CheckPoint VPN Gateway with private IP address.

Dear Sir/Madam,

I have trouble with how to implement the complex VPN solution, as follows.

I have CheckPoint firewalls (clustered with StoneBeat) at my data center, and they are open to the internet. Our customer would like to join our facilities and data network. The customer needs to secure the data transfer from outside with SecuRemote, passing through our CheckPoint cluster, and needs the packets to be decrypted at his CheckPoint firewall.

Let's say he comes from the internet by means of the SecuRemote software and wishes to establish the VPN connection at his CheckPoint VPN gateway.

The problem occurs that whenever the customer moves to our facility, his CheckPoint has to be assigned our private IP addresses (previously public IP addresses). The question is how to satisfy the customer's need (establish a VPN connection to his CheckPoint gateway).
 
leumas asked:
 
bloemkool1980 commented:
If you do as I told you, your firewall is the only one that will see a connection from SecuRemote. The VPN between you and HIS will always be connected.
Then you do not have a problem, because from your firewall to HIS firewall it will only be private IP addresses, and from SecuRemote to your firewall only public addresses.
You just put in a rule to encrypt traffic from the SR network towards HIS network.
What you are asking is a lot of trouble and very hard to help with over a forum, as there is a lot of technical modification to do which I cannot do blindly.
0
 
bloemkool1980 commented:
If you use SecuRemote, the customer decrypts not at his firewall but at his workstation.
So if you want to do that, you need to add his private IP in your topology information. But it seems the easiest way would be a VPN from gateway to gateway instead of client to gateway.
You need to clear some things up, because your statement is dubious.
If he wants to make a connection to his firewall, he just has to put in his IP as a new site. If this IP is private, he needs to add the NAT IP address, which would be his public address if it goes over the internet. If you want to do that, you need to add the public NAT IP address in the topology information of your VPN. Otherwise your client cannot connect to download the topology map.
0
 
leumas (author) commented:
Let me explain more.

Illustration:

Client PC with SecuRemote ======> My CheckPoint Cluster -------- His CheckPoint VPN GW
    (Public IP Address)             (Public IP Address)           (Private IP Address)



In this diagram, the customer wants to establish a Client-to-Site VPN with "His CheckPoint VPN Gateway", which is assigned a "Private IP Address".
0
 
bloemkool1980 commented:
Well, on your firewall you should have a NAT rule for HIS CheckPoint VPN GW.
That NAT IP address, which would be public, should be defined in HIS VPN GW object in SmartDashboard.
That way SecuRemote understands that the FIREWALL is NATted.
Although I would not recommend this. I would do SecuRemote to your firewall and, if needed, I would set up a VPN between your FW and his VPN GW.
If you allow it directly, this means that you make traffic possible from the PUBLIC internet towards HIS VPN GW, meaning you make a piece of your private network public.
My proposition would be:


CLIENT PC SecuRemote ======> MY CheckPoint cluster ===========> His VPN GW
                      SecuRemote VPN                  Gateway-to-gateway VPN
0
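To make the two designs in this thread concrete, here is a small Python model written for this page (it is not the poster's configuration and not CheckPoint tooling). It encodes the decision rule bloemkool1980 describes: an internet-side SecuRemote client can only reach the customer's gateway behind the cluster if the gateway object advertises its NAT'd public address and the cluster holds a matching static NAT, and every such NAT makes an internal host addressable from the public internet. The cluster, NAT rule and gateway classes, and all addresses, are constructed for the example (documentation ranges, not real hosts).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RFC 1918 ranges: an internet-side client has no route to these, whatever the topology says.
RFC1918 = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16"))


def is_rfc1918(ip: str) -> bool:
    """True if ip is a private (RFC 1918) address."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class StaticNat:
    """One static NAT entry on the cluster: internet-facing address <-> internal address."""
    public: str
    private: str


@dataclass(frozen=True)
class Cluster:
    """Hypothetical model of the asker's edge cluster: its public address plus static NAT table."""
    public_ip: str
    nat_rules: tuple = ()

    def translate_inbound(self, dst_ip: str):
        """Internal address an internet-sourced packet to dst_ip lands on, or None if no NAT matches."""
        for rule in self.nat_rules:
            if rule.public == dst_ip:
                return rule.private
        return None


def direct_client_to_gateway(advertised_ip: str, cluster: Cluster, gateway_private_ip: str):
    """The design the asker wants: the SecuRemote site definition points at the customer's
    gateway behind the cluster, using the address published in that gateway's object.
    Returns (reachable, reason)."""
    if is_rfc1918(advertised_ip):
        return False, "gateway object advertises a private address; an internet client cannot route to it"
    landing = cluster.translate_inbound(advertised_ip)
    if landing is None:
        return False, "cluster has no static NAT for the advertised address"
    if landing != gateway_private_ip:
        return False, f"static NAT lands on {landing}, not on the gateway"
    return True, "reachable: gateway object carries its NAT address and the cluster translates it"


def client_to_cluster_then_gateway_to_gateway(cluster: Cluster, gateway_private_ip: str):
    """The recommended design: the client VPN terminates on the cluster and a separate
    gateway-to-gateway tunnel carries traffic onward over private addressing.
    Returns the two legs as (source, destination, address space of the destination)."""
    return [
        ("secureremote-client", cluster.public_ip, "public"),
        (cluster.public_ip, gateway_private_ip, "private"),
    ]


def exposed_internal_hosts(cluster: Cluster) -> set:
    """Internal hosts that traffic from the public internet can land on through the
    cluster's static NAT: the 'piece of your private network made public'."""
    return {rule.private for rule in cluster.nat_rules}


# Constructed sample addressing for the example.
CUSTOMER_GW_PRIVATE = "10.20.0.5"
CUSTOMER_GW_NAT = "203.0.113.20"
CLUSTER_NO_NAT = Cluster(public_ip="203.0.113.1")
CLUSTER_WITH_NAT = Cluster(public_ip="203.0.113.1",
                           nat_rules=(StaticNat(CUSTOMER_GW_NAT, CUSTOMER_GW_PRIVATE),))

if __name__ == "__main__":
    cases = [
        ("private address advertised", CUSTOMER_GW_PRIVATE, CLUSTER_WITH_NAT),
        ("NAT address advertised, no NAT rule", CUSTOMER_GW_NAT, CLUSTER_NO_NAT),
        ("NAT address advertised, static NAT present", CUSTOMER_GW_NAT, CLUSTER_WITH_NAT),
    ]
    for label, advertised, cluster in cases:
        print(label, "->", direct_client_to_gateway(advertised, cluster, CUSTOMER_GW_PRIVATE))
    print("exposed with direct design:", exposed_internal_hosts(CLUSTER_WITH_NAT))
    print("exposed with recommended design:", exposed_internal_hosts(CLUSTER_NO_NAT))
    print("legs:", client_to_cluster_then_gateway_to_gateway(CLUSTER_NO_NAT, CUSTOMER_GW_PRIVATE))
```

The model shows why the direct design needs the NAT address in the gateway object (a private address in the topology never reaches the client) and why the recommended design leaves the exposure set empty: the only internet-facing address is the cluster's own, and the second leg runs entirely on private addressing.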
 
leumas (author) commented:
Dear bloemkool1980,

Truly said, I might not be able to set it up as you suggested in your proposition above.

I really need the solution as depicted. And I'm not so sure it will be possible?

Since, after my cluster firewall NATs the traffic, will HIS CheckPoint VPN be able to recognize whether it is the real VPN from SecuRemote or not?

And how to configure HIS firewall VPN? For instance, should it be the public or the private IP (after NAT) when configuring HIS VPN gateway IP address?
0