Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

VPN onf Firewall Behind NAT Router

Hello all, 

I am actually completely new to Checkpoint. I have done same thing on different vendors but first time tried to make on CP but failed. Unfortunately I cannot find enough resources for solving my problem that is why I write here.

We are building new branch office and installing gateway there. I want all traffic to be router to central office through VPN because for AWS resources I need to have Public IP connection from Central office. The problem is SP cannot install fiber optics in time and now we are using 4G router in front CP for couple weeks. So the connection is as below:

LAN-CP(15000S)-192.168.1.0/24-4G-Reserved Public IP.

Central Office side is completely okay and have already a lot VPN tunnel configured previous to me.

I am doing All TCP_UDP ports forwarded from 4G router to checkpoint external Private IP which is static.

What I need to enable beside basic Domain Based VPN configuration on Checkpoint Firewalls? Any help is appreciated.

How Can I enable NAT-T on both gateways for this connection?

What is "Hide this gateway behind another gateway" on Advanced->NAT section? Do i need to enable it?

Is putting Public IP of 4G router in Link selection enough?

0 Kudos
4 Replies
Pearl

@OrkhanRustamli , take a look at this thread that was discussing this same issue some time ago: https://community.checkpoint.com/t5/General-Topics/Gateway-behind-NAT-What-limitations-am-I-to-be-aw...

 

0 Kudos
Highlighted

Hello @Vladimir,

I have seen this document but it does not answer all my question. Have you been able to solve this problem in your scenario? If yes, amy you please share what you have accomplished? 

0 Kudos
Highlighted
Pearl

As far as I recall, this option should be enabled on the gateway you are working on :

"Hide this gateway behind another gateway" on Advanced->NAT

Have to take another look at the "Link selection" options.

Please specify the version you are running on both sides.

My lab is down at the moment, but I'll see if either I can spin it up to verify or poke someone in the forum to take a look at this question.

P.S. How is the gateway behind 4G router is managed? Does it have an independent management server, is it all-in-one, or are you planning to manage it from the main site via the VPN?

0 Kudos
Highlighted
Admin
Admin

What version are you using so we can point you at the right version of documentation?
In general, the gateway should figure out it is behind NAT and do NAT-T.
However, you will probably want to configure Link Selection to point to the public IP.
If you don't know what the public IP is (or can't rely on it to be static), then the VPN will only work with certificate-based authentication (and not pre-shared secret).

The "Hide this gateway behind another gateway" isn't relevant in this situation, I don't think.
0 Kudos