topic Re: NAT in a VPN tunnel in General Topics

NAT in a VPN tunnel

Romaryo — Sun, 16 Nov 2025 16:40:56 GMT

Hi everyone,

I have a question about NAT in a VPN tunnel. So far I don’t have any experience with this in a Check Point environment.

Current situation: There is already an existing VPN tunnel, and we want to make a server on our side available to the remote side, but have it hidden behind a different IP address using NAT.

How should the NAT rule be configured in Check Point for this? And what happens first: the decryption of the VPN traffic or the NAT processing?

Remote Server -> Remote GW — VPN Tunnel—> CP GW -> local Server

NAT Rule:

Thanks in advance!

best regards,

Roman

Re: NAT in a VPN tunnel

the_rock — Sun, 16 Nov 2025 17:02:13 GMT

Hey Roman,

Technically, decryption will happen first, then NAT, Make sure to enable nat inside vpn community if its needed. Rule itself may look like below:

Original packet:

Src: Remote network (or “Any” if you prefer)
Dst: NAT IP (the external-looking IP you want the remote side to hit)
Port: 443 (or any port)

Translated:

Translated Source: Original
Translated Destination: Real internal server IP
Translated Service: original (or mapped to 443 if different)

Example:

Original Src	Original Dst	Service	Xlated Src	Xlated Dst	Xlated Svc
Remote LAN	10.10.10.10 (NAT IP)	443	Original	192.168.50.20 (Real server)	443

Re: NAT in a VPN tunnel

Romaryo — Sun, 16 Nov 2025 18:22:33 GMT

Hi Andy!

Thank you for the very detailed reply! I’ll try to set it up and test it tomorrow.

best regards,

Roman

Re: NAT in a VPN tunnel

the_rock — Sun, 16 Nov 2025 18:37:10 GMT

Great! Message me directly if you are allowed to do remote, we can use zoom, I use my free account for that, since teams has lots of restrictions these days.

Re: NAT in a VPN tunnel

Romaryo — Tue, 18 Nov 2025 07:07:50 GMT

Hi Andy! Ok, thanks for your offer! We have a technical meeting with the application developers today – they need to explain to us in detail the technical requirements and what exactly they need from the tunnel. I’ll get back to you 🙂

best regards,

Roman

Re: NAT in a VPN tunnel

the_rock — Tue, 18 Nov 2025 11:27:20 GMT

Sounds good.

Re: NAT in a VPN tunnel

Lesley — Tue, 18 Nov 2025 20:48:06 GMT

Extra tip for encryption domains, make sure you add real ip and nat ip that is assigned to your network in your local encryption domain. Add remote NAT ip range to remote peer encryption domain. (depends if remote peer also is natting)

what the the_rock states is true, other way around is first NAT then encryption (from local to remote peer)

Re: NAT in a VPN tunnel

the_rock — Tue, 18 Nov 2025 22:04:33 GMT

Yes sir! Definitely always a good idea to add natted IP in vpn domain as well.

Re: NAT in a VPN tunnel

the_rock — Wed, 19 Nov 2025 02:02:55 GMT

In case debug is needed, below is easiest:

vpn debug trunc

vpn debug ikeon

-generate traffic

vpn debug ikeoff

Look for iked* and vpnd* files in $FWDIR/log dir

Re: NAT in a VPN tunnel

Romaryo — Wed, 19 Nov 2025 05:37:43 GMT

Hi @Lesley Ok, this is roughly how I imagined it. I’m waiting for confirmation from the DevOps team and then I will test it. Many thanks for your tip.

best regards,

Roman

Re: NAT in a VPN tunnel

Romaryo — Wed, 14 Jan 2026 09:27:48 GMT

Hi!
Thank you very much for your support!
Our application developers have finally tested the tunnel.
Everything worked well, and I learned something new.
Thanks!

Re: NAT in a VPN tunnel

the_rock — Wed, 14 Jan 2026 12:02:20 GMT

Glad you got it working.