
Best practice, NAT-T Device behind Check Point Appliance

Hello Checkmates,

maybe an easy question:

I have a customer with several Check Point 5200 on R80.10 Take 121.
in general an easy standard setup.

but for remote access of some industrial systems the customer has several other Check Point appliances placed behind the firewalls on the internal networks.

then we discovered that initiating an IPsec tunnel (NAT-T) from inside to the external peer was not successful.
we did a NAT using the Main IP of the firewall object. ...
could this be a problem?
is it better to have ONE different NAT IP for all internal VPN appliances?


should I use ONE dedicated IP for each VPN appliance?

I made a dedicated Hide NAT rule for every single VPN appliance ... now I am waiting for results from the customer ...

in tcpdump I saw:

09:11:48.069849 IP > X:X:X.57.4500: isakmp-nat-keep-alive
09:11:48.070074 IP > X:X:X.57.4500: isakmp-nat-keep-alive
09:11:52.075466 IP > X:X:X.57.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
09:11:52.866336 IP > X.X.X.76.123: NTPv3, Client, length 48
09:11:56.956663 IP > X:X:X.57.4500: UDP-encap: ESP(spi=0xcf615dfa,seq=0xac), length 148
09:12:08.086248 IP > X:X:X.57.4500: isakmp-nat-keep-alive
09:12:08.086481 IP > X:X:X.57.4500: isakmp-nat-keep-alive

in SmartLog I see logs of IKE packets, sometimes some IKE_NAT_TRAVERSAL.

so what would you suggest:
NAT with ONE outoging public IP for all appliances
ONE public NAT IP for each VPN appliance ...

so the customer still hasn't told me if it works ... we will see.

best regards

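The tcpdump excerpt above mixes three kinds of UDP/4500 traffic that mean different things when you are deciding whether Hide NAT is breaking a NAT-T tunnel: isakmp-nat-keep-alive (the initiator behind NAT keeping the port mapping open), NONESP-encap isakmp (IKE negotiation or informational exchanges riding on 4500) and UDP-encap ESP (actual tunnel payload, which means phase 2 completed). The following script is an added example, not code from the original post or from Check Point; it parses tcpdump lines of that shape, groups them per remote peer and gives a per-peer verdict. The capture text is constructed with documentation-range placeholder addresses (192.0.2.x / 198.51.100.x) in place of the redacted ones in the post, and the SPI value is the one quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample capture: same line shape as the post's tcpdump output,
# with placeholder addresses (192.0.2.10 = internal VPN appliance after Hide NAT,
# 198.51.100.57 = external IPsec peer, 198.51.100.76 = an NTP server).
SAMPLE_CAPTURE = """\
09:11:48.069849 IP 192.0.2.10.4500 > 198.51.100.57.4500: isakmp-nat-keep-alive
09:11:48.070074 IP 192.0.2.10.4500 > 198.51.100.57.4500: isakmp-nat-keep-alive
09:11:52.075466 IP 192.0.2.10.4500 > 198.51.100.57.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
09:11:52.866336 IP 192.0.2.10.123 > 198.51.100.76.123: NTPv3, Client, length 48
09:11:56.956663 IP 192.0.2.10.4500 > 198.51.100.57.4500: UDP-encap: ESP(spi=0xcf615dfa,seq=0xac), length 148
09:12:08.086248 IP 192.0.2.10.4500 > 198.51.100.57.4500: isakmp-nat-keep-alive
"""

# "<time> IP <src>.<sport> > <dst>.<dport>: <payload>" as tcpdump prints it for IPv4/UDP.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<payload>.*)$"
)
SPI_RE = re.compile(r"ESP\(spi=(0x[0-9a-fA-F]+)")
NAT_T_PORT = 4500  # IKE/ESP encapsulated in UDP when NAT-T is negotiated


def parse_line(line):
    """Return a dict for one tcpdump line, or None if it does not match the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    payload = rec["payload"]
    if payload.startswith("isakmp-nat-keep-alive"):
        rec["kind"] = "keepalive"          # keeps the NAT mapping alive, carries no IKE state
    elif payload.startswith("NONESP-encap: isakmp"):
        rec["kind"] = "ike"                # IKE on 4500 (non-ESP marker prepended)
    elif payload.startswith("UDP-encap: ESP"):
        rec["kind"] = "esp"                # tunnel payload: phase 2 SA is in place
    else:
        rec["kind"] = "other"
    spi = SPI_RE.search(payload)
    rec["spi"] = spi.group(1) if spi else None
    return rec


def summarize_nat_t(capture_text):
    """Per remote peer on UDP/4500: counts of keepalive, IKE and ESP packets plus the SPIs seen."""
    peers = defaultdict(lambda: {"keepalive": 0, "ike": 0, "esp": 0, "spis": set()})
    for line in capture_text.splitlines():
        rec = parse_line(line)
        if rec is None or NAT_T_PORT not in (rec["sport"], rec["dport"]):
            continue  # not NAT-T traffic, e.g. the NTP line in the post
        peer = rec["dst"] if rec["dport"] == NAT_T_PORT else rec["src"]
        stats = peers[peer]
        if rec["kind"] in stats:
            stats[rec["kind"]] += 1
        if rec["spi"]:
            stats["spis"].add(rec["spi"])
    return dict(peers)


def verdict(stats):
    """Plain-language reading of one peer's counters."""
    if stats["esp"]:
        return "ESP-in-UDP flowing: NAT-T tunnel is up behind the Hide NAT"
    if stats["ike"]:
        return "IKE seen but no ESP: negotiation or policy problem, not the NAT mapping"
    return "keepalives only: NAT mapping held open, no IKE or ESP at all"


if __name__ == "__main__":
    for peer, stats in summarize_nat_t(SAMPLE_CAPTURE).items():
        print(peer, {k: v for k, v in stats.items() if k != "spis"}, sorted(stats["spis"]))
        print("  ->", verdict(stats))
```

Run it against a real capture with `tcpdump -ni eth0 udp port 4500` piped into the script and the per-peer verdict tells you quickly whether Hide NAT is even in the picture: if ESP is flowing (as it is in the post's excerpt), the NAT mapping works and the problem is further up, which matches how the thread was eventually resolved.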

The whole purpose of NAT traversal is to work with HIDE NAT, so this should not be required.

What is performing the VPN in this case? (both endpoints)



sorry for my late answer.

The problem has been solved ... it was not a Check Point issue, it was a misconfiguration of a third-party VPN appliance ...
but the IT company of this third-party device insisted until the very last minute that everything was OK on their end.
(they used IPsec in aggressive mode + PSK instead of NAT-T with certificates)
In the end, the Check Point appliance worked like a charm.

best regards
