Gary

Sorry to ask again, but can you confirm this:

NAT rule outgoing -> Original Packets SRC 10.1.1.1 DST 3.3.3.3,

Translated Column > Source and Dest is both ORIGINAL

#################################################


NAT rule incoming -> ORIGINAL Packet Source 3.3.3.3 DEST 2.2.2.2,

Translated Column > Source is ORIGINAL and Dest is 10.1.1.1

Just getting my head around the NAT part

Thanks
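The two-sided manual NAT that the quoted thread below converges on (Gary's 2.2.2.2/3.3.3.3 pair, and Oscar's 11.11.11.x/172.27.x.x pair with the two rules he lists) is easiest to sanity-check by tracing a packet through both firewalls. The Python model below is an added example, not code from any of the posters or from Check Point: it encodes Oscar's two manual NAT rules on the local side, assumes the mirror-image rules on the remote side (he only says they "did the same thing"), checks that every packet entering the tunnel falls inside the configured encryption domains, and flags the failure mode the thread is about, where the address a LAN host sees as its peer is one of its own site's networks, so the reply is routed locally and never enters the tunnel. The `Site`/`NatRule` classes, the /16 and /24 domain boundaries and the host 172.26.10.21 (his rules use .21 where his prose says .1) are constructed for the example.

```python
"""Trace packets through two-sided manual NAT across a site-to-site VPN
whose encryption domains overlap. Constructed model, not vendor code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class NatRule:
    """Manual NAT rule as written in the thread: match the original
    src/dst, rewrite to the translated src/dst; None keeps 'original'."""
    orig_src: str
    orig_dst: str
    xlate_src: Optional[str] = None
    xlate_dst: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.orig_src)
                and ip_address(p.dst) in ip_network(self.orig_dst))

    def apply(self, p: Packet) -> Packet:
        return Packet(self.xlate_src or p.src, self.xlate_dst or p.dst)


def translate(rules: Sequence[NatRule], p: Packet) -> Packet:
    """First matching rule wins, like a rulebase; no match leaves it alone."""
    for rule in rules:
        if rule.matches(p):
            return rule.apply(p)
    return p


def in_domain(addr: str, domain: Sequence[str]) -> bool:
    return any(ip_address(addr) in ip_network(n) for n in domain)


@dataclass(frozen=True)
class Site:
    name: str
    lan: List[str]            # real networks behind this firewall
    local_domain: List[str]   # what the gateway encrypts as "mine"
    remote_domain: List[str]  # what it encrypts as "the peer's"
    nat_rules: List[NatRule]


def send(origin: Site, peer: Site, p: Packet) -> dict:
    """One packet: origin NAT -> tunnel -> peer NAT -> LAN delivery."""
    into_tunnel = translate(origin.nat_rules, p)
    if not (in_domain(into_tunnel.src, origin.local_domain)
            and in_domain(into_tunnel.dst, origin.remote_domain)):
        raise ValueError(f"{origin.name}: {into_tunnel} not covered by encryption domains")
    delivered = translate(peer.nat_rules, into_tunnel)
    # The overlap problem: if the peer LAN sees a source inside one of its
    # own networks, the reply is routed locally and never hits the tunnel.
    if in_domain(delivered.src, peer.lan):
        raise ValueError(f"{peer.name}: reply to {delivered.src} would stay on the local LAN")
    return {"tunnel": into_tunnel, "delivered": delivered}


# Oscar's side, built from the two rules he lists (assumed /16 and /24 domains).
LOCAL = Site(
    name="local-checkpoint",
    lan=["172.26.0.0/16", "10.10.10.0/24"],           # both sites use both ranges
    local_domain=["172.26.0.0/16"],
    remote_domain=["10.10.10.0/24", "11.11.11.0/24"],  # his group object
    nat_rules=[
        # 1st rule, remote to local: present the peer's real 10.10.10.1 as 11.11.11.1
        NatRule("10.10.10.1/32", "172.26.10.21/32", xlate_src="11.11.11.1"),
        # 2nd rule, local to remote: un-NAT 11.11.11.1 to the real 10.10.10.1
        NatRule("172.26.10.21/32", "11.11.11.1/32", xlate_dst="10.10.10.1"),
    ],
)
# Remote side: assumed mirror image (172.26.x.x presented there as 172.27.x.x).
REMOTE = Site(
    name="remote-firewall",
    lan=["172.26.0.0/16", "10.10.10.0/24"],
    local_domain=["10.10.10.0/24"],
    remote_domain=["172.26.0.0/16", "172.27.0.0/16"],
    nat_rules=[
        NatRule("172.26.10.21/32", "10.10.10.1/32", xlate_src="172.27.10.21"),
        NatRule("10.10.10.1/32", "172.27.10.21/32", xlate_dst="172.26.10.21"),
    ],
)


def round_trip() -> dict:
    """Local server talks to the NAT alias 11.11.11.1; the peer replies."""
    request = send(LOCAL, REMOTE, Packet("172.26.10.21", "11.11.11.1"))
    seen_by_peer = request["delivered"]
    reply = send(REMOTE, LOCAL, Packet(seen_by_peer.dst, seen_by_peer.src))
    return {"request": request, "reply": reply}


def without_remote_nat() -> Optional[str]:
    """Same request when the remote firewall has no NAT rules at all."""
    broken = Site("remote-no-nat", REMOTE.lan, REMOTE.local_domain, REMOTE.remote_domain, [])
    try:
        send(LOCAL, broken, Packet("172.26.10.21", "11.11.11.1"))
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    for leg, hops in round_trip().items():
        print(leg, hops)
    print(without_remote_nat())
```

Run it directly to see the request and the reply as they appear inside the tunnel and as each LAN host sees them: inside the tunnel only real-to-real addresses travel, and each LAN host only ever sees the peer under its NAT alias. `without_remote_nat()` shows why the rules are needed on both sides, not just on the Check Point: with the remote firewall passing the source through untouched, 10.10.10.1 would answer to a 172.26.x.x address that exists on its own LAN.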

On Thu, 16 Dec 2010 13:07 GMT Gary Scott wrote:

>Correct, VPN and routing will fail unless you NAT to unique addresses. You
>could NAT to an RFC 1918 IP as long as this does not conflict with the other
>side(s); most use real IPs if they can afford them.
>
>
>
>
>________________________________
>From: Peter Addy <wavema...@yahoo.com>
>To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
>Sent: Thu, December 16, 2010 2:48:02 AM
>Subject: Re: [FW-1] IP address conflicts within Encryption domains in VPN's
>
>Thanks, will give this a whirl. I don't think the other side (Cisco) have given
>us a NAT to the 10.x, so will see if they can provide us one, as I guess we need
>one and we cannot target the real 10.x?
>Cheers
>
>On Wed, 15 Dec 2010 17:47 GMT Gary Scott wrote:
>
>>Does this make sense? The Cisco side would be configured the same but with the
>>remote and local roles reversed.
>>
>>local enc domain is 10.1.1.1
>>remote enc domain is 10.1.1.1
>>
>>local NAT to 2.2.2.2
>>remote NAT to 3.3.3.3
>>
>>object VPN domain:
>>local enc domain is 10.1.1.1 and 2.2.2.2
>>remote enc domain is 3.3.3.3
>>
>>NAT rule:
>>NAT rule outgoing -> 10.1.1.1 to 3.3.3.3, / leave src and dst original
>>NAT rule incoming -> 3.3.3.3 to 2.2.2.2, / original, dst->10.1.1.1
>>
>>Routing:
>>local route for 3.3.3.3 needs to go out CP VPN endpoint IP interface
>>remote route for 2.2.2.2 needs to go out cisco VPN endpoint IP interface
>>10.1.1.1 needs to route back to gateway for 3.3.3.3 on CP side
>>10.1.1.1 needs to route back to gateway for 2.2.2.2 on cisco side
>>
>>Policy rule:
>>configured as needed
>>
>>
>> 
>>
>>
>>
>>________________________________
>>From: Peter Addy <wavema...@yahoo.com>
>>To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
>>Sent: Wed, December 15, 2010 11:43:13 AM
>>Subject: Re: [FW-1] IP address conflicts within Encryption domains in VPN's
>>
>>Thanks, I have seen this, but from my details below does anyone know why it
>>would not work? Has anyone experienced this problem? The other end (Cisco) sees the
>>11.x.x.x but it is not a valid SA, so should they have this in their enc dom?
>>Can you see an issue with the config proposed? Thanks
>>
>>On Wed, 15 Dec 2010 13:36 GMT Gary Scott wrote:
>>
>>>Take a look at sk12870
>>>
>>>
>>>
>>>
>>>________________________________
>>>From: Peter Addy <wavema...@yahoo.com>
>>>To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
>>>Sent: Wed, December 15, 2010 8:09:35 AM
>>>Subject: Re: [FW-1] IP address conflicts within Encryption domains in VPN's
>>>
>>>Thanks, looks like I need further guidance.
>>>
>>>Here is what I have for our NAT rule:
>>>
>>>NAT RULE
>>>Original Source > Host server on a 23.x.x.x/32
>>>Original Destination > host address 11.160.x.x/32
>>>
>>>Translated
>>>Source > hide NAT of 147.x.x.x/32 to leave out from the firewall
>>>Dest > host 10.230.x.x which is the real machine on the other firewall side
>>>
>>>Policy rule simply reads
>>>
>>>23.x.x.x/32 to 11.160.x.x/32
>>>
>>>This is a VPN from Check Point to a Cisco, so I moved this and created a new
>>>community to use one VPN tunnel per each pair of hosts.
>>>
>>>There is no route for 10.230.x.x, not sure if I need one, and not sure if I
>>>need a NAT rule back; if so, which way? The connection is from us to the Cisco, so
>>>should it not be all stateful?
>>>
>>>Also for the encryption domain for the Cisco I have placed in the 11.160.x.x,
>>>as this is where the connection from our server 23.x.x.x/32 first goes to, but
>>>why would this be needed? Would have thought for the enc dom only the
>>>147.x.x.x/32 was required, and on the other end the Cisco has in its encryption
>>>domain host 10.230.x.x/32 and 147.x.x.x/32; not sure if they also need the
>>>11.160.x.x/32??
>>>
>>>Our Check Points sit between the Cisco ASA's outer and inner, so we have to NAT.
>>>
>>>If this was Check Point to Check Point, I don't think we would have had this issue.
>>>
>>>Any ideas, please let me know, as I have quite a few other Cisco VPNs that need
>>>doing.
>>>
>>>
>>>Many Thanks
>>>
>>>
>>>
>>>
>>>________________________________
>>>From: Peter Addy <wavema...@yahoo.com>
>>>To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
>>>Sent: Wed, 1 December, 2010 7:25:55
>>>Subject: Re: [FW-1] IP address conflicts within Encryption domains in VPN's
>>>
>>>Thanks everyone, plenty of suggestions here to think this through
>>>Thanks again
>>>
>>>On Tue Nov 30th, 2010 4:05 PM GMT Oscar Esquivel wrote:
>>>
>>>>Hello, I had a problem like this a few months ago... a lot of flavors to
>>>>choose... this is my choice:
>>>>
>>>>I use 172.26.x.x and they use 10.10.10.x, so nobody could use these
>>>>networks, because both sites use those IPs in our LAN.
>>>>So I chose to use NAT. I manually added a NAT rule, so network 10.10.10.x
>>>>translates to 11.11.11.x... they did the same thing... they did a NAT to
>>>>translate 172.26.x.x to 172.27.x.x...
>>>>
>>>>This is how traffic needed to flow:
>>>>My server 172.26.10.1 needed to reach 10.10.10.1... so what we did in the
>>>>application layer was that my server 172.26.10.1 was going to try
>>>>communication to 11.11.11.1 (NAT network) instead of 10.10.10.1... this was
>>>>done at the remote site too, but the opposite way... notice that at the
>>>>application layer we only changed to reach the NAT network instead of the real
>>>>network, but NAT is done at the Check Point firewall.
>>>>
>>>>In my firewall:
>>>>When source 172.26.10.1 needed to reach 11.11.11.1 (remote NAT network), my
>>>>firewall translated those packets to destination 10.10.10.1 and then sent the
>>>>packets to the remote site through the VPN connection.
>>>>
>>>>Remote firewall:
>>>>When source 10.10.10.1 needed to reach 172.27.10.21 (NAT network), their
>>>>firewall translated the packet to 172.26.10.21 and sent it to me inside the VPN
>>>>connection.
>>>>
>>>>NAT rules locally in my firewall:
>>>>
>>>>1st rule, from remote to local site
>>>>Original Packet Source --> 10.10.10.1 ------- Original Packet Destination --> 172.26.10.21 ---- Original Packet Service --> any
>>>>Translated Packet Source --> 11.11.11.1 ------- Translated Packet Destination --> 172.26.10.21 ---- Translated Packet Service --> any
>>>>
>>>>2nd rule, from local to remote site
>>>>Original Packet Source --> 172.26.10.21 ------- Original Packet Destination --> 11.11.11.1 ---- Original Packet Service --> any
>>>>Translated Packet Source --> original ------- Translated Packet Destination --> 10.10.10.1 ---- Translated Packet Service --> any
>>>>
>>>>Besides, I created a group where I put both networks, 10.10.10.x (original
>>>>network) and 11.11.11.x (NAT network), then I set it up as the remote topology
>>>>encryption domain.
>>>>
>>>>This worked fine for me, it's actually in a production environment. If you
>>>>have any doubt just let me know.
>>>>
>>>>Rgds..
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>-----Original Message-----
>>>>From: Mailing list for discussion of Firewall-1
>>>>[mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On behalf of Peter Addy
>>>>Sent: Tuesday, November 30, 2010 9:16 AM
>>>>To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
>>>>Subject: [FW-1] IP address conflicts within Encryption domains in VPN's
>>>>
>>>>Hi,
>>>>
>>>>Does anyone know of a way to get around a problem where, for example, both ends of a
>>>>site-to-site VPN have 10.x.x.x, 172.x.x.x etc. addresses on their internal network,
>>>>so this therefore causes a conflict within each encryption domain?
>>>>
>>>>If one side is not able to change then what options are there? What if both
>>>>sites cannot change their internal IP addressing?
>>>>
>>>>What are ways to get around IP conflicts in VPNs? Has anyone come across this
>>>>and got any ideas?
>>>>
>>>>Thanks
>>>>
>>>>
>>>>
>>>>
>>>>=================================================
>>>>To set vacation, Out-Of-Office, or away messages,
>>>>send an email to lists...@amadeus.us.checkpoint.com
>>>>in the BODY of the email add:
>>>>set fw-1-mailinglistnomail
>>>>=================================================
>>>>To unsubscribe from this mailing list,
>>>>please see the instructions at
>>>>http://www.checkpoint.com/services/mailing.html
>>>>=================================================
>>>>If you have any questions on how to change your
>>>>subscription options, email
>>>>fw-1-ow...@ts.checkpoint.com
>>>>=================================================
>>>>
>>>>Notice of Confidentiality:
>>>>
>>>>The information contained in this communication is intended solely for the
>>>>use of the individual or entity to whom it is addressed and others authorized
>>>>to receive it. It may contain confidential or legally privileged information.
>>>>If you are not the intended recipient you are hereby notified that any
>>>>disclosure, copying, distribution or taking any action in reliance on the
>>>>contents of this information is strictly prohibited and may be unlawful. If
>>>>you have received this communication in error, please notify us immediately
>>>>by responding to this email and then delete it from your system.
>>>>
>>>>Scanned by Check Point Total Security Gateway.
>>>>