https://community.checkpoint.com/t5/Firewall-and-Security-Management/access-to-azure-web-server-via-office-CP-and-s2s-VPN/m-p/240999#M46744 <P>Hi,</P><P>customer has a S2S VPN from the office Check Point to Azure.</P><P>They are able access all their servers hosted in Azure via the VPN.</P><P>Now they want to access an Azure web server from the Internet but via the office CP.&nbsp;</P><P>&nbsp;</P><P>I have implemented the following:</P><P>1. Added a rule allowing Internet access to the web server public IP (https)</P><P>2. Added a source and destination NAT rule&nbsp;</P><P>&nbsp; &nbsp; where&nbsp;</P><P>&nbsp; &nbsp; original source - Internet</P><P>&nbsp; &nbsp; original destination - 196.x.x.x</P><P>&nbsp; &nbsp; translated source - 172.30.x.x&nbsp; (internal IP)</P><P>&nbsp; &nbsp; translated destination - 192.168.x.x&nbsp;</P><P>3. Added the public IP to the Azure VPN domain</P><P>4. Internal IP included the CP gateway VPN domain</P><P>5. Changed VPN routing to "To center or through the center&nbsp; to other satellites, to Internet and other VPN targets"</P><P>&nbsp;</P><P>Logs show the traffic being "Encrypted in the community" and the relevant NAT rule applied.</P><P>However we can't access the web site.</P><P>tcpdump and fw monitor do not capture anything for the translated source or translated destination IPs.&nbsp;</P><P>&nbsp;</P><P>I suspect that the traffic does not traverse the VPN, maybe because not being translated?</P><P>fw monitor does show this for my IP, from what I understand the NAT should have taken place before the "Post-Outbound VM"</P><P>[vs_0][ppak_0] eth1:Oe[44]: 41.160.x.x -&gt; 196.x.x.x (TCP) len=52 id=51573<BR />TCP: 56844 -&gt; 80 .S.... seq=106564e8 ack=0000000</P><P>Am I missing any configs?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp; &nbsp;&nbsp;</P><P>&nbsp;</P> Wed, 12 Feb 2025 09:02:11 GMT Mark_Edwards 2025-02-12T09:02:11Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/access-to-azure-web-server-via-office-CP-and-s2s-VPN/m-p/240999#M46744 <P>Hi,</P><P>customer has a S2S VPN from the office Check Point to Azure.</P><P>They are able access all their servers hosted in Azure via the VPN.</P><P>Now they want to access an Azure web server from the Internet but via the office CP.&nbsp;</P><P>&nbsp;</P><P>I have implemented the following:</P><P>1. Added a rule allowing Internet access to the web server public IP (https)</P><P>2. Added a source and destination NAT rule&nbsp;</P><P>&nbsp; &nbsp; where&nbsp;</P><P>&nbsp; &nbsp; original source - Internet</P><P>&nbsp; &nbsp; original destination - 196.x.x.x</P><P>&nbsp; &nbsp; translated source - 172.30.x.x&nbsp; (internal IP)</P><P>&nbsp; &nbsp; translated destination - 192.168.x.x&nbsp;</P><P>3. Added the public IP to the Azure VPN domain</P><P>4. Internal IP included the CP gateway VPN domain</P><P>5. Changed VPN routing to "To center or through the center&nbsp; to other satellites, to Internet and other VPN targets"</P><P>&nbsp;</P><P>Logs show the traffic being "Encrypted in the community" and the relevant NAT rule applied.</P><P>However we can't access the web site.</P><P>tcpdump and fw monitor do not capture anything for the translated source or translated destination IPs.&nbsp;</P><P>&nbsp;</P><P>I suspect that the traffic does not traverse the VPN, maybe because not being translated?</P><P>fw monitor does show this for my IP, from what I understand the NAT should have taken place before the "Post-Outbound VM"</P><P>[vs_0][ppak_0] eth1:Oe[44]: 41.160.x.x -&gt; 196.x.x.x (TCP) len=52 id=51573<BR />TCP: 56844 -&gt; 80 .S.... seq=106564e8 ack=0000000</P><P>Am I missing any configs?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp; &nbsp;&nbsp;</P><P>&nbsp;</P> Wed, 12 Feb 2025 09:02:11 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/access-to-azure-web-server-via-office-CP-and-s2s-VPN/m-p/240999#M46744 Mark_Edwards 2025-02-12T09:02:11Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/access-to-azure-web-server-via-office-CP-and-s2s-VPN/m-p/241252#M46800 <P>Why route traffic for a cloud-hosted resource through an on-premise gateway?</P> <P>Only traffic that originates from the encryption domain BEFORE NAT will be encrypted.<BR />The only way I could see this working is with a route-based VPN where your local encryption domain is NULL.<BR />If you're using a Domain-Based VPN, this is not likely to ever work.&nbsp;</P> Fri, 14 Feb 2025 21:55:15 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/access-to-azure-web-server-via-office-CP-and-s2s-VPN/m-p/241252#M46800 PhoneBoy 2025-02-14T21:55:15Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/access-to-azure-web-server-via-office-CP-and-s2s-VPN/m-p/241926#M46988 <P>Hi,</P><P>They don't have any security in Azure apart from security groups.</P><P>We managed to get it working by adding the on-premise public IP to the Azure encryption domain, unchecking disable NAT in the VPN community and adding manual NAT rules.</P> Fri, 21 Feb 2025 11:10:08 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/access-to-azure-web-server-via-office-CP-and-s2s-VPN/m-p/241926#M46988 Mark_Edwards 2025-02-21T11:10:08Z