https://community.checkpoint.com/t5/General-Topics/AWS-VPN-use-Checkpoint-like-a-Gateway-to-internet/m-p/130230#M23700 <P>FYI, "Take 294" isn't a valid JHF level, I believe you can get that from cpinfo -y.</P> <P>Obviously, the VPN is working, so you don't need NAT rules specifically for that.<BR />But clearly the traffic is not getting to the Internet and NAT is the likely issue.<BR />Have you done a tcpdump on the Internet-facing interface to see if the traffic is actually being translated?</P> <P>What are the precise NAT rules you have configured?<BR />I presume one of them is a HIDE NAT rule where you are hiding behind the gateway/cluster.<BR />What is the precise IP address of that object?<BR />If it's a private IP address (versus the elastic IP), that's probably why it's not working.&nbsp;</P> Fri, 24 Sep 2021 22:45:47 GMT PhoneBoy 2021-09-24T22:45:47Z https://community.checkpoint.com/t5/General-Topics/AWS-VPN-use-Checkpoint-like-a-Gateway-to-internet/m-p/129871#M23650 <DIV class="lmt__inner_textarea_container">Hello everyone,</DIV><DIV class="lmt__inner_textarea_container">&nbsp;</DIV><DIV class="lmt__inner_textarea_container">I have a VPN Site to Site tunnel between AWS and CKP, the tunnel works correctly with traffic between both subnets, the problem comes when trying to get the AWS machines to go out to the internet through CKP, I can't ping 8.8.8.8.8 for example, the trace stays on the private IP of the point to point adapter (169.254.72.110).</DIV><DIV class="lmt__inner_textarea_container">&nbsp;</DIV><DIV class="lmt__inner_textarea_container">I have made the configurations as indicated in the guide, it is a static route VPN, in AWS I indicate that everything (0.0.0.0/0) goes through the virtual gateway of the VPN, as I indicate the tunnel works correctly since it does not have falls and in the case of internal traffic there is no problem.</DIV><DIV class="lmt__inner_textarea_container">&nbsp;</DIV><DIV class="lmt__inner_textarea_container">Does anyone know where the error could be?</DIV> Tue, 21 Sep 2021 16:39:14 GMT https://community.checkpoint.com/t5/General-Topics/AWS-VPN-use-Checkpoint-like-a-Gateway-to-internet/m-p/129871#M23650 jasr_eiffage 2021-09-21T16:39:14Z https://community.checkpoint.com/t5/General-Topics/AWS-VPN-use-Checkpoint-like-a-Gateway-to-internet/m-p/130104#M23673 <P>Which precise guide did you follow?<BR />What precise version/JHF?<BR />Did you create any NAT rules for the Internet-bound traffic?<BR />I'm pretty sure you need to do this.&nbsp;</P> Thu, 23 Sep 2021 19:50:27 GMT https://community.checkpoint.com/t5/General-Topics/AWS-VPN-use-Checkpoint-like-a-Gateway-to-internet/m-p/130104#M23673 PhoneBoy 2021-09-23T19:50:27Z https://community.checkpoint.com/t5/General-Topics/AWS-VPN-use-Checkpoint-like-a-Gateway-to-internet/m-p/130154#M23678 <P>Hi,</P><P>&nbsp;</P><P>This guide:&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk100726" target="_blank">How to configure IPsec VPN tunnel between Check Point Security Gateway and Amazon Web Services VPC using static routes</A></P><P>Actually: R80.40 take 294</P><P>The NAT rules I have are the normal outgoing rules to the internet of the rest of the networks that pass through the CKP, would it be necessary to make a specific rule for the VPN?</P> Fri, 24 Sep 2021 10:46:40 GMT https://community.checkpoint.com/t5/General-Topics/AWS-VPN-use-Checkpoint-like-a-Gateway-to-internet/m-p/130154#M23678 jasr_eiffage 2021-09-24T10:46:40Z https://community.checkpoint.com/t5/General-Topics/AWS-VPN-use-Checkpoint-like-a-Gateway-to-internet/m-p/130230#M23700 <P>FYI, "Take 294" isn't a valid JHF level, I believe you can get that from cpinfo -y.</P> <P>Obviously, the VPN is working, so you don't need NAT rules specifically for that.<BR />But clearly the traffic is not getting to the Internet and NAT is the likely issue.<BR />Have you done a tcpdump on the Internet-facing interface to see if the traffic is actually being translated?</P> <P>What are the precise NAT rules you have configured?<BR />I presume one of them is a HIDE NAT rule where you are hiding behind the gateway/cluster.<BR />What is the precise IP address of that object?<BR />If it's a private IP address (versus the elastic IP), that's probably why it's not working.&nbsp;</P> Fri, 24 Sep 2021 22:45:47 GMT https://community.checkpoint.com/t5/General-Topics/AWS-VPN-use-Checkpoint-like-a-Gateway-to-internet/m-p/130230#M23700 PhoneBoy 2021-09-24T22:45:47Z