https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-connection-with-Destination-NAT-not-working/m-p/21813#M95718 <HTML><HEAD></HEAD><BODY><P>Hi,&nbsp; I checked with support and Domain based VPN does not work when the encryption domains overlap.</P></BODY></HTML> Wed, 06 Jun 2018 11:33:52 GMT Michael_Horne 2018-06-06T11:33:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-connection-with-Destination-NAT-not-working/m-p/21808#M95713 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I am having trouble getting a destination NAT working for a VPN connection working.&nbsp; I am sure it is a simple issue, but I have been banging my head against the wall with it for a couple of days.</P><P></P><P>I have a domain based VPN for a site to site VPN. The VPN doman is configured and working as I can bring up the VPN for some other connections that are not using destination NAT. The Interoperable Device is configure with a VPN Domain that includes the "real" and "NAT IP":</P><P></P><P>Remote &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Local<BR />192.168.2.10/32 10.0.0.0/8<BR />10.191.34.10/32 10.0.0.0/8</P><P></P><P>The Access Policy is configure for testing to match from a host HTTP traffic with the VPN configured:</P><P><IMG alt="" class="image-1 jive-image j-img-original" src="https://community.checkpoint.com/legacyfs/online/checkpoint/65388_Policy.PNG" /></P><P>The NAT Policy is configured for a destination NAT from NAT_Server (192.168.2.10) to the H_Server (10.191.34.10)</P><P><IMG alt="" class="image-2 jive-image j-img-original" src="https://community.checkpoint.com/legacyfs/online/checkpoint/65389_NAT.PNG" /></P><P>My understanding is that this should map the NAT_Server (192.168.2.10) to the H_Server (10.191.34.10).&nbsp; This does appear to work as I see with "fw monitor" the traffic arriving on the firewall on the expected eth1 and trying to leave on the expected eth3:</P><P></P><P><IMG alt="" class="image-3 jive-image j-img-original" src="https://community.checkpoint.com/legacyfs/online/checkpoint/65390_Monitor.PNG" /></P><P>The problem is that the packet stops on the outbound chain "o".&nbsp; In the log files I see the message about encryption failure: Different community ID, possible NAT problem (VPN Error code 01)</P><P></P><P><IMG alt="" class="image-4 jive-image j-img-original" src="https://community.checkpoint.com/legacyfs/online/checkpoint/65392_Log.PNG" /></P><P>If someone is able to guide me in the right direction to solve this, it would be much appreciated.</P><P></P><P>Many thanks,</P></BODY></HTML> Mon, 07 May 2018 10:20:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-connection-with-Destination-NAT-not-working/m-p/21808#M95713 Michael_Horne 2018-05-07T10:20:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-connection-with-Destination-NAT-not-working/m-p/21809#M95714 <HTML><HEAD></HEAD><BODY><P>Looks like the issue from <EM><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk25867&amp;partition=Advanced&amp;product=IPSec">sk25867 "Different community ID, possible NAT problem (VPN Error code 02)" error on packet drop</A></EM></P><P></P><P>There is also <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk108600&amp;partition=Advanced&amp;product=IPSec"><EM>sk108600 VPN Site-to-Site with 3rd party</EM></A>&nbsp; that may help...</P></BODY></HTML> Mon, 07 May 2018 12:22:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-connection-with-Destination-NAT-not-working/m-p/21809#M95714 G_W_Albrecht 2018-05-07T12:22:21Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-connection-with-Destination-NAT-not-working/m-p/21810#M95715 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I have been through many SKs, recently, but I will check them out.&nbsp; I believe I have not looked at sk108600 yet.</P></BODY></HTML> Mon, 07 May 2018 12:30:22 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-connection-with-Destination-NAT-not-working/m-p/21810#M95715 Michael_Horne 2018-05-07T12:30:22Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-connection-with-Destination-NAT-not-working/m-p/21811#M95716 <HTML><HEAD></HEAD><BODY><P>sk108600 is very helpfull for VPN with 3rd Party GWs.</P></BODY></HTML> Mon, 07 May 2018 12:47:43 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-connection-with-Destination-NAT-not-working/m-p/21811#M95716 G_W_Albrecht 2018-05-07T12:47:43Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-connection-with-Destination-NAT-not-working/m-p/21812#M95717 <HTML><HEAD></HEAD><BODY><P>Were you able to resolve the issue yet ?</P></BODY></HTML> Wed, 06 Jun 2018 10:54:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-connection-with-Destination-NAT-not-working/m-p/21812#M95717 G_W_Albrecht 2018-06-06T10:54:27Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-connection-with-Destination-NAT-not-working/m-p/21813#M95718 <HTML><HEAD></HEAD><BODY><P>Hi,&nbsp; I checked with support and Domain based VPN does not work when the encryption domains overlap.</P></BODY></HTML> Wed, 06 Jun 2018 11:33:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-connection-with-Destination-NAT-not-working/m-p/21813#M95718 Michael_Horne 2018-06-06T11:33:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-connection-with-Destination-NAT-not-working/m-p/21814#M95719 <HTML><HEAD></HEAD><BODY><P>That is certainly true <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P></BODY></HTML> Wed, 06 Jun 2018 12:10:33 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-connection-with-Destination-NAT-not-working/m-p/21814#M95719 G_W_Albrecht 2018-06-06T12:10:33Z