CheckPoint VPN Gateway with private IP address.

Last Modified: 2013-11-16
Dear Sir/Madam
    I have trouble with how to implement the complex VPN solution described as follows.
   
    I have CheckPoint Firewalls (clustering with StoneBeat) at my data center, and they are open to the internet. Our customer would like to join our facilities and data network. The customer needs to secure the data transfer from outside with SecuRemote passing through our CheckPoint Cluster, and needs the packets to be decrypted at his CheckPoint firewall.
 
    Let's say he comes from the internet by means of the SecuRemote software and wishes to establish the VPN connection at his CheckPoint VPN Gateway.
 
    The problem occurs because whenever the customer moves to our facility, his CheckPoint has to be assigned one of our private IP addresses (previously public IP addresses). The question is how to satisfy the customer's need (establishing a VPN connection to his CheckPoint Gateway).
 

If you use SecuRemote, the customer decrypts not at his firewall but at his workstation.
So if you would like to do that, you need to add his private IP to your topology information. But it seems the easiest way would be a VPN from gateway to gateway instead of client to gateway.
You need to clear some things up, because your statement is dubious.
If he likes to make a connection to his firewall, he just has to put in his IP as a new site. If this IP is private, he needs to add the NAT IP address, which would be his public address if it goes over the internet. If you like to do that, you need to add the public NAT IP address to the topology information of your VPN. Otherwise your client cannot connect to download the topology map.

Author

Commented:
Let me explain more.

Illustration

Client PC with SecuRemote ======> My CheckPoint Clustering -------- His CheckPoint VPN GW.
    (Public IP Address)                (Public IP Address)            (Private IP Address)



In this diagram, the customer wants to establish a Client-to-Site VPN with "His CheckPoint VPN Gateway", which is assigned a private IP address.
Well, on your firewall you should add a NAT rule for HIS CheckPoint VPN GW.
That NAT IP address, which would be public, should be defined in HIS VPN GW object in the SmartDashboard.
That way SecuRemote understands that the FIREWALL is NATted.
Although I would not recommend this. I would do SecuRemote to your firewall and, if needed, I would set up a VPN between your FW and his VPN GW.
If you allow it directly, this means that you make traffic possible from the PUBLIC internet towards HIS VPN GW, meaning you make a piece of your private network public.
My proposition would be


CLIENT PC SecuRemote ======> MY CheckPoint cluster ===========> His VPN GW
                 SecuRemote VPN                 Gateway-to-gateway VPN

Author

Commented:
Dear bloemkool1980

Truly said, I might not be able to set it up as you suggested in your proposition above.

I really need the solution as depicted, and I'm not so sure it will be possible?

Since, after my cluster firewall NATs the traffic, will HIS CheckPoint VPN be able to recognize whether it is the real VPN from SecuRemote?

And how to configure the VPN in HIS firewall? For instance, should it be the public or the private IP (after NAT) when configuring HIS VPN gateway IP address?