Thanks, will give this a whirl. I don't think the other side (Cisco) have given us a NAT to the 10.x, so will see if they can provide us one, as I guess we need one and we cannot target the real 10.x? Cheers
On Wed, 15 Dec 2010 17:47 GMT Gary Scott wrote:
>Does this make sense? The Cisco side would be configured the same but with the
>remote and local roles reversed.
>
>local enc domain is 10.1.1.1
>remote enc domain is 10.1.1.1
>
>local NAT to 2.2.2.2
>remote NAT to 3.3.3.3
>
>object VPN domain:
>local enc domain is 10.1.1.1 and 2.2.2.2
>remote enc domain is 3.3.3.3
>
>NAT rule:
>NAT rule outgoing -> 10.1.1.1 to 3.3.3.3, / leave src and dst original
>NAT rule incoming -> 3.3.3.3 to 2.2.2.2, / original, dst->10.1.1.1
>
>Routing:
>local route for 3.3.3.3 needs to go out CP VPN endpoint IP interface
>remote route for 2.2.2.2 needs to go out Cisco VPN endpoint IP interface
>10.1.1.1 needs to route back to gateway for 3.3.3.3 on CP side
>10.1.1.1 needs to route back to gateway for 2.2.2.2 on Cisco side
>
>Policy rule:
>configured as needed
>
>________________________________
>From: Peter Addy <wavema...@yahoo.com>
>To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
>Sent: Wed, December 15, 2010 11:43:13 AM
>Subject: Re: [FW-1] IP address conflicts within Encryption domains in VPN's
>
>Thanks, I have seen this, but from my details below does anyone know why it
>would not work? Has anyone experienced this problem? The other end (Cisco) sees the
>11.x.x.x but it is not a valid SA, so should they have this in their enc dom? Can
>you see an issue with the config proposed? Thanks
>
>On Wed, 15 Dec 2010 13:36 GMT Gary Scott wrote:
>
>>Take a look at sk12870
>>
>>________________________________
>>From: Peter Addy <wavema...@yahoo.com>
>>To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
>>Sent: Wed, December 15, 2010 8:09:35 AM
>>Subject: Re: [FW-1] IP address conflicts within Encryption domains in VPN's
>>
>>Thanks, looks like I need further guidance.
>>
>>Here is what I have for our NAT rule:
>>
>>NAT RULE
>>Original Source > host server on a 23.x.x.x/32
>>Original Destination > host address 11.160.x.x/32
>>
>>Translated
>>Source: hide NAT of 147.x.x.x/32 to leave out from the firewall
>>Dest: host 10.230.x.x, which is the real machine on the other firewall side
>>
>>Policy rule simply reads
>>
>>23.x.x.x/32 to 11.160.x.x/32
>>
>>This is a VPN from Check Point to a Cisco, so I moved this and created a new
>>community to use one VPN tunnel per each pair of hosts.
>>
>>There is no route for 10.230.x.x, not sure if I need one and not sure if I
>>need a NAT rule back, if so which way; the connection is from us to the Cisco, so
>>should it not be all stateful?
>>
>>Also for the encryption domain for the Cisco I have placed in the 11.160.x.x,
>>as this is where the connection from our server 23.x.x.x/32 first goes to, but
>>why would this be needed? Would have thought for the enc dom only the
>>147.x.x.x/32 was required, and on the other end Cisco they have in their encryption domain
>>host 10.230.x.x/32 and 147.x.x.x/32, not sure if they also need the
>>11.160.x.x/32??
>>
>>Our Check Points sit between Cisco ASA's outer and inner, so we have to NAT.
>>
>>If this was Check Point to Check Point, don't think we would have had this issue.
>>
>>Any ideas please let me know, as I have quite a few other Cisco VPNs that need
>>doing.
>>
>>Many Thanks
>>
>>________________________________
>>From: Peter Addy <wavema...@yahoo.com>
>>To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
>>Sent: Wed, 1 December, 2010 7:25:55
>>Subject: Re: [FW-1] IP address conflicts within Encryption domains in VPN's
>>
>>Thanks everyone, plenty of suggestions here to think this through.
>>Thanks again
>>
>>On Tue Nov 30th, 2010 4:05 PM GMT Oscar Esquivel wrote:
>>
>>>Hello, I had a problem like this a few months ago... a lot of flavors to
>>>choose... this is my choice:
>>>
>>>I use 172.26.x.x and they use 10.10.10.x, so nobody could use these
>>>networks, because both sites use those IPs in our LAN.
>>>So I chose to use NAT. I manually added a NAT rule, so network 10.10.10.x
>>>translates to 11.11.11.x... they did the same thing... they did a NAT to translate
>>>172.26.x.x to 172.27.x.x...
>>>
>>>This is how traffic needed to flow:
>>>My server 172.26.10.1 needed to reach 10.10.10.1... so what we did in the
>>>application layer was that my server 172.26.10.1 was going to try
>>>communication to 11.11.11.1 (NAT network) instead of 10.10.10.1... this was done at the remote
>>>site, but the opposite way... notice that at the application layer we only
>>>changed to reach the NAT network instead of the real network, but NAT is done at the
>>>Check Point firewall.
>>>
>>>In my firewall:
>>>When source 172.26.10.1 needed to reach 11.11.11.1 (remote NAT network), my
>>>firewall translated those packets to destination 10.10.10.1 and then sent the
>>>packets to the remote site through the VPN connection.
>>>
>>>Remote firewall:
>>>When source 10.10.10.1 needed to reach 172.27.10.21 (NAT network), their
>>>firewall translated the packet to 172.26.10.21 and sent it to me inside the VPN connection.
>>>
>>>NAT rules locally in my firewall
>>>
>>>1st Rule, from remote to local site
>>>Original Packet:   Source --> 10.10.10.1   Destination --> 172.26.10.21   Service --> any
>>>Translated Packet: Source --> 11.11.11.1   Destination --> 172.26.10.21   Service --> any
>>>
>>>2nd Rule, from local to remote site
>>>Original Packet:   Source --> 172.26.10.21   Destination --> 11.11.11.1   Service --> any
>>>Translated Packet: Source --> original       Destination --> 10.10.10.1   Service --> any
>>>
>>>Besides, I created a group where I put both networks, 10.10.10.x (original
>>>network) and 11.11.11.x (NAT network), then I set it up as the remote topology
>>>encryption domain.
>>>
>>>This worked fine for me, it's actually in a production environment. If you have
>>>any doubt just let me know.
>>>
>>>Rgds..
>>>
>>>-----Original Message-----
>>>From: Mailing list for discussion of Firewall-1
>>>[mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On behalf of Peter Addy
>>>Sent: Tuesday, November 30, 2010 9:16 AM
>>>To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
>>>Subject: [FW-1] IP address conflicts within Encryption domains in VPN's
>>>
>>>Hi,
>>>
>>>Does anyone know of a way to get around a problem where, for example, a site
>>>to site VPN both have 10.x.x.x, 172.x.x.x etc. addresses on their internal network,
>>>so this therefore causes a conflict within each encryption domain?
>>>
>>>If one side is not able to change, then what options are there? What if both
>>>sites cannot change their internal IP addressing?
>>>
>>>What are ways to get around IP conflicts in VPNs? Has anyone come across
>>>this and got any ideas?
>>>
>>>Thanks
>>>
>>>=================================================
>>>To set vacation, Out-Of-Office, or away messages,
>>>send an email to lists...@amadeus.us.checkpoint.com
>>>in the BODY of the email add:
>>>set fw-1-mailinglist nomail
>>>=================================================
>>>To unsubscribe from this mailing list,
>>>please see the instructions at
>>>http://www.checkpoint.com/services/mailing.html
>>>=================================================
>>>If you have any questions on how to change your
>>>subscription options, email
>>>fw-1-ow...@ts.checkpoint.com
>>>=================================================
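The double-NAT design in Gary Scott's reply, and Oscar Esquivel's variant that puts both the real and the translated network into the encryption domain, worked through as an added Python model; this is not code from the thread or from Check Point. The addresses are Gary's example values; the Packet/NatRule/Gateway classes, the first-match NAT semantics and the assumption that the encryption-domain match is evaluated on the post-NAT addresses (the reason both replies place the translated address in the domain) are the example's own.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

@dataclass(frozen=True)
class NatRule:
    match_src: str
    match_dst: str
    new_src: Optional[str] = None   # None keeps the original address
    new_dst: Optional[str] = None

@dataclass
class Gateway:
    nat: list
    local_domain: set    # our encryption domain (real + translated hosts)
    remote_domain: set   # the peer's encryption domain as we see it (translated)

    def translate(self, pkt: Packet) -> Packet:
        """First matching manual NAT rule wins, as in an ordered NAT rule base."""
        for r in self.nat:
            if (pkt.src, pkt.dst) == (r.match_src, r.match_dst):
                return Packet(r.new_src or pkt.src, r.new_dst or pkt.dst)
        return pkt

    def vpn_decision(self, pkt: Packet) -> str:
        """Assumption: evaluated after NAT. Encrypt only if both ends sit in a domain."""
        ok = pkt.src in self.local_domain and pkt.dst in self.remote_domain
        return "encrypt" if ok else "clear"

def send(out_gw: Gateway, in_gw: Gateway, pkt: Packet):
    """Outbound: NAT, then domain check. Inbound on the peer: NAT back to the real host."""
    egress = out_gw.translate(pkt)
    decision = out_gw.vpn_decision(egress)
    delivered = in_gw.translate(egress) if decision == "encrypt" else None
    return egress, decision, delivered

# Gary's plan: both LANs use 10.1.1.1; the CP side is seen as 2.2.2.2, the Cisco side as 3.3.3.3.
CP = Gateway(nat=[NatRule("10.1.1.1", "3.3.3.3", new_src="2.2.2.2"),   # outgoing
                  NatRule("3.3.3.3", "2.2.2.2", new_dst="10.1.1.1")],  # incoming
             local_domain={"10.1.1.1", "2.2.2.2"}, remote_domain={"3.3.3.3"})
CISCO = Gateway(nat=[NatRule("10.1.1.1", "2.2.2.2", new_src="3.3.3.3"),
                     NatRule("2.2.2.2", "3.3.3.3", new_dst="10.1.1.1")],
                local_domain={"10.1.1.1", "3.3.3.3"}, remote_domain={"2.2.2.2"})
# The failure case Peter asks about, modelled: translated address left out of the local domain.
CP_BAD = Gateway(nat=CP.nat, local_domain={"10.1.1.1"}, remote_domain={"3.3.3.3"})
```

Run `send(CP, CISCO, Packet("10.1.1.1", "3.3.3.3"))` and the reverse `send(CISCO, CP, Packet("10.1.1.1", "2.2.2.2"))` to trace both directions; with `CP_BAD` the post-NAT source 2.2.2.2 is outside the local domain, so the model reports `"clear"` and the packet never enters the tunnel.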