21, service any
>Translated packet: source 11.11.11.1, destination 172.26.10.21, service any
>
>
>2nd rule, from local to remote site
>Original packet: source 172.26.10.21, destination 11.11.11.1, service any
>Translated packet: source original, destination 10.10.10.1, service any
>
>
>Besides, I created a group where I put both networks, 10.10.10.x (original
>network) and 11.11.11.x (NAT network), then I set it up as the remote topology
>encryption domain.
>
>This worked fine for me; it's actually in a production environment. If you have
>any doubt, just let me know.
>
>Rgds..
>
>
>
>
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1
>[mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On behalf of Peter Addy
>Sent: Tuesday, November 30, 2010 9:16 AM
>To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
>Subject: [FW-1] IP address conflicts within Encryption domains in VPN's
>
>Hi,
>
>Does anyone know of a way to get around a problem where, for example, both sides of a
>site-to-site VPN have 10.x.x.x, 172.x.x.x etc. addresses on their internal network,
>which therefore causes a conflict within each encryption domain?
>
>If one side is not able to change, then what options are there? What if both
>sites cannot change their internal IP addressing?
>
>
>What are ways to get around IP conflicts in VPNs? Has anyone come across this
>and got any ideas?
>
>Thanks
>
>
>
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to lists...@amadeus.us.checkpoint.com
>in the BODY of the email add:
>set fw-1-mailinglistnomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>fw-1-ow...@ts.checkpoint.com
>=================================================
>
>Scanned by Check Point Total Security Gateway.
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to lists...@amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglistnomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ow...@ts.checkpoint.com
=================================================
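The NAT scheme for overlapping subnets that Oscar describes above, modelled as an added example (not code from the thread, from Check Point or from Cisco): it renumbers hosts between the real and NAT networks, runs a packet in each direction through the two local NAT rules, checks that a chosen NAT range collides with neither LAN, and checks that the remote address both before and after translation lies inside the encryption-domain group. The /16 and /24 prefix lengths and the host addresses are constructed from the x.x wildcards in the posts.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the double-NAT scheme in the thread. The /16 and /24
# prefix lengths are assumptions; the posts only give x.x wildcards.
LOCAL_LAN = ip_network("172.26.0.0/16")      # our real network
REMOTE_LAN = ip_network("10.10.10.0/24")     # their real network
LOCAL_NAT_NET = ip_network("172.27.0.0/16")  # how the remote side sees us
REMOTE_NAT_NET = ip_network("11.11.11.0/24") # how we see the remote side

def renumber(addr, src_net, dst_net):
    # Static 1:1 network translation: keep the host offset, swap the prefix.
    return ip_address(int(dst_net.network_address) + int(addr) - int(src_net.network_address))

# Local firewall NAT table: (match src, match dst, translated src, translated dst).
# None means "original" (leave that field untouched).
LOCAL_NAT = [
    (REMOTE_LAN, LOCAL_LAN, REMOTE_NAT_NET, None),   # 1st rule: remote -> local
    (LOCAL_LAN, REMOTE_NAT_NET, None, REMOTE_LAN),   # 2nd rule: local -> remote
]

def apply_nat(table, src, dst):
    # First-match lookup; returns (src, dst) after translation.
    for m_src, m_dst, x_src, x_dst in table:
        if src in m_src and dst in m_dst:
            return (renumber(src, m_src, x_src) if x_src else src,
                    renumber(dst, m_dst, x_dst) if x_dst else dst)
    return src, dst

def nat_range_is_free(candidate, *lans):
    # A NAT range is only usable if it collides with neither side's real LAN.
    return not any(candidate.overlaps(lan) for lan in lans)

def covered(domain, *addrs):
    # Every address given (pre- and post-NAT) must fall inside the domain group.
    return all(any(a in net for net in domain) for a in addrs)

# Remote encryption domain as configured in the thread: real net plus NAT net.
REMOTE_DOMAIN = [REMOTE_LAN, REMOTE_NAT_NET]

def trace(src, dst, domain=REMOTE_DOMAIN):
    # Run one packet through the local NAT table and report whether the remote
    # address seen before and after translation is inside the domain group.
    s, d = ip_address(src), ip_address(dst)
    ns, nd = apply_nat(LOCAL_NAT, s, d)
    remote_side = (d, nd) if s in LOCAL_LAN else (s, ns)
    return str(ns), str(nd), covered(domain, *remote_side)
```

Calling trace with a domain holding only the real network shows the outbound packet's pre-NAT destination 11.11.11.1 falling outside it, which is the case the group with both networks covers.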