https://community.checkpoint.com/t5/Spark-Firewall-SMB/Definition-of-remote-Gateway-behind-NAT/m-p/22997#M940 <HTML><HEAD></HEAD><BODY><P>My environment is like the SK 101469 but the 1430 is Centrally Managed...</P></BODY></HTML> Thu, 10 Jan 2019 09:20:29 GMT Luigi_Vezzoso1 2019-01-10T09:20:29Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Definition-of-remote-Gateway-behind-NAT/m-p/22994#M937 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>do you know how centrally managed the CP1430 behind a NAT router?&nbsp; I have nat-ed all the required ports from the Router Public IP to the Firewall. We have some isue on the VPN establishing (invalid ID Identifier).</P><P></P><P>How I should configure the gateway on the SMS?</P><P></P><P>172.16.0.1/24 -&gt; CheckpointGateway -&gt; 192.168.1.1/24 -&gt; Router -&gt;PublicIP ---&gt; CheckPointGateway ---&gt; SMS</P><P></P><P>I hope is clear.... I can establish a SIC and push policy correcly. I also receve the log on the SMS</P><P></P><P>Luigi</P></BODY></HTML> Wed, 09 Jan 2019 17:04:44 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Definition-of-remote-Gateway-behind-NAT/m-p/22994#M937 Luigi_Vezzoso1 2019-01-09T17:04:44Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Definition-of-remote-Gateway-behind-NAT/m-p/22995#M938 <HTML><HEAD></HEAD><BODY><P>The gateway object IP on the SMS would be the public IP.</P><P>You said you configured NAT for the required ports--which ones specifically?</P><P>Also, when you try to either push policy, fetch policy, etc, what specific behavior do you see?</P><P>Error messages? Screen shots? Other information?</P></BODY></HTML> Wed, 09 Jan 2019 21:44:09 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Definition-of-remote-Gateway-behind-NAT/m-p/22995#M938 PhoneBoy 2019-01-09T21:44:09Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Definition-of-remote-Gateway-behind-NAT/m-p/22996#M939 <HTML><HEAD></HEAD><BODY><P>If you have SIC and policy installs, you probably&nbsp;got it right.</P><P></P><P>VPN might require some further configuration to work.</P><P></P><P>NAT might be causing divergence between the IP address the CP1400 knows and what the peer knows. Check&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk101469">sk101469</A>.&nbsp;</P><P></P><P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk36425&amp;partition=General&amp;product=IPSec">sk36425 </A>explains a similar issue, but caused by ISP redundancy.</P></BODY></HTML> Thu, 10 Jan 2019 03:23:58 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Definition-of-remote-Gateway-behind-NAT/m-p/22996#M939 Pedro_Espindola 2019-01-10T03:23:58Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Definition-of-remote-Gateway-behind-NAT/m-p/22997#M940 <HTML><HEAD></HEAD><BODY><P>My environment is like the SK 101469 but the 1430 is Centrally Managed...</P></BODY></HTML> Thu, 10 Jan 2019 09:20:29 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Definition-of-remote-Gateway-behind-NAT/m-p/22997#M940 Luigi_Vezzoso1 2019-01-10T09:20:29Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Definition-of-remote-Gateway-behind-NAT/m-p/22998#M941 <HTML><HEAD></HEAD><BODY><P>I assume you want a VPN to 3rd party VPN as explained here:&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk108600&amp;partition=Advanced&amp;product=IPSec">sk108600: <STRONG>VPN</STRONG> Site-to-Site with 3rd party</A>&nbsp;- maybe you should set the&nbsp;ID Type not to IP address but something else...</P></BODY></HTML> Thu, 10 Jan 2019 11:23:53 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Definition-of-remote-Gateway-behind-NAT/m-p/22998#M941 G_W_Albrecht 2019-01-10T11:23:53Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Definition-of-remote-Gateway-behind-NAT/m-p/22999#M942 <HTML><HEAD></HEAD><BODY><P>Nope, the both side are checkpoint gateways centrally managed</P></BODY></HTML> Thu, 10 Jan 2019 11:25:55 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Definition-of-remote-Gateway-behind-NAT/m-p/22999#M942 Luigi_Vezzoso1 2019-01-10T11:25:55Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Definition-of-remote-Gateway-behind-NAT/m-p/23000#M943 <HTML><HEAD></HEAD><BODY><P>Please read&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk108600&amp;partition=Advanced&amp;product=IPSec" rel="nofollow" style="color: #e45785; background-color: #ffffff; border: 0px; text-decoration: underline; padding: 0px calc(12px + 0.35ex) 0px 0px;">sk108600</A>&nbsp;-&nbsp;<SPAN style="color: #333333; background-color: #ffffff;">maybe you should set the&nbsp;ID Type not to IP address but something else as i think it does send a wrong IP address... But you can analyze that using VPN Debug!</SPAN></P></BODY></HTML> Thu, 10 Jan 2019 11:30:38 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Definition-of-remote-Gateway-behind-NAT/m-p/23000#M943 G_W_Albrecht 2019-01-10T11:30:38Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Definition-of-remote-Gateway-behind-NAT/m-p/162920#M7820 <P>I have a similar setup but it fails on the SIC allready. In the SIC I see the LAN side IP adres in reverse notation and the match can't be made.</P> <P>The hostname equals the object name in the policy for the Central firewall.</P> <P><SPAN>(SecurityPeer sent wrong DN: 1.255.168.192** Reset SIC from peer, and establish trust again. **)</SPAN></P> Wed, 23 Nov 2022 12:17:53 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Definition-of-remote-Gateway-behind-NAT/m-p/162920#M7820 Hugo_vd_Kooij 2022-11-23T12:17:53Z