VPN Tunnel to Checkpoint NGX Firewall - Help needed.

OHITS-OPS
Level 1

Happy New Year to All...

I need to set up the following on my PIX running 6.3(5) code:

VPN tunnel to a partner company who is using Checkpoint NGX. The partner requires that I "hide" my internal IP address when communicating with them and use a public routable IP address.

My ISP has provided me an internet-routable IP address, say 213.251.x.x; my private network address is 10.x.x.x/24.

Basically, my partner requires that when traffic originates from my network they see an internet-routable IP address rather than my private IP address.

So my question is - How do I configure my PIX for the above VPN requirement?

If you need any further information then please let me know.

I would be most grateful if someone can guide me on this as this is very urgent.

5 Replies

hackworth.kenny
Level 1

Follow-up question(s). Are you given only 1 public IP from your ISP? And are communications to originate from both your side and their side, or from one side only?

Jon Marshall
Hall of Fame

Are you comfortable with configuring a site-to-site VPN tunnel on a Pix, and you just need to know how to NAT your source IP addresses?

Is this firewall just for the VPN connection, and is the ISP address (213.251.x.x) allocated to the external interface of your Pix firewall, or is it an additional address out of the same subnet range or a different subnet range?

Assuming you are comfortable with basic VPN setup and NAT, in essence you need to make sure that the access-list tied to your crypto map references the NATted address and not your source addresses, i.e. if the remote network you were accessing was 217.10.10.0/24, your crypto map access-list would look like:

access-list vpn permit ip host 213.251.x.x 217.10.10.0 255.255.255.0

If you need more info let me know.

HTH

Hi Jon, thanks for the reply.

I have the following setup; does this look OK to you?

access-list nat_to_customer permit ip host 10.1.1.100 195.172.x.0 255.255.255.0
access-list crypto_map_customer permit ip host 213.249.x.x 195.172.x.0 255.255.255.0
ip address outside 213.249.x.x 255.255.255.248
ip address inside 10.1.x.x 255.255.255.0
global (outside) 2 213.249.x.x
global (outside) 1 interface
nat (inside) 2 access-list nat_to_customer 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 213.249.x.x 1
sysopt connection permit-ipsec
crypto ipsec transform-set esp-3des esp-md5-hmac
crypto map testmap 1 ipsec-isakmp
crypto map testmap 1 match address crypto_map_customer
crypto map testmap 1 set peer 81.155.x.x
crypto map testmap 1 set transform-set
crypto map testmap interface outside
isakmp enable outside
isakmp key address 81.155.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600

I have a separate IP address allocated to the outside interface of the PIX, from the same IP range, as I have 10 public IP addresses to play with.

Can you confirm for me if this looks good? This is my first go at setting up a VPN tunnel!

Waiting to hear from you.

Looks okay to me.

Basically you are allowing one IP address (10.1.1.100) to access the remote 195.172.x.0/24 and NATting that client to 213.249.x.x.

Have you tried connecting yet?

Thanks for the sanity check Jon. All working!!
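A scripted form of the sanity check Jon describes (the crypto map access-list must reference the NATted address for the destination that the policy NAT covers, never the private source), added here as an example and not part of the thread. The sample configuration is constructed from the posted one with the x octets replaced by placeholder values; the function names are my own.

```python
import ipaddress
import re

# Constructed sample modelled on the PIX 6.3(5) config posted above;
# the redacted x octets are filled in with placeholder values.
PIX_CONFIG = """\
access-list nat_to_customer permit ip host 10.1.1.100 195.172.0.0 255.255.255.0
access-list crypto_map_customer permit ip host 213.249.0.2 195.172.0.0 255.255.255.0
global (outside) 2 213.249.0.2
global (outside) 1 interface
nat (inside) 2 access-list nat_to_customer 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map testmap 1 ipsec-isakmp
crypto map testmap 1 match address crypto_map_customer
"""

def _addr(tokens, i):
    """Consume one PIX ACL address term ('host A', 'any' or 'A MASK') as CIDR."""
    if tokens[i] == "host":
        return str(ipaddress.ip_network(tokens[i + 1] + "/32")), i + 2
    if tokens[i] == "any":
        return "0.0.0.0/0", i + 1
    net = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return str(net), i + 2

def parse_acl(config, name):
    """Return [(src, dst)] for every 'access-list <name> permit ip ...' line."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if t[:4] == ["access-list", name, "permit", "ip"]:
            src, i = _addr(t, 4)
            dst, _ = _addr(t, i)
            entries.append((src, dst))
    return entries

def check_crypto_acl(config):
    """Flag crypto ACL entries whose source is private or differs from the
    policy-NAT global address for that destination: such traffic is NATted
    first, then misses the tunnel and leaves via the default NAT in the clear."""
    nat_acl = dict(re.findall(r"^nat \(\w+\) (\d+) access-list (\S+)", config, re.M))
    globals_ = dict(re.findall(r"^global \(\w+\) (\d+) (\d+\.\d+\.\d+\.\d+)", config, re.M))
    expected = {}  # destination network -> post-NAT source the tunnel must match
    for nat_id, acl in nat_acl.items():
        if nat_id in globals_:
            for _, dst in parse_acl(config, acl):
                expected[dst] = globals_[nat_id] + "/32"
    problems = []
    for _, _, acl in re.findall(r"^crypto map (\S+) (\d+) match address (\S+)", config, re.M):
        for src, dst in parse_acl(config, acl):
            if ipaddress.ip_network(src).is_private:
                problems.append(f"{acl}: private source {src} will never match post-NAT traffic")
            elif expected.get(dst) not in (None, src):
                problems.append(f"{acl}: source {src} differs from NAT global {expected[dst]} for {dst}")
    return problems
```

Run against the posted configuration it returns no findings; swapping the crypto ACL source for the inside host reproduces the mistake Jon warns about.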
