topic Re: Nat rule over tunnel/community in Firewall and Security Management

Nat rule over tunnel/community

PIAndre — Wed, 10 Apr 2019 20:04:02 GMT

Hi. Im trying to redirect traffic going out a gateway. I want to change the traffic flow from:

host_a (port 443) -> checkpoint_gateway -> internet -> public ip on host_b

to:

host_a (port 443) -> checkpoint_gateway -> nat from public ip on host_b to private ip on host_b -> s2s ipsec tunnel -> private ip on host_b

The tunnel works fine for normal traffic flow over the tunnel and all the security domains are defined properly. There are rules in the policy that the traffic should hit to go over the tunnel. When I try to create a nat rule to change the public ip to the private ip of host_b the traffic is allowed and I see the translation but It doesnt get encrypted. Its also skipping my tunnel rule and hitting my default outbound rule at the bottom. What am I missing in my nat rule to get this traffic flow working?

Re: Nat rule over tunnel/community

PhoneBoy — Wed, 10 Apr 2019 21:00:40 GMT

Is the Public IP included in your encryption domain for the remote site?

Re: Nat rule over tunnel/community

Maarten_Sjouw — Wed, 10 Apr 2019 21:52:17 GMT

You need to make sure that the Public ip host_b and translated IP for Host_b is part of the remote VPN domain.
NAT finds place as one of the last parts in the outbound chain and this traffic should already be seen as traffic to send to the other side of the tunnel before that NAT takes place.

Re: Nat rule over tunnel/community

PIAndre — Thu, 11 Apr 2019 18:31:38 GMT

I just tested with one host behind the gateway. So the nat rule looks like this:

original source - test_host

original destination - public ip on host_b

original services - any

translated source - original

translated destination - private ip on host_b

translated services - original

install on - checkpoint_gateway

I see the traffic getting encrypted but the nat isnt getting applied. Anything else im missing?

Re: Nat rule over tunnel/community

PhoneBoy — Thu, 11 Apr 2019 21:25:46 GMT

There's an option to disable NAT in the VPN Community--see if that's set.

Re: Nat rule over tunnel/community

PIAndre — Thu, 11 Apr 2019 22:37:42 GMT

That did it. Had that box checked and unchecked it. Thanks.

Re: Nat rule over tunnel/community

Anjan — Thu, 10 Jul 2025 08:16:22 GMT

has the issue resolved after doing this changes?

Re: Nat rule over tunnel/community

_Val_ — Thu, 10 Jul 2025 11:58:08 GMT

Yes, as it clearly indicated by the Solution marked on the recommendation.