https://community.checkpoint.com/t5/General-Topics/Best-practive-NAT-T-Device-behind-Check-Point-Appliance/m-p/18258#M3262 <HTML><HEAD></HEAD><BODY><P>Hello,&nbsp;</P><P>sorry for my late answer.</P><P>The problem has been solved ... it was not an Check Point issue, it was a misconfiguration of a third party VPN appliance ...&nbsp;<BR />but the IT company of this third party devices insisted until the very last minute that everything is ok on their end. <BR />(they used IPsec in aggressive mode + psk instead of NAT-T with certificates)&nbsp;<BR />At the end it was the Check Point appliance worked like a charm.</P><P></P><P>best regards<BR />Thomas.</P></BODY></HTML> Mon, 18 Feb 2019 14:46:07 GMT Thomas_Eichelbu 2019-02-18T14:46:07Z https://community.checkpoint.com/t5/General-Topics/Best-practive-NAT-T-Device-behind-Check-Point-Appliance/m-p/18256#M3260 <HTML><HEAD></HEAD><BODY><P>Hello Checkmates, </P><P>maybe an eays question:</P><P></P><P>I&nbsp;have a customer with several&nbsp;Check Point 5200 on R80.10 Take 121.<BR />in generall an easy standard setup.</P><P><BR />but for remote access of some industrial systems the customer has several other Check Point appliance places behind the the firewalls on&nbsp; the nternal networks.</P><P></P><P>then we discoverd that initiating an IPsec Tunnel (NAT-T)&nbsp;from inside to the external peer was not succesfull.<BR />we did a NAT using the Main IP of the firewall object. ... <BR />could this be a problem?<BR />is it better to have ONE different NAT IP for all internal VPN appliances</P><P>or</P><P>should i use ONE dedicated&nbsp;IP for each VPN appliance?</P><P></P><P>i did the made a dediacated&nbsp;Hide NAT Rule for every single VPN appliance ... now iam waiting for results from the customer ...</P><P></P><P>in tcpdup i saw:</P><P></P><P></P><P>09:11:48.069849 IP 10.2.125.14.4500 &gt; X:X:X.57.4500: isakmp-nat-keep-alive<BR />09:11:48.070074 IP 10.2.125.14.4500 &gt; X:X:X.57.4500: isakmp-nat-keep-alive<BR />09:11:52.075466 IP 10.2.125.14.4500 &gt; X:X:X.57.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]<BR />09:11:52.866336 IP 10.2.125.14.123 &gt; X.X.X.76.123: NTPv3, Client, length 48<BR />09:11:56.956663 IP 10.2.125.14.4500 &gt; X:X:X.57.4500: UDP-encap: ESP(spi=0xcf615dfa,seq=0xac), length 148<BR />09:12:08.086248 IP 10.2.125.14.4500 &gt; X:X:X.57.4500: isakmp-nat-keep-alive<BR />09:12:08.086481 IP 10.2.125.14.4500 &gt; X:X:X.57.4500: isakmp-nat-keep-alive</P><P></P><P>in SmartLog&nbsp; i see a log IKE packets, sometimes some IKE_NAT_TRAVERAL.<BR /><BR />so what would u suggest:<BR />NAT with ONE outoging public IP for all appliances<BR />ONE public NAT&nbsp;IP for each VPN appliance ...<BR /><BR />so still the customer didnt told me if it works ... we will see.</P><P></P><P>best regards<BR />Thomas.</P></BODY></HTML> Wed, 19 Dec 2018 15:42:22 GMT https://community.checkpoint.com/t5/General-Topics/Best-practive-NAT-T-Device-behind-Check-Point-Appliance/m-p/18256#M3260 Thomas_Eichelbu 2018-12-19T15:42:22Z https://community.checkpoint.com/t5/General-Topics/Best-practive-NAT-T-Device-behind-Check-Point-Appliance/m-p/18257#M3261 <HTML><HEAD></HEAD><BODY><P>The whole purpose of NAT traversal is to work with HIDE NAT, so this should not be required.</P><P>What is performing the VPN in this case? (both endpoints)</P></BODY></HTML> Wed, 19 Dec 2018 19:40:40 GMT https://community.checkpoint.com/t5/General-Topics/Best-practive-NAT-T-Device-behind-Check-Point-Appliance/m-p/18257#M3261 PhoneBoy 2018-12-19T19:40:40Z https://community.checkpoint.com/t5/General-Topics/Best-practive-NAT-T-Device-behind-Check-Point-Appliance/m-p/18258#M3262 <HTML><HEAD></HEAD><BODY><P>Hello,&nbsp;</P><P>sorry for my late answer.</P><P>The problem has been solved ... it was not an Check Point issue, it was a misconfiguration of a third party VPN appliance ...&nbsp;<BR />but the IT company of this third party devices insisted until the very last minute that everything is ok on their end. <BR />(they used IPsec in aggressive mode + psk instead of NAT-T with certificates)&nbsp;<BR />At the end it was the Check Point appliance worked like a charm.</P><P></P><P>best regards<BR />Thomas.</P></BODY></HTML> Mon, 18 Feb 2019 14:46:07 GMT https://community.checkpoint.com/t5/General-Topics/Best-practive-NAT-T-Device-behind-Check-Point-Appliance/m-p/18258#M3262 Thomas_Eichelbu 2019-02-18T14:46:07Z