https://community.checkpoint.com/t5/Firewall-and-Security-Management/NAT-on-gateway-itself-for-IKE-traffic/m-p/238917#M46342 <P>Hi,</P><P>We have a new service provider that we're connected to and their GW is 172.16.0.1/29, on their end they forward all the public network traffic (/28) to the Checkpoint VIP(172.16.0.2/29) and we perform all NAT on our end.</P><P>We have hide behind NAT configured on our network objects and that's all working great but the IKE traffic is generated by the gateway itself so it's not getting NAT translation so the provider sees the VIP address and can't route it.</P><P>Is there a way to NAT the Gateway itself so IKE appears as a NAT address instead of the 172.16.0.2/29 private interface VIP?</P><P>Any thoughts how this can be accomplished?</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 17 Jan 2025 13:51:37 GMT asaivephac 2025-01-17T13:51:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/NAT-on-gateway-itself-for-IKE-traffic/m-p/238917#M46342 <P>Hi,</P><P>We have a new service provider that we're connected to and their GW is 172.16.0.1/29, on their end they forward all the public network traffic (/28) to the Checkpoint VIP(172.16.0.2/29) and we perform all NAT on our end.</P><P>We have hide behind NAT configured on our network objects and that's all working great but the IKE traffic is generated by the gateway itself so it's not getting NAT translation so the provider sees the VIP address and can't route it.</P><P>Is there a way to NAT the Gateway itself so IKE appears as a NAT address instead of the 172.16.0.2/29 private interface VIP?</P><P>Any thoughts how this can be accomplished?</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 17 Jan 2025 13:51:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/NAT-on-gateway-itself-for-IKE-traffic/m-p/238917#M46342 asaivephac 2025-01-17T13:51:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/NAT-on-gateway-itself-for-IKE-traffic/m-p/238924#M46344 <P>Which device has a public IP-address?</P><P>NAT-T should take care of IKE with NAT.</P> Fri, 17 Jan 2025 14:33:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/NAT-on-gateway-itself-for-IKE-traffic/m-p/238924#M46344 AlekzNet 2025-01-17T14:33:47Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/NAT-on-gateway-itself-for-IKE-traffic/m-p/238925#M46345 <P>The provider FW has public IP-address and has a rule to forward everything to our VIP and we manage our own NAT translation.</P><P>If I were to put a manual NAT-t entry for (CP VIP) 172.16.10.2 &gt; NAT, would the ipsec tunnel use the nat address? I'm not sure if Nat-T is before or after VPN.</P> Fri, 17 Jan 2025 14:46:43 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/NAT-on-gateway-itself-for-IKE-traffic/m-p/238925#M46345 asaivephac 2025-01-17T14:46:43Z