https://community.checkpoint.com/t5/General-Topics/Disable-NAT-T-for-a-single-Site-to-Site-VPN/m-p/210495#M34852 <P>Drop UDP 4500 from the other peer IP. Only allow ESP and ike500.</P> <P>NAT-t is most of the time started by the other side. In older versions Check Point only accepts and do not send.</P> <P>Newer version depends on config (is global setting)</P> <P>You can only as far as I know disable it on global level.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 04 Apr 2024 20:35:12 GMT Lesley 2024-04-04T20:35:12Z https://community.checkpoint.com/t5/General-Topics/Disable-NAT-T-for-a-single-Site-to-Site-VPN/m-p/210483#M34846 <P>Hello, I need to disable NAT-T for a single S2S VPN, because if I disable it on the gateway object, the mobile blade does not work and remote users are affected. That means:</P><P>NAT-T enabled: Remote Users OK. - S2S VPN fails.</P><P>NAT-T disabled: Remote Users fail. - S2S VPN OK.</P><P>The VPN community settings does not allow to disable it for that particular community.</P><P>Is there something I'm missing? Thanks for the help.</P> Thu, 04 Apr 2024 19:19:44 GMT https://community.checkpoint.com/t5/General-Topics/Disable-NAT-T-for-a-single-Site-to-Site-VPN/m-p/210483#M34846 hcampuzano 2024-04-04T19:19:44Z https://community.checkpoint.com/t5/General-Topics/Disable-NAT-T-for-a-single-Site-to-Site-VPN/m-p/210495#M34852 <P>Drop UDP 4500 from the other peer IP. Only allow ESP and ike500.</P> <P>NAT-t is most of the time started by the other side. In older versions Check Point only accepts and do not send.</P> <P>Newer version depends on config (is global setting)</P> <P>You can only as far as I know disable it on global level.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 04 Apr 2024 20:35:12 GMT https://community.checkpoint.com/t5/General-Topics/Disable-NAT-T-for-a-single-Site-to-Site-VPN/m-p/210495#M34852 Lesley 2024-04-04T20:35:12Z https://community.checkpoint.com/t5/General-Topics/Disable-NAT-T-for-a-single-Site-to-Site-VPN/m-p/210501#M34855 <P>You can't modify how NAT-T behaves at the VPN Community level, but you can do it at the object level and all this would apply for your gateways, externally managed gateways, and interoperable devices.&nbsp; So what you could try is modifying these GUIdbedit properties on the object representing the peer gateway on the other side of the tunnel, or you may be able to adjust these on your own gateway object without breaking RAS VPN, the last one in the list in particular.&nbsp; &nbsp;The default values for R81.20 are shown:</P> <UL> <LI><STRONG>force_nat_t</STRONG>&nbsp;&nbsp;boolean&nbsp; false&nbsp; "force the GW to use NAT traversal (port 4500)"</LI> <LI><STRONG>ike_support_nat_t</STRONG>&nbsp; boolean&nbsp; true "Support NAT Traversal (port 4500)"</LI> <LI><STRONG>offer_nat_t_initiator</STRONG>&nbsp; &nbsp;boolean&nbsp; false&nbsp; "Send NAT-T VID (for Initiator GW)</LI> <LI><STRONG>offer_nat_t_responder_for_known_gw</STRONG>&nbsp; &nbsp;boolean&nbsp; true&nbsp; "Accept NAT_T connections from known GWs and send NAT-T vendor id (for Responder GW)"</LI> </UL> Thu, 04 Apr 2024 21:17:30 GMT https://community.checkpoint.com/t5/General-Topics/Disable-NAT-T-for-a-single-Site-to-Site-VPN/m-p/210501#M34855 Timothy_Hall 2024-04-04T21:17:30Z https://community.checkpoint.com/t5/General-Topics/Disable-NAT-T-for-a-single-Site-to-Site-VPN/m-p/211366#M35059 <P>I think is allowed by implicit rules... if so, fw accel dos rule is needed, or also a fake nat rule it should work</P> Tue, 16 Apr 2024 08:38:01 GMT https://community.checkpoint.com/t5/General-Topics/Disable-NAT-T-for-a-single-Site-to-Site-VPN/m-p/211366#M35059 CheckPointerXL 2024-04-16T08:38:01Z