
CheckPoint VPN Gateway with private IP address.

Dear Sir/Madam,

I have trouble with how to implement the complex VPN solution as follows.

I have CheckPoint firewalls (clustering with StoneBeat) at my data center, and they are open to the internet. Our customer would like to join our facilities and data network. The customer needs to secure the data transfer from outside with SecuRemote, passing through our CheckPoint cluster, and needs the packets to be decrypted at his CheckPoint firewall.

Let's say he comes from the internet by means of the SecuRemote software and wishes to establish the VPN connection at his CheckPoint VPN gateway.

The problem is that whenever the customer moves to our facility, his CheckPoint has to be assigned one of our private IP addresses (previously public IP addresses). The question is how to satisfy the customer's need (establish a VPN connection to his CheckPoint gateway).
 
Asked by leumas
1 Solution
 
bloemkool1980 Commented:
If you use SecuRemote, the customer decrypts not at his firewall but at his workstation.
So if you want to do that, you need to add his private IP in your topology information. But it seems the easiest way would be a VPN from gateway to gateway instead of client to gateway.
You need to clear some things up, because your statement is dubious.
If he wants to make a connection to his firewall, he just has to put in his IP as a new site. If this IP is private, he needs to add the NAT IP address, which would be his public address if it goes over the internet. If you want to do that, you need to add the public NAT IP address in the topology information of your VPN. Otherwise your client cannot connect to download the topology map.
 
leumas (Author) Commented:
Let me explain more.

Illustration

Client PC with SecuRemote ======> My CheckPoint cluster -------- His CheckPoint VPN GW
   (public IP address)             (public IP address)          (private IP address)

In this diagram, the customer wants to establish a client-to-site VPN with "his CheckPoint VPN gateway, which is assigned a private IP address".
 
bloemkool1980 Commented:
Well, on your firewall you should add a NAT rule for HIS CheckPoint VPN GW.
That NAT IP address, which would be public, should be defined in HIS VPN GW object in the SmartDashboard.
That way SecuRemote understands that the FIREWALL is NATed.
Although I would not recommend this. I would do SecuRemote to your firewall and, if needed, I would set up a VPN between your FW and his VPN GW.
If you allow it directly, this means that you make traffic possible from the PUBLIC internet towards HIS VPN GW, meaning you make a piece of your private network public.
My proposition would be:

CLIENT PC SecuRemote ======> MY CheckPoint cluster ===========> His VPN GW
              SecuRemote VPN                  gateway-to-gateway VPN
 
leumas (Author) Commented:
Dear bloemkool1980,

Truly said, I might not be able to set it up as you suggested in your proposition above.

I really need the solution as depicted, and I'm not so sure it will be possible.

Since, after my cluster firewall NATs the traffic, will HIS CheckPoint VPN be able to recognize whether it is the real VPN from SecuRemote or not?

And how to configure HIS firewall VPN? For instance, should it be the public or private IP (after NAT) when configuring HIS VPN gateway IP address?
 
bloemkool1980 Commented:
If you do as I told you, your firewall is the only one that will see a connection from SecuRemote. The VPN between you and HIS will always be connected.
Then you do not have a problem, because from your firewall to HIS firewall there will only be private IP addresses, and from SecuRemote to your firewall only public addresses.
You just put in a rule to encrypt traffic from the SR network towards HIS network.
What you are asking is a lot of trouble and very hard to help with over a forum, as there is a lot of technical modification to do which I cannot do blindly.
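As an added illustration (not code from the thread, and not Check Point configuration): a small Python model of the two points bloemkool1980 makes above. First, the address a SecuRemote client is given for a gateway is the NAT address defined on the gateway object, and a bare RFC 1918 address is useless as a site for a client on the internet. Second, an exposure check over a toy rulebase shows which private hosts an arbitrary internet source can reach on IKE in the "direct to HIS gateway via NAT" design versus the recommended "SecuRemote to the cluster, gateway-to-gateway onward" design. All addresses are constructed (RFC 5737 documentation ranges and RFC 1918 space), and translating the destination before the rule lookup is a modelling choice for this example, not a statement about how any real product orders NAT and inspection.

```python
"""Toy model of the two VPN designs discussed in the thread (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Set

ANY = ip_network("0.0.0.0/0")
IKE_UDP = 500  # IKE; the port only labels the toy rules

# Constructed sample addressing (RFC 5737 public-looking ranges, RFC 1918 inside)
PRIVATE_NET = ip_network("10.0.0.0/8")        # our data-centre LAN
CLUSTER_VIP = ip_address("198.51.100.1")      # our cluster, public side
HIS_GW_REAL = ip_address("10.10.10.1")        # his gateway once it sits in our LAN
HIS_GW_NAT = ip_address("198.51.100.2")       # public NAT address published for it
SOME_SERVER = ip_address("10.20.30.40")       # an unrelated internal host
INTERNET_CLIENT = ip_address("203.0.113.7")   # a SecuRemote user somewhere outside
PRIVATE_HOSTS = [HIS_GW_REAL, SOME_SERVER]

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Gateway:
    """A VPN gateway object: real address plus the optional NAT address
    the answer says to define on HIS gateway object."""
    name: str
    real_ip: IPv4Address
    nat_ip: Optional[IPv4Address] = None


def site_address(gw: Gateway) -> IPv4Address:
    """Address a SecuRemote client would use as the 'site' for this gateway."""
    return gw.nat_ip or gw.real_ip


def reachable_from_internet(addr: IPv4Address) -> bool:
    """An RFC 1918 address is not routable from the internet, so a client
    outside can neither download the topology nor start IKE to it."""
    return not any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    port: Optional[int]   # None matches any port
    accept: bool


@dataclass
class Design:
    name: str
    static_nat: Dict[IPv4Address, IPv4Address]   # published address -> real address
    rules: List[Rule]                            # first match wins

    def permits(self, src: IPv4Address, dst: IPv4Address, port: int) -> bool:
        """Translate the destination, then walk the rulebase (modelling choice)."""
        real_dst = self.static_nat.get(dst, dst)
        for r in self.rules:
            if src in r.src and real_dst in r.dst and r.port in (None, port):
                return r.accept
        return False


def exposed_private_hosts(design: Design, internet_src: IPv4Address,
                          candidates: List[IPv4Address]) -> Set[IPv4Address]:
    """Private hosts the internet source can reach on IKE, either because they
    are directly routable or because a NAT address for them is published."""
    exposed = set()
    for host in candidates:
        published = {pub for pub, real in design.static_nat.items() if real == host}
        targets = [t for t in {host} | published if reachable_from_internet(t)]
        if any(design.permits(internet_src, t, IKE_UDP) for t in targets):
            exposed.add(host)
    return exposed


def direct_design() -> Design:
    """What the question asks for: publish HIS gateway through NAT on our
    cluster and let internet SecuRemote clients terminate on it."""
    return Design(
        name="direct client-to-HIS-gateway",
        static_nat={HIS_GW_NAT: HIS_GW_REAL},
        rules=[
            Rule(ANY, ip_network(f"{HIS_GW_REAL}/32"), IKE_UDP, True),
            Rule(ANY, ip_network(f"{CLUSTER_VIP}/32"), IKE_UDP, True),
            Rule(ANY, ANY, None, False),
        ],
    )


def recommended_design() -> Design:
    """The answer's proposal: SecuRemote terminates on our cluster; HIS gateway
    only ever speaks IKE with addresses inside our private network."""
    return Design(
        name="SecuRemote to cluster, gateway-to-gateway onward",
        static_nat={},
        rules=[
            Rule(ANY, ip_network(f"{CLUSTER_VIP}/32"), IKE_UDP, True),
            Rule(PRIVATE_NET, ip_network(f"{HIS_GW_REAL}/32"), IKE_UDP, True),
            Rule(ANY, ANY, None, False),
        ],
    )


def compare() -> Dict[str, Set[IPv4Address]]:
    """Exposure of each design to an arbitrary internet source."""
    return {d.name: exposed_private_hosts(d, INTERNET_CLIENT, PRIVATE_HOSTS)
            for d in (direct_design(), recommended_design())}


if __name__ == "__main__":
    his_gw = Gateway("his-gw", HIS_GW_REAL)
    print("site without NAT:", site_address(his_gw),
          "reachable:", reachable_from_internet(site_address(his_gw)))
    his_gw_nat = Gateway("his-gw", HIS_GW_REAL, HIS_GW_NAT)
    print("site with NAT:   ", site_address(his_gw_nat),
          "reachable:", reachable_from_internet(site_address(his_gw_nat)))
    for name, hosts in compare().items():
        print(f"{name}: exposed private hosts = {sorted(map(str, hosts)) or 'none'}")
```

The model makes the trade-off in the thread concrete: publishing a NAT address for HIS gateway is exactly what lets the SecuRemote client find it, and it is also exactly what puts a host inside the private network on the internet-facing attack surface. In the recommended design the only IKE listener reachable from outside is the cluster itself, and HIS gateway's peer is always a private address.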