# ZyWall 35 to Checkpoint FW-1 VPN problem



## MartinFa (Feb 2, 2009)

I'm trying to set up site-to-site VPN from our ZyWall 35 to a customer's Checkpoint. One of the conditions is that we may only use/present public IP addresses through the tunnel as neither has any control over what subnet addresses are in use at the opposite end.

We have 2 servers on our LAN that I want to provide access to our customer to. I have public IP addresses for each of these.

They have provided me with a couple of (public) IP address ranges to configure.

We have exchanged pre-shared key information and all the other phase 1 and phase 2 settings and - by all accounts, looking at the ZyWall logs - it seems that the tunnel has been established.

However, I'm not able to successfully ping or telnet to any IP address they have given me. In the ZyWall log, I can see the ping being routed through the tunnel, but at the customer end, they don't see the ping being received. When I try to telnet, it fails to connect, though they do see the request coming through at their end being accepted by their firewall.

In order to present only public IP addresses through the VPN tunnel, I have set up a many-to-one virtual address mapping at our end - a kind of NAT over VPN, from what I understand. This means that whatever client computer at our end initiates the traffic, it will be mapped to a single public IP address before being sent out. Certainly the customer sees the requests coming from that single public IP address.

I have no idea what steps to take next to try to get this working. If anyone has any thoughts at all, I'd be very grateful to hear them.

And that's only half the problem! We have yet to attempt a connection to our servers initiated from their end. I don't see on the ZyWall how to map a public address coming in from the tunnel to a local LAN ip address.


----------

