Correct, VPN and routing will fail unless you NAT to unique addresses. You
could NAT to an RFC 1918 IP as long as this does not conflict with the other
side(s); most use real IPs if they can afford them.
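The double-NAT arrangement that Gary and Oscar describe further down this thread (each side translating the peer's overlapping range to a unique one, and the encryption domain holding both the real and translated networks), modelled in Python as an added example that is not part of the original thread. The `Gateway` model, the rule tuples and the 11.11.11.x / 172.27.x.x figures follow Oscar's post; the model assumes NAT is applied before the SA check and that a host routes an address on its own LAN locally rather than to the VPN gateway.

```python
from ipaddress import ip_address, ip_network
def xlate(addr, old, new):  # static 1:1 NAT: keep the host offset, swap the prefix
    return new[int(addr) - int(old.network_address)]

class Gateway:
    def __init__(self, lan, enc_local, enc_remote, nat_rules):
        self.lan = [ip_network(n) for n in lan]
        self.enc_local = [ip_network(n) for n in enc_local]
        self.enc_remote = [ip_network(n) for n in enc_remote]
        # rule = (orig_src, orig_dst, new_src, new_dst); None keeps the original address
        self.rules = [tuple(ip_network(x) if x else None for x in r) for r in nat_rules]
    def nat(self, src, dst):
        for osrc, odst, nsrc, ndst in self.rules:  # first matching rule wins
            if src in osrc and dst in odst:
                return (xlate(src, osrc, nsrc) if nsrc else src,
                        xlate(dst, odst, ndst) if ndst else dst)
        return src, dst
    def in_domain(self, src, dst):  # SA selection: src in our domain, dst in the peer's
        return any(src in n for n in self.enc_local) and any(dst in n for n in self.enc_remote)

def build_sites(with_nat):
    """Both LANs hold 172.26.0.0/16 and 10.10.10.0/24 (the conflict). With NAT, site A
    sees B's 10.10.10.x as 11.11.11.x and site B sees A's 172.26.x.x as 172.27.x.x."""
    lan = ["172.26.0.0/16", "10.10.10.0/24"]
    if not with_nat:
        return (Gateway(lan, ["172.26.0.0/16"], ["10.10.10.0/24"], []),
                Gateway(lan, ["10.10.10.0/24"], ["172.26.0.0/16"], []))
    a = Gateway(lan, ["172.26.0.0/16"], ["10.10.10.0/24", "11.11.11.0/24"], [
        ("10.10.10.0/24", "172.26.0.0/16", "11.11.11.0/24", None),   # inbound: hide their real src
        ("172.26.0.0/16", "11.11.11.0/24", None, "10.10.10.0/24")])  # outbound: dst back to real
    b = Gateway(lan, ["10.10.10.0/24"], ["172.26.0.0/16", "172.27.0.0/16"], [
        ("172.26.0.0/16", "10.10.10.0/24", "172.27.0.0/16", None),
        ("10.10.10.0/24", "172.27.0.0/16", None, "172.26.0.0/16")])
    return a, b

def deliver(src, dst, a, b):
    """One packet from behind gateway a to behind gateway b: the (src, dst) strings
    the receiving host sees, or None if it is routed locally or matches no SA."""
    src, dst = ip_address(src), ip_address(dst)
    if any(dst in n for n in a.lan):  # overlapping address: the host's own LAN wins
        return None
    src, dst = a.nat(src, dst)  # model assumes NAT is applied before the SA check
    if not a.in_domain(src, dst) or not b.in_domain(dst, src):
        return None
    src, dst = b.nat(src, dst)  # inbound NAT at the receiving site
    return str(src), str(dst)

def round_trip(src, dst, a, b):  # True only if the reply also comes back through the tunnel
    seen = deliver(src, dst, a, b)
    return seen is not None and deliver(seen[1], seen[0], b, a) == (dst, src)
```

With NAT, a server at 172.26.10.21 reaches the remote 10.10.10.1 by addressing 11.11.11.1 and the remote host sees the request from 172.27.10.21; aiming at the real 10.10.10.1, or running the same sites without NAT, never leaves the sender's LAN.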




________________________________
From: Peter Addy <wavema...@yahoo.com>
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Sent: Thu, December 16, 2010 2:48:02 AM
Subject: Re: [FW-1] IP address conflicts within Encryption domains in VPN's

Thanks, will give this a whirl. I don't think the other side (Cisco) have given
us a NAT to the 10.x, so will see if they can provide us one, as I guess we need
one and we cannot target the real 10.x?
Cheers

On Wed, 15 Dec 2010 17:47 GMT Gary Scott wrote:

>Does this make sense? The Cisco side would be configured the same but with the
>remote and local roles reversed.
>
>local enc domain is 10.1.1.1
>remote enc domain is 10.1.1.1
>
>local NAT to 2.2.2.2
>remote NAT to 3.3.3.3
>
>object VPN domain:
>local enc domain is 10.1.1.1 and 2.2.2.2
>remote enc domain is 3.3.3.3
>
>NAT rule:
>NAT rule outgoing -> 10.1.1.1 to 3.3.3.3, / leave src and dst original
>NAT rule incoming -> 3.3.3.3 to 2.2.2.2, / original, dst->10.1.1.1
>
>Routing:
>local route for 3.3.3.3 needs to go out CP VPN endpoint IP interface
>remote route for 2.2.2.2 needs to go out cisco VPN endpoint IP interface
>10.1.1.1 needs to route back to gateway for 3.3.3.3 on CP side
>10.1.1.1 needs to route back to gateway for 2.2.2.2 on cisco side
>
>Policy rule:
>configured as needed
>
>________________________________
>From: Peter Addy <wavema...@yahoo.com>
>To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
>Sent: Wed, December 15, 2010 11:43:13 AM
>Subject: Re: [FW-1] IP address conflicts within Encryption domains in VPN's
>
>Thanks, I have seen this, but from my details below does anyone know why it
>would not work? Has anyone experienced this problem? The other end (Cisco) sees
>the 11.x.x.x but it is not a valid SA, so should they have this in their enc
>dom? Can you see an issue with the config proposed, thanks
>
>On Wed, 15 Dec 2010 13:36 GMT Gary Scott wrote:
>
>>Take a look at sk12870
>>
>>
>>
>>
>>________________________________
>>From: Peter Addy <wavema...@yahoo.com>
>>To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
>>Sent: Wed, December 15, 2010 8:09:35 AM
>>Subject: Re: [FW-1] IP address conflicts within Encryption domains in VPN's
>>
>>Thanks, looks like I need further guidance.
>>
>>Here is what I have for our NAT rule:
>>
>>NAT RULE
>>Original Source > host server on a 23.x.x.x/32
>>Original Destination > host address 11.160.x.x/32
>>
>>Translated
>>Source: hide NAT of 147.x.x.x/32 to leave out from the firewall
>>DEST: host 10.230.x.x which is the real machine on the other firewall side
>>
>>Policy rule simply reads
>>
>>23.x.x.x/32 to 11.160.x.x/32
>>
>>This is a VPN from Checkpoint to a Cisco, so I moved this and created a new
>>community to use one VPN tunnel per each pair of hosts.
>>
>>There is no route for 10.230.x.x, not sure if I need one and not sure if I need
>>a NAT rule back, if so which way; the connection is from us to the Cisco, so
>>should it not be all stateful?
>>
>>Also for the encryption domain for the Cisco I have placed in the 11.160.x.x as
>>this is where the connection from our server 23.x.x.x/32 first goes to, but why
>>would this be needed, would have thought for the enc dom only the 147.x.x.x/32
>>was required, and on the other end (Cisco) they have in their encryption domain
>>host 10.230.x.x/32 and 147.x.x.x/32, not sure if they also need the
>>11.160.x.x/32??
>>
>>Our Checkpoints sit between Cisco ASAs' outer and inner so we have to NAT.
>>
>>If this was Checkpoint to Checkpoint, don't think we would have had this issue.
>>
>>Any ideas please let me know as I have quite a few other Cisco VPNs that need
>>doing.
>>
>>
>>Many Thanks
>>
>>
>>
>>
>>________________________________
>>From: Peter Addy <wavema...@yahoo.com>
>>To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
>>Sent: Wed, 1 December, 2010 7:25:55
>>Subject: Re: [FW-1] IP address conflicts within Encryption domains in VPN's
>>
>>Thanks everyone, plenty of suggestions here to think this through
>>Thanks again
>>
>>On Tue Nov 30th, 2010 4:05 PM GMT Oscar Esquivel wrote:
>>
>>>Hello, I had a problem like this a few months ago... a lot of flavors to
>>>choose... this is my choice:
>>>
>>>I use 172.26.x.x and they use 10.10.10.x, so nobody could use these networks,
>>>because both sites use those IPs in our LAN.
>>>So I chose to use NAT. I manually added a NAT rule, so network 10.10.10.x
>>>translates to 11.11.11.x... they did the same thing... they did a NAT to
>>>translate 172.26.x.x to 172.27.x.x...
>>>
>>>This is how traffic needed to flow:
>>>My server 172.26.10.1 needed to reach 10.10.10.1... so what we did in the
>>>application layer was that my server 172.26.10.1 was going to try
>>>communication to 11.11.11.1 (NAT network) instead of 10.10.10.1... this was
>>>done at the remote site, but the opposite way... notice that at the
>>>application layer we only changed to reach the NAT network instead of the real
>>>network, but the NAT is done at the Checkpoint firewall.
>>>
>>>In my firewall:
>>>When source 172.26.10.1 needed to reach 11.11.11.1 (remote NAT network), my
>>>firewall translated those packets to destination 10.10.10.1 and then sent the
>>>packets to the remote site through the VPN connection.
>>>
>>>Remote firewall:
>>>When source 10.10.10.1 needed to reach 172.27.10.21 (NAT network), their
>>>firewall translated the packet to 172.26.10.21 and sent it to me inside the VPN
>>>connection.
>>>
>>>NAT rules locally in my firewall:
>>>
>>>1st rule, from remote to local site
>>>Original packet:   source 10.10.10.1, destination 172.26.10.21, service any
>>>Translated packet: source 11.11.11.1, destination 172.26.10.21, service any
>>>
>>>2nd rule, from local to remote site
>>>Original packet:   source 172.26.10.21, destination 11.11.11.1, service any
>>>Translated packet: source original, destination 10.10.10.1, service any
>>>
>>>Besides, I created a group where I put both networks, 10.10.10.x (original
>>>network) and 11.11.11.x (NAT network), then I set it up as the remote topology
>>>encryption domain.
>>>
>>>This worked fine for me, it's actually in a production environment. If you have
>>>any doubt just let me know.
>>>
>>>Rgds..
>>>
>>>
>>>
>>>
>>>
>>>-----Original Message-----
>>>From: Mailing list for discussion of Firewall-1
>>>[mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On behalf of Peter Addy
>>>Sent: Tuesday, November 30, 2010 9:16 AM
>>>To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
>>>Subject: [FW-1] IP address conflicts within Encryption domains in VPN's
>>>
>>>Hi,
>>>
>>>Does anyone know of a way to get around a problem where, for example, a site to
>>>site VPN both have 10.x.x.x, 172.x.x.x etc. addresses on their internal
>>>network, so this therefore causes a conflict within each encryption domain?
>>>
>>>If one side is not able to change then what options are there? What if both
>>>sites cannot change their internal IP addressing?
>>>
>>>What are ways to get around IP conflicts in VPNs, has anyone come across this
>>>and got any ideas?
>>>
>>>Thanks
>>>
>>>
>>>
>>>
>>>=================================================
>>>To set vacation, Out-Of-Office, or away messages,
>>>send an email to lists...@amadeus.us.checkpoint.com
>>>in the BODY of the email add:
>>>set fw-1-mailinglistnomail
>>>=================================================
>>>To unsubscribe from this mailing list,
>>>please see the instructions at
>>>http://www.checkpoint.com/services/mailing.html
>>>=================================================
>>>If you have any questions on how to change your
>>>subscription options, email
>>>fw-1-ow...@ts.checkpoint.com
>>>=================================================