topic Re: Cisco Router NAT translations in General Topics

Cisco Router NAT translations

SriNarasimha005 — Sun, 01 Feb 2026 17:37:55 GMT

Hi There,

We are in the process of replacing the Cisco router (R2) with a Check Point firewall and have attached the topology.

Since Smart move supports only ASA/FTD, I'd like to understand the VPN domain/NAT and need some help please😊

Below are the NAT translations on R2.

R2# ip nat inside source static 10.219.24.3 192.168.85.25

R2# ip nat outside source static 192.168.88.4 10.14.11.6

R2# ip route 10.14.11.6 255.255.255.255 192.168.1.1

ip access-list extended VPN_ACL
permit ip host 192.168.85.25 host 192.168.88.4

1. How should I configure the equivalent NAT in checkpoint?

Static NAT:

Each rule for Source

Original Source: 10.219.24.3
Original Destination: Any
Original Services: Any
Translated Source: 192.168.85.25
Translated Destination: original
Translated Services: original

Each rule for Destination

Original Source: Any
Original Destination: 192.168.88.4
Original Services: Any
Translated Source: original
Translated Destination: 10.14.11.6
Translated Services: original

Manual NAT:-

Original Source: 10.219.24.3
Original Destination: 192.168.88.4
Original Services: Any
Translated Source: 192.168.85.25
Translated Destination: 10.14.11.6
Translated Services: original

2. I believe the below one should be the encryption domain in CP. Is that correct?

Local Encryption Domain: 192.168.85.25/32
Remote Encryption Domain: 192.168.88.4/32

Re: Cisco Router NAT translations

the_rock — Sun, 01 Feb 2026 18:02:11 GMT

Thats what it would appear to be, yes. if natting is involved, those IPs would also need to be in vpn domain as well.

Re: Cisco Router NAT translations

SriNarasimha005 — Sun, 01 Feb 2026 18:10:44 GMT

Hi @the_rock

Thanks for your reply.

1. Can you please confirm on the NAT statements on how it should be? Is it a Static NAT for each and every statement or can it be combined into a Manual NAT?

2. I believe the Pre-NAT IP should be in the VPN domain. If I add NAT IP's also in the VPN domain, will it cause phase-2 to drop due to mismatch in the "Interesting ACL" between Cisco Router and CP?

Re: Cisco Router NAT translations

the_rock — Sun, 01 Feb 2026 18:13:30 GMT

1) You just create manual nat rule in nat policy -> exactly how you described it

2) yes, you add natted IPs as well, because technically, it would be part of vpn domain. I dont see an issue with mismatch, since those would be part of the vpn tunnel as well.

Re: Cisco Router NAT translations

the_rock — Mon, 02 Feb 2026 03:13:00 GMT

I assume this is domain based tunnel?

Re: Cisco Router NAT translations

SriNarasimha005 — Mon, 02 Feb 2026 11:57:25 GMT

Hi @the_rock

Yes, this is a domain-based tunnel as the peer device- Cisco router uses ACL under crypto map.

I'd like to get this clarified on the NAT again 😊

The below statements are configured on the R2 router. Since these are Interface based in Cisco routers, can you please let me know if the Manual NAT to be configured uni-directionally or it needs to be combined into a single NAT statement?

R2# ip nat inside source static 10.219.24.3 192.168.85.25

R2# ip nat outside source static 192.168.88.4 10.14.11.6

Re: Cisco Router NAT translations

the_rock — Mon, 02 Feb 2026 12:04:39 GMT

Just create 2 separate nat rules.

Re: Cisco Router NAT translations

Vincent_Bacher — Mon, 02 Feb 2026 12:06:23 GMT

On the Check Point side you need two NAT rules (one Source NAT, one Destination NAT) plus the corresponding Access Control (firewall) rules to allow the traffic.

Re: Cisco Router NAT translations

SriNarasimha005 — Mon, 02 Feb 2026 16:22:00 GMT

Hi @Vincent_Bacher and @the_rock

Thanks for your reply. Final one.

For the NAT'd IP, there is a route configured on the Cisco router towards the next-hop i.e R1. It automatically generates a host route for the translated address in the routing table, ensuring correct return routing from the inside network.

Since CP doesn't route back based on the source NAT IP, I believe this can be ignored. Is my understanding correct?

R2# ip route 10.14.11.6 255.255.255.255 <R1 Next-Hop>

Re: Cisco Router NAT translations

the_rock — Mon, 02 Feb 2026 16:44:35 GMT

Thats right.

Re: Cisco Router NAT translations

the_rock — Mon, 02 Feb 2026 17:03:41 GMT

@SriNarasimha005

Ping me if u need remote, happy to go over things.

Re: Cisco Router NAT translations

SriNarasimha005 — Mon, 02 Feb 2026 17:06:40 GMT

Sure, will do. Thanks a lot mate😊🙏

Re: Cisco Router NAT translations

the_rock — Mon, 02 Feb 2026 17:22:53 GMT

Im always happy to try and help, no issue. I wish I were a Superman to fix anything and everything, but not possible lol