Solved

CheckPoint VPN Gateway with private IP address.

Posted on 2004-04-07
Last Modified: 2013-11-16
Dear Sir/Madam,

I have trouble with how to implement the complex VPN solution as follows.

I have CheckPoint firewalls (clustered with StoneBeat) at my data center, and they are open to the internet. Our customer would like to join our facilities and data network. The customer needs to secure the data transfer from outside with Secure Remote passing through our CheckPoint cluster, and needs the packets to be decrypted at his CheckPoint firewall.

Let's say he comes from the internet by means of the Secure Remote software and wishes to establish the VPN connection at his CheckPoint VPN gateway.

The problem is that whenever the customer moves to our facility, his CheckPoint has to be assigned our private IP addresses (previously public IP addresses). The question is how to satisfy the customer's need (establish a VPN connection to his CheckPoint gateway).
 
0
Question by:leumas
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 10774897
If you use Secure Remote, the customer decrypts not at his firewall but at his workstation.
So if you would like to do that, you need to add his private IP in your topology information. But it seems the easiest way would be a VPN from gateway to gateway instead of client to gateway.
You need to clear some things up because your statement is dubious.
If he likes to make a connection to his firewall, he just has to put in his IP as a new site. If this IP is private, he needs to add the NAT IP address, which would be his public address if it goes over the internet. If you would like to do that, you need to add the public NAT IP address in the topology information of your VPN. Otherwise your client cannot connect to download the topology map.
0
 

Author Comment

by:leumas
ID: 10780443
Let me explain more.

Illustration

Client PC with SecuRemote ======> My CheckPoint Clustering -------- His CheckPoint VPN GW
   (Public IP Address)              (Public IP Address)              (Private IP Address)

In this diagram, the customer wants to establish a Client-to-Site VPN with "His CheckPoint VPN Gateway" (which is assigned a "Private IP Address").
0
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 10781510
Well, on your firewall you should add a NAT rule for HIS CheckPoint VPN GW.
That NAT IP address, which would be public, should be defined in HIS VPN GW object in the SmartDashboard.
That way Secure Remote understands that the FIREWALL is NATed.
Although I would not recommend this. I would do Secure Remote to your firewall and, if needed, I would set up a VPN between your FW and his VPN GW.
If you allow it directly, this means that you make traffic possible from the PUBLIC internet towards HIS VPN GW, meaning you make a piece of your private network public.
My proposition would be:

CLIENT PC SecuRemote ======> MY CheckPoint cluster ======> His VPN GW
              (Secure Remote VPN)              (Gateway-to-gateway VPN)
0
 

Author Comment

by:leumas
ID: 10789093
Dear bloemkool1980

Truly said, I might not be able to set it up as you suggested in your proposition above.

I really need the solution as depicted. And I'm not so sure it will be possible?

Since, after my cluster firewall NATs the traffic, will HIS CheckPoint VPN be able to recognize whether it is the real VPN from SecuRemote or not?

And how should it be configured in HIS firewall VPN? For instance, should it be the public or the private IP (after NAT) when configuring HIS VPN gateway IP address?
0
 
LVL 6

Accepted Solution

by:
bloemkool1980 earned 1500 total points
ID: 10813042
If you do it how I told you, your firewall is the only one that will see a connection from Secure Remote. The VPN between you and HIS will always be connected.
Then you do not have a problem, because from your firewall to HIS firewall it will only be private IP addresses, and from Secure Remote to your firewall only public addresses.
You just put in a rule to encrypt traffic from the SR network towards HIS network.
What you are asking is a lot of trouble and very hard to help with over a forum, as there is a lot of technical modification to do which I cannot do blindly.
0
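
A small model of the two designs discussed in this thread, added here as an illustration and not code from any poster or from Check Point: it lists which private hosts become reachable from arbitrary Internet sources under each design. The addresses, the rule tuple format and the port list (IKE on udp/500, topology download on tcp/264) are constructed assumptions, not values from the thread.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed services a SecuRemote client must reach on a gateway.
VPN_SERVICES = [("udp", 500), ("tcp", 264)]

# Constructed sample addresses (documentation range and RFC 1918).
CLUSTER_PUB, HIS_GW_PUB = "203.0.113.1", "203.0.113.10"
CLUSTER_INT, HIS_GW_PRIV = "10.1.1.1", "10.1.1.5"

def is_private_host(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def from_internet(cidr):
    """True when the source range is not contained in private space."""
    net = ipaddress.ip_network(cidr)
    return not any(net.subnet_of(priv) for priv in RFC1918)

def exposed_private_hosts(static_nat, access_rules):
    """Return {(private_ip, proto, port)} reachable from Internet sources.

    static_nat:   {public_ip: private_ip} on the front cluster
    access_rules: [(src_cidr, dst_ip, proto, port)] accept rules
    """
    exposed = set()
    for src, dst, proto, port in access_rules:
        if not from_internet(src):
            continue
        real_dst = static_nat.get(dst, dst)  # destination after static NAT
        if is_private_host(real_dst):
            exposed.add((real_dst, proto, port))
    return exposed

# Design asked for: the client connects straight to HIS gateway through NAT.
# Roaming clients have no fixed address, so the source has to be "any".
DIRECT_NAT = {HIS_GW_PUB: HIS_GW_PRIV}
DIRECT_RULES = [("0.0.0.0/0", HIS_GW_PUB, p, n) for p, n in VPN_SERVICES]

# Design proposed: the client terminates on the cluster, which then runs a
# gateway-to-gateway VPN to HIS gateway over private addresses only.
CHAINED_NAT = {}
CHAINED_RULES = ([("0.0.0.0/0", CLUSTER_PUB, p, n) for p, n in VPN_SERVICES]
                 + [(CLUSTER_INT + "/32", HIS_GW_PRIV, "udp", 500)])

if __name__ == "__main__":
    print("direct :", sorted(exposed_private_hosts(DIRECT_NAT, DIRECT_RULES)))
    print("chained:", sorted(exposed_private_hosts(CHAINED_NAT, CHAINED_RULES)))
```
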
