https://community.checkpoint.com/t5/SASE-and-Remote-Access/SASE-connection-NATed/m-p/246276#M1133 <P>Hello everyone!</P><P>In the scenario where we have SASE using the Wireguard connector, we have observed that the connection IP for accessing applications is not from the SASE client but from the connect, that is, the connection is NATed. The question is, how can we make the user connection arrive with the connection IP in the application? Reason: in this scenario, security control in the applications is done by connection IP.</P><P>Below is the current scenario.</P><P>SASE client network: 10.17.4.0/22<BR />On-premise client network: 10.0.250.0/23, 172.16.0.0/12 and 192.168.0.0/16</P><P>In the scenario where I use the IPSec VPN connector, would it be possible to meet this requirement?</P><P>&nbsp;</P><P>Thank you!</P> Fri, 11 Apr 2025 18:49:43 GMT eltonsimoes 2025-04-11T18:49:43Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/SASE-connection-NATed/m-p/246276#M1133 <P>Hello everyone!</P><P>In the scenario where we have SASE using the Wireguard connector, we have observed that the connection IP for accessing applications is not from the SASE client but from the connect, that is, the connection is NATed. The question is, how can we make the user connection arrive with the connection IP in the application? Reason: in this scenario, security control in the applications is done by connection IP.</P><P>Below is the current scenario.</P><P>SASE client network: 10.17.4.0/22<BR />On-premise client network: 10.0.250.0/23, 172.16.0.0/12 and 192.168.0.0/16</P><P>In the scenario where I use the IPSec VPN connector, would it be possible to meet this requirement?</P><P>&nbsp;</P><P>Thank you!</P> Fri, 11 Apr 2025 18:49:43 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/SASE-connection-NATed/m-p/246276#M1133 eltonsimoes 2025-04-11T18:49:43Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/SASE-connection-NATed/m-p/246432#M1134 <P>I believe this is expected behavior when using the Wireguard connector.<BR />IPsec should work better in this regard.</P> Mon, 14 Apr 2025 17:50:08 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/SASE-connection-NATed/m-p/246432#M1134 PhoneBoy 2025-04-14T17:50:08Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/SASE-connection-NATed/m-p/246450#M1135 <P>Yep, as phoneboy said, you're seeing the expected result.&nbsp; We tried that method and found it to be untenable, so we just added ipsec tunnels to all on-prem gateway and now the actual client IP is exposed to the onprem app.&nbsp; hth</P> Mon, 14 Apr 2025 19:38:30 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/SASE-connection-NATed/m-p/246450#M1135 D_TK 2025-04-14T19:38:30Z