Checkpoint site to site vpn overlapping subnet

anamops
I am trying to create a site to site VPN with a 3rd party firewall. The main problem is that my encryption domain is configured as 172.16.0.0/16 and the 3rd party's is 172.16.56.0/25 (so there is an overlap). However, in actuality our encryption domain is only using 172.16.0.0/24 IP addresses. I can't adjust my encryption domain subnet as there are over 15 site to site VPNs configured and this would impact those VPNs.

How can I configure a site to site VPN given that our subnets overlap? I found some documentation regarding making changes to my Checkpoint R62 user.def.NGCMP file (subnet per peer and subnet per range etc.) but it seems a bit vague. Does anyone have suggestions on configuring this outside of changing my encryption domain, which is not an option?


Thanks
Commented:
You can try and get the remote site to change their domain by doing a NAT to another IP range.
If the 2 sites have the same addressing scheme, i.e. 192.168.1.0/24 is the same LAN on both sites, then you need to carry out double NAT.

i.e. NAT your own LAN behind another range, i.e. 10.1.1.0/24, and the 2nd site LAN to be NATted behind another unique network, i.e. 172.16.1.0/24.

You have to NAT both sides to make sure that basic routing will work, i.e. if you don't NAT the 2nd site IP range, you will be sending traffic to their LAN on 192.168.1.0/24 as above, which will get to your router; it will see that 192.168.1.0 is local, so sends it back into your net.

HTH
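An added worked example (not from the original thread, and not Check Point's own configuration syntax) that models the problem and the double-NAT remedy described above: it checks whether the local encryption domain overlaps the peer's subnet, shows why a packet to an overlapping destination is routed locally instead of into the tunnel, and applies a static 1:1 NAT that maps each host to the same offset in a non-overlapping range. The addresses come from the question (172.16.0.0/16, 172.16.0.0/24, 172.16.56.0/25); the NAT ranges 10.200.0.0/24 and 10.200.56.0/25 are placeholders chosen for this example.

```python
import ipaddress

# Values from the question; the NAT ranges are constructed placeholders.
LOCAL_ENC_DOMAIN = "172.16.0.0/16"   # what the local gateway advertises
LOCAL_REAL_LAN = "172.16.0.0/24"     # what is actually in use locally
PEER_REAL_LAN = "172.16.56.0/25"     # the third party's encryption domain
LOCAL_NAT_RANGE = "10.200.0.0/24"    # placeholder hide range for our LAN
PEER_NAT_RANGE = "10.200.56.0/25"    # placeholder hide range for their LAN


def overlaps(net_a: str, net_b: str) -> bool:
    """True if the two prefixes share any address (the VPN conflict)."""
    return ipaddress.ip_network(net_a).overlaps(ipaddress.ip_network(net_b))


def routed_locally(dest: str, local_routes: list) -> bool:
    """Model the routing problem from the answer: if the destination falls
    inside a prefix the local router already considers its own, the packet
    is sent back into the local network rather than to the VPN peer."""
    d = ipaddress.ip_address(dest)
    return any(d in ipaddress.ip_network(r) for r in local_routes)


def static_nat(addr: str, real_net: str, nat_net: str) -> str:
    """Static 1:1 NAT: keep the host offset, swap the network part.
    Requires both prefixes to be the same size so every host has a slot."""
    real = ipaddress.ip_network(real_net)
    nat = ipaddress.ip_network(nat_net)
    ip = ipaddress.ip_address(addr)
    if ip not in real:
        raise ValueError(f"{addr} is not inside {real_net}")
    if real.prefixlen != nat.prefixlen:
        raise ValueError("real and NAT prefixes must be the same size")
    offset = int(ip) - int(real.network_address)
    return str(nat.network_address + offset)


def double_nat_plan(local_real: str, peer_real: str,
                    local_nat: str, peer_nat: str) -> dict:
    """Summarise the before/after state of a double-NAT design."""
    return {
        "overlap_before": overlaps(local_real, peer_real),
        "overlap_after": overlaps(local_nat, peer_nat),
        "local_seen_by_peer": local_nat,
        "peer_seen_by_local": peer_nat,
    }


if __name__ == "__main__":
    # The advertised /16 swallows the peer's /25.
    print("overlap:", overlaps(LOCAL_ENC_DOMAIN, PEER_REAL_LAN))
    # A packet for a peer host is treated as local traffic and never
    # reaches the tunnel.
    print("routed locally:", routed_locally("172.16.56.10", [LOCAL_ENC_DOMAIN]))
    # After NAT the same host is reached via a unique address.
    print("peer host via NAT:", static_nat("172.16.56.10", PEER_REAL_LAN, PEER_NAT_RANGE))
    print("routed locally after NAT:",
          routed_locally(static_nat("172.16.56.10", PEER_REAL_LAN, PEER_NAT_RANGE),
                         [LOCAL_ENC_DOMAIN]))
    print(double_nat_plan(LOCAL_REAL_LAN, PEER_REAL_LAN, LOCAL_NAT_RANGE, PEER_NAT_RANGE))
```

The model only illustrates the addressing logic; on a real gateway the NAT rules and the encryption domains still have to be defined so that each side encrypts traffic destined for the other side's NATted range, and the `static_nat` size check is there because a hide range smaller than the real LAN would silently drop hosts.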
