Very simple... in your encryption domain use the translated address, such as 
172.19.19.x (host translated address), if you are both using 10.x.x.x in your 
internal networks.
In your security policy use both, original and translated address.

Best practice is to use single hosts instead of networks in both encryption 
domains (yours and the remote side's), especially when the other side is a Cisco 
Pix.

Also disable SUPERNETTING on the Checkpoint side. 
Checkpoint loves to combine networks into a supernet, assuming (wrongly, I may 
add) that the remote side is always another Checkpoint device.

On the remote side make sure it has defined the 172.19.19.x as the hosts for 
your Checkpoint VPN.

And .... the Cisco Pix side has to static translate each internal host (that 
needs to be part of the VPN) as 172.19.19.x.


(This is just an example; you can use any networks within the 172.16.x.x through 
172.31.x.x range or the 192.168.x.x range in the IANA reserved nets.)

I hope this will help
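An added example, not code from this thread or from Check Point or Cisco: a small Python check of the plan the reply describes (translated 172.19.19.x hosts as /32 entries in the encryption domain, one-to-one static NAT from RFC 1918 space, no overlap with the encryption domain of the other VPN). The VPN names and addresses are constructed sample values.

```python
import ipaddress

# RFC 1918 ranges the reply says the translated addresses should come from.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _nets(domain):
    return [ipaddress.ip_network(n, strict=False) for n in domain]

def overlapping_domains(domains):
    """Sorted (a, b) pairs of VPN names whose encryption domains overlap."""
    names, clashes = sorted(domains), []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if any(x.overlaps(y) for x in _nets(domains[a]) for y in _nets(domains[b])):
                clashes.append((a, b))
    return clashes

def not_single_hosts(domains):
    """Names of encryption domains that contain whole networks rather than /32 hosts."""
    return sorted(n for n, d in domains.items() if any(x.num_addresses > 1 for x in _nets(d)))

def check_static_nat(mapping, existing_domains):
    """Validate a static NAT plan (original host -> translated host) for a new peer
    against the encryption domains already in use. Returns a list of problems."""
    problems = []
    if len(set(mapping.values())) != len(mapping):
        problems.append("translated addresses are not unique; static NAT must be one-to-one")
    for orig, trans in mapping.items():
        t = ipaddress.ip_address(trans)
        if not any(t in p for p in RFC1918):
            problems.append(f"{trans} (for {orig}) is outside the RFC 1918 ranges")
        for name, d in existing_domains.items():
            if any(t in x for x in _nets(d)):
                problems.append(f"{trans} (for {orig}) collides with encryption domain of {name}")
    return problems

# Constructed sample: VPN "partnerA" already occupies 10.1.1.0/24 and the new peer
# "partnerB" numbers its hosts in the same range, so its hosts get 172.19.19.x.
EXISTING = {"partnerA": ["10.1.1.0/24"], "hq-lan": ["10.2.0.0/16"]}
PARTNER_B_NAT = {"10.1.1.10": "172.19.19.10", "10.1.1.11": "172.19.19.11"}

def plan_partner_b(mapping=PARTNER_B_NAT):
    """Put the translated addresses (as /32 hosts) in partnerB's domain and run all checks."""
    domains = dict(EXISTING, partnerB=[f"{t}/32" for t in mapping.values()])
    return {"overlaps": overlapping_domains(domains),
            "networks_not_hosts": not_single_hosts(domains),
            "nat_problems": check_static_nat(mapping, EXISTING)}

if __name__ == "__main__":
    print(plan_partner_b())  # clean plan: no overlaps, no NAT problems
    print(overlapping_domains(dict(EXISTING, partnerB=["10.1.1.0/24"])))  # original addresses clash
```

Putting partnerB's original 10.1.1.0/24 into its encryption domain is reported as an overlap with partnerA, which is the ambiguity the question worries about; the translated /32 hosts pass every check.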




----- Original Message ----
From: Sascha Picchiantano <[EMAIL PROTECTED]>
To: [email protected]
Sent: Sunday, April 15, 2007 10:36:08 AM
Subject: [FW-1] Another VPN and NAT question


Hi,

closely related to the other question I asked a couple of days ago, I 
was just thinking about how to configure a site-to-site VPN if the 
remote peer uses IP addresses that I already use in another VPN. I 
guess I could just NAT his address range to whatever I like and can 
work with, but what I can't figure out is what I would put into the 
encryption domain of the remote end's gateway object. His original 
addresses or the NAT addresses I defined?

I figure that if I use the original addresses, it might not work 
because I already have these addresses in another encryption domain 
and VPN-1 could not decide which VPN to use...? But if I use the NAT 
addresses, wouldn't I see tons of "no valid SA" entries in my log 
because within the VPN tunnel the IP addresses are different than 
those in the enc domain...?

Confusing. Hope my thoughts make sense to you and you can give me 
some enlightenment :)

Cheers
Sascha

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
