Solved

CheckPoint VPN Gateway with private IP address.

Posted on 2004-04-07
835 Views
Last Modified: 2013-11-16
Dear Sir/Madam,

I have trouble with how to implement the complex VPN solution, as follows.

I have CheckPoint firewalls (clustering with StoneBeat) at my data center, and they are open to the internet. Our customer would like to join our facilities and data network. The customer needs to secure the data transfer from outside with SecuRemote, passing through our CheckPoint cluster, and needs the packets to be decrypted at his CheckPoint firewall.

Let's say he comes from the internet by means of the SecuRemote software and wishes to establish the VPN connection at his CheckPoint VPN gateway.

The problem is that whenever the customer moves to our facility, his CheckPoint has to be assigned with our private IP addresses (previously public IP addresses). The question is how to satisfy the customer's need (establish a VPN connection to his CheckPoint gateway).
 
Question by:leumas
5 Comments
 
LVL 6

Expert Comment

by:bloemkool1980
If you use SecuRemote the customer decrypts not at his firewall but at his workstation.
So if you want to do that you need to add his private IP in your topology information. But it seems the easiest way would be a VPN from gateway to gateway instead of client to gateway.
You need to clear some things up because your statement is dubious.
If he wants to make a connection to his firewall he just has to put in his IP as a new site. If this IP is private he needs to add the NAT IP address, which would be his public address if it goes over the internet. If you want to do that you need to add the public NAT IP address in the topology information of your VPN. Otherwise your client cannot connect to download the topology map.
 

Author Comment

by:leumas
Let me explain more.

Illustration

Client PC with SecuRemote ======> My CheckPoint Cluster -------- His CheckPoint VPN GW
    (Public IP Address)             (Public IP Address)           (Private IP Address)

In this diagram, the customer wants to establish a Client-to-Site VPN with "His CheckPoint VPN Gateway", which is assigned a "Private IP Address".
 
LVL 6

Expert Comment

by:bloemkool1980
Well, on your firewall you should make a NAT rule for HIS CheckPoint VPN GW.
That NAT IP address, which would be public, should be defined in HIS VPN GW object in SmartDashboard.
That way SecuRemote understands that the FIREWALL is NATed.
Although I would not recommend this. I would do SecuRemote to your firewall and, if needed, I would set up a VPN between your FW and his VPN GW.
If you allow it directly this means that you make traffic possible from the PUBLIC internet towards HIS VPN GW, meaning you make a piece of your private network public.
My proposition would be:

CLIENT PC SecuRemote ======> MY CheckPoint cluster ===========> His VPN GW
                 SecuRemote VPN                 Gateway-to-gateway VPN
 

Author Comment

by:leumas
Dear bloemkool1980,

Truly said, I might not be able to set it up as you suggested in your proposition above.

I really need the solution as depicted. And I'm not so sure it will be possible?

Since, after my cluster firewall NATs the traffic, will HIS CheckPoint VPN be able to recognize whether it is the real VPN from SecuRemote or not?

And how do I configure HIS firewall VPN? For instance, should it be the public or private IP (after NAT) when configuring HIS VPN gateway IP address?
 
LVL 6

Accepted Solution

by:bloemkool1980 (earned 500 total points)
If you do it how I told you, your firewall is the only one that will see a connection from SecuRemote. The VPN between you and HIS will always be connected.
Then you do not have a problem, because from your firewall to HIS firewall there will only be private IP addresses, and from SecuRemote to your firewall only public addresses.
You just put in a rule to encrypt traffic from the SR network towards HIS network.
What you are asking is a lot of trouble and very hard to help with over a forum, as there is a lot of technical modification to do which I cannot do blindly.
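The two designs discussed in this thread (NATing the customer's private-IP gateway to a public address so SecuRemote clients reach it directly, versus terminating SecuRemote on the cluster and running a gateway-to-gateway VPN to his gateway) can be compared mechanically. The following is an added example, not code from the thread or from Check Point: it models a cluster's rulebase plus static-NAT table with a tiny first-match rulebase evaluator, and reports which private hosts an arbitrary Internet source can reach for IKE in each design. It also reproduces the "NAT IP address in the gateway object" point: a SecuRemote client on the Internet has no usable site address for a gateway whose own address is private unless the object carries its public NAT address. All addresses (RFC 5737 documentation ranges and RFC 1918 space), the rule and object names, and the matcher itself are constructed assumptions, not Check Point syntax; real FireWall-1 matches security rules on pre-NAT addresses and the model does the same.

```python
"""Added example (not from the thread): compare the exposure of the two VPN
topologies discussed above. Addresses, rules and the matcher are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNET = "0.0.0.0/0"

# Constructed addresses (documentation ranges), standing in for the thread's hosts.
CLUSTER_PUBLIC = "203.0.113.10"     # "My CheckPoint cluster", Internet-facing
HIS_GW_PRIVATE = "10.20.0.1"        # "His CheckPoint VPN GW", now on our private space
HIS_GW_NAT_PUBLIC = "203.0.113.20"  # public address the cluster would NAT to him
HIS_NETWORK = "10.20.0.0/16"        # the network behind his gateway
SR_POOL = "10.99.0.0/24"            # addresses handed to SecuRemote clients


@dataclass(frozen=True)
class Rule:
    src: str       # CIDR, original (pre-NAT) source
    dst: str       # CIDR, original (pre-NAT) destination as the cluster sees it
    service: str   # "ike", "esp", or "any"
    action: str    # "accept", "encrypt", or "drop"


@dataclass(frozen=True)
class GatewayObject:
    name: str
    external_ip: str                 # address on the gateway's own interface
    nat_ip: Optional[str] = None     # public address entered when the gateway sits behind NAT


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def securemote_site_address(gw: GatewayObject) -> Optional[str]:
    """Address a SecuRemote client on the Internet must use as the 'site'.
    A gateway with a private address is only reachable if its object carries
    the public NAT address; None means the client cannot fetch the topology."""
    if not is_private(gw.external_ip):
        return gw.external_ip
    return gw.nat_ip


def matches(rule: Rule, src: str, dst: str, service: str) -> bool:
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and rule.service in (service, "any"))


def first_match(rulebase: List[Rule], src: str, dst: str, service: str) -> Optional[Rule]:
    """First-match evaluation; no match means the implicit drop."""
    for rule in rulebase:
        if matches(rule, src, dst, service):
            return rule
    return None


def exposed_private_hosts(rulebase: List[Rule], static_nat: Dict[str, str],
                          service: str = "ike") -> Set[str]:
    """Private hosts that some arbitrary Internet source can reach for `service`.
    Rules are matched on the public (pre-NAT) destination, then static NAT maps
    that public address to the private host, as the cluster would."""
    probe_src = "198.51.100.7"   # constructed: any host on the Internet
    exposed = set()
    for public, private in static_nat.items():
        rule = first_match(rulebase, probe_src, public, service)
        if rule is not None and rule.action in ("accept", "encrypt"):
            exposed.add(private)
    return exposed


# Design A ("the solution as depicted"): his gateway is NATed and Internet
# SecuRemote clients are allowed straight through to it for IKE and ESP.
DESIGN_A_NAT = {HIS_GW_NAT_PUBLIC: HIS_GW_PRIVATE}
DESIGN_A_RULES = [
    Rule(INTERNET, HIS_GW_NAT_PUBLIC + "/32", "ike", "accept"),
    Rule(INTERNET, HIS_GW_NAT_PUBLIC + "/32", "esp", "accept"),
]

# Design B (bloemkool1980's proposal): SecuRemote terminates on the cluster,
# and a rule encrypts SR-pool traffic towards HIS network over the gw-to-gw VPN.
DESIGN_B_NAT: Dict[str, str] = {}
DESIGN_B_RULES = [
    Rule(INTERNET, CLUSTER_PUBLIC + "/32", "ike", "accept"),
    Rule(SR_POOL, HIS_NETWORK, "any", "encrypt"),
]


def exposed_hosts_design_a() -> Set[str]:
    return exposed_private_hosts(DESIGN_A_RULES, DESIGN_A_NAT)


def exposed_hosts_design_b() -> Set[str]:
    return exposed_private_hosts(DESIGN_B_RULES, DESIGN_B_NAT)


if __name__ == "__main__":
    his_gw = GatewayObject("his-gw", HIS_GW_PRIVATE)
    print("site address without NAT IP in object:", securemote_site_address(his_gw))
    print("site address with NAT IP in object:   ",
          securemote_site_address(GatewayObject("his-gw", HIS_GW_PRIVATE, HIS_GW_NAT_PUBLIC)))
    print("design A private hosts reachable from Internet:", exposed_hosts_design_a())
    print("design B private hosts reachable from Internet:", exposed_hosts_design_b())
```

Running the block shows why the expert's reservation holds: in design A the customer's gateway, although on private addresses, appears in the set of hosts reachable from any Internet source, while in design B only the cluster's public address is listed in an Internet-facing rule and his gateway is reached solely through the encrypt rule from the SecuRemote pool.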