https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-with-NATed-IP-Address/m-p/92462#M10079 <P>Hello Everyone,</P><P>I have a requirement to configure Remote Access VPN on a client’s firewall. Below is the setup details:</P><UL><LI>Gaia R80.40 ClusterXL Gateways</LI><LI>Gaia R80.40 Security Management Server</LI><LI>Firewall is behind the internet router and internet link is terminated on the internet router.</LI><LI>Checkpoint cluster and the internet router are connected through a private network. (I.e. cluster’s external interface has private IP addresses configured on it 10.10.10.x-VIP, 10.10.10.y-FW1 Physical-IP and 10.10.10.z-FW2 Physical&nbsp; IP).</LI><LI>There are multiple servers hosted behind this firewall cluster which are NATed on the firewall with public IP addresses. All these servers work properly.</LI><LI>All the users who access the internet, are NATed behind the firewall (hide NAT with public IP addresses). This access works properly as well.</LI></UL><P>Now my client needs to enable remote access VPN on this firewall.</P><P>My query is:</P><UL><LI>Where should the Public IP be NATed on which VPN connection will be established?</LI><LI>Will it work if I statically NAT my external virtual IP address with the VPN public IP address, on the Firewall Cluster itself?</LI><LI>Or it must be NATed on the internet router only?</LI></UL><P>Thank you.</P> Sat, 25 Jul 2020 22:42:11 GMT Abhas_Vijayvarg 2020-07-25T22:42:11Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-with-NATed-IP-Address/m-p/92462#M10079 <P>Hello Everyone,</P><P>I have a requirement to configure Remote Access VPN on a client’s firewall. Below is the setup details:</P><UL><LI>Gaia R80.40 ClusterXL Gateways</LI><LI>Gaia R80.40 Security Management Server</LI><LI>Firewall is behind the internet router and internet link is terminated on the internet router.</LI><LI>Checkpoint cluster and the internet router are connected through a private network. (I.e. cluster’s external interface has private IP addresses configured on it 10.10.10.x-VIP, 10.10.10.y-FW1 Physical-IP and 10.10.10.z-FW2 Physical&nbsp; IP).</LI><LI>There are multiple servers hosted behind this firewall cluster which are NATed on the firewall with public IP addresses. All these servers work properly.</LI><LI>All the users who access the internet, are NATed behind the firewall (hide NAT with public IP addresses). This access works properly as well.</LI></UL><P>Now my client needs to enable remote access VPN on this firewall.</P><P>My query is:</P><UL><LI>Where should the Public IP be NATed on which VPN connection will be established?</LI><LI>Will it work if I statically NAT my external virtual IP address with the VPN public IP address, on the Firewall Cluster itself?</LI><LI>Or it must be NATed on the internet router only?</LI></UL><P>Thank you.</P> Sat, 25 Jul 2020 22:42:11 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-with-NATed-IP-Address/m-p/92462#M10079 Abhas_Vijayvarg 2020-07-25T22:42:11Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-with-NATed-IP-Address/m-p/92463#M10080 <P>Whatever NAT IP on the router routes to the VIP, you&nbsp;need to configure as the IP for Link Selection in the cluster object.<BR />That should allow VPN (either site-to-site or remote access) to work.</P> Sat, 25 Jul 2020 19:02:47 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-with-NATed-IP-Address/m-p/92463#M10080 PhoneBoy 2020-07-25T19:02:47Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-with-NATed-IP-Address/m-p/92466#M10081 <P>Hi Dameon,</P><P>Thank you for a quick response.</P><P>Is that the only way of achieving it? If NAT is not configurable on the router, can I do the NAT on the firewall cluster itself and achieve the same goal?</P><P>&nbsp;</P><P>Thanks.</P> Sat, 25 Jul 2020 22:41:03 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-with-NATed-IP-Address/m-p/92466#M10081 Abhas_Vijayvarg 2020-07-25T22:41:03Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-with-NATed-IP-Address/m-p/92667#M10082 <P>Connections will be initiated from the Internet to the gateway.<BR />Since the gateway has only a private IP, something upstream has to do NAT to ensure traffic is received by the gateway.<BR />If you can’t configure this, you might be able to reuse an existing public IP for this which is already routed through the gateway.<BR />Can’t say for sure that will work.</P> <P>Regardless, Link Selection is needed no matter what here since you’re not terminating the VPN on an interface IP.</P> Wed, 29 Jul 2020 00:06:43 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-with-NATed-IP-Address/m-p/92667#M10082 PhoneBoy 2020-07-29T00:06:43Z