https://community.checkpoint.com/t5/Cloud-Firewall/The-NAT-issue-on-CP-firewall-deployed-in-the-Azure/m-p/55983#M2938 <P>We have built tunnel between the CP firewall (FW1) in Azure and CP firewall(FW2) in On-Primese.</P><P>The FW1 is a cluster and has two gateways in it. IP of gateway 1 is 10.10.10.4, IP of gateway 2 is 10.10.10.5 and IP of Cluster is 10.10.10.6. Gateway 1 is active</P><P>The tunnel initiation traffic/Phase 1 traffic is sent by the FW2 from port 500 to port 500 of FW 1.</P><P>We have done packet capture on the gateway 1 of FW1 and found that the the FW1 is receiving the traffic on cluster IP sent by the FW2, both source and destination ports are 500.</P><P>The gateway1 of the FW1 is replying to the FW2 from port 500 to port 500 of FW2</P><P>In the next packet while the gateway 1 IP is getting translated to the cluster IP i.e, from 10.10.10.4 to 10.10.10.6 the source port is also getting translated from port 500 to random port. Below are the logs collected from gateway 1</P><P>[vs_0][fw_0] eth0:o[180]: X.X.X.X -&gt; 10.10.10.6 (UDP) len=180 id=20396<BR />UDP: 500 -&gt; 500<BR />[vs_0][fw_0] eth0:o[180]: 10.10.10.4 -&gt; X.X.X.X (UDP) len=180 id=10087<BR />UDP: 500 -&gt; 500<BR />[vs_0][fw_0] eth0:O[180]: 10.10.10.6 -&gt; X.X.X.X (UDP) len=180 id=10087<BR />UDP: 12410 -&gt; 500</P><P>&nbsp;</P><P>&nbsp;</P><P>Due to this the phase 1 of the tunnel is not getting established and the tunnel is not forming. Kindly provide a solution to this.</P> Mon, 17 Jun 2019 16:09:48 GMT Krishna 2019-06-17T16:09:48Z https://community.checkpoint.com/t5/Cloud-Firewall/The-NAT-issue-on-CP-firewall-deployed-in-the-Azure/m-p/55983#M2938 <P>We have built tunnel between the CP firewall (FW1) in Azure and CP firewall(FW2) in On-Primese.</P><P>The FW1 is a cluster and has two gateways in it. IP of gateway 1 is 10.10.10.4, IP of gateway 2 is 10.10.10.5 and IP of Cluster is 10.10.10.6. Gateway 1 is active</P><P>The tunnel initiation traffic/Phase 1 traffic is sent by the FW2 from port 500 to port 500 of FW 1.</P><P>We have done packet capture on the gateway 1 of FW1 and found that the the FW1 is receiving the traffic on cluster IP sent by the FW2, both source and destination ports are 500.</P><P>The gateway1 of the FW1 is replying to the FW2 from port 500 to port 500 of FW2</P><P>In the next packet while the gateway 1 IP is getting translated to the cluster IP i.e, from 10.10.10.4 to 10.10.10.6 the source port is also getting translated from port 500 to random port. Below are the logs collected from gateway 1</P><P>[vs_0][fw_0] eth0:o[180]: X.X.X.X -&gt; 10.10.10.6 (UDP) len=180 id=20396<BR />UDP: 500 -&gt; 500<BR />[vs_0][fw_0] eth0:o[180]: 10.10.10.4 -&gt; X.X.X.X (UDP) len=180 id=10087<BR />UDP: 500 -&gt; 500<BR />[vs_0][fw_0] eth0:O[180]: 10.10.10.6 -&gt; X.X.X.X (UDP) len=180 id=10087<BR />UDP: 12410 -&gt; 500</P><P>&nbsp;</P><P>&nbsp;</P><P>Due to this the phase 1 of the tunnel is not getting established and the tunnel is not forming. Kindly provide a solution to this.</P> Mon, 17 Jun 2019 16:09:48 GMT https://community.checkpoint.com/t5/Cloud-Firewall/The-NAT-issue-on-CP-firewall-deployed-in-the-Azure/m-p/55983#M2938 Krishna 2019-06-17T16:09:48Z https://community.checkpoint.com/t5/Cloud-Firewall/The-NAT-issue-on-CP-firewall-deployed-in-the-Azure/m-p/56013#M2939 Curious what evidence you have to suggest this change of port is causing the issue?<BR />What do logs or VPN debugs say? Tue, 18 Jun 2019 04:39:35 GMT https://community.checkpoint.com/t5/Cloud-Firewall/The-NAT-issue-on-CP-firewall-deployed-in-the-Azure/m-p/56013#M2939 PhoneBoy 2019-06-18T04:39:35Z https://community.checkpoint.com/t5/Cloud-Firewall/The-NAT-issue-on-CP-firewall-deployed-in-the-Azure/m-p/56017#M2940 The Phase 1 packets for the tunnel is exchanged between ports 500 or 4500 on both the ends, as the port is getting changed the other than these two , other end firewall will ignore/ drop the phase 1 traffic. Tue, 18 Jun 2019 05:40:29 GMT https://community.checkpoint.com/t5/Cloud-Firewall/The-NAT-issue-on-CP-firewall-deployed-in-the-Azure/m-p/56017#M2940 Krishna 2019-06-18T05:40:29Z https://community.checkpoint.com/t5/Cloud-Firewall/The-NAT-issue-on-CP-firewall-deployed-in-the-Azure/m-p/58244#M2941 The issue got resolved after no NAT rule is created for the cluster IP. Below is the no NAT rule added.<BR /><BR />Original Source: Cluster IP.<BR />Original Destination : Any<BR />Original port: IKE<BR /><BR />Translated Source: Cluster IP<BR />Translated destination : Original<BR />Translated Port : Original<BR /> Mon, 15 Jul 2019 09:56:19 GMT https://community.checkpoint.com/t5/Cloud-Firewall/The-NAT-issue-on-CP-firewall-deployed-in-the-Azure/m-p/58244#M2941 Krishna 2019-07-15T09:56:19Z