Thomas_Eichelbu
Advisor

Best practice, NAT-T Device behind Check Point Appliance

Hello Checkmates,

maybe an easy question:

I have a customer with several Check Point 5200 appliances on R80.10 Take 121.
In general an easy standard setup.


But for remote access to some industrial systems the customer has several other Check Point appliances placed behind the firewalls on the internal networks.

Then we discovered that initiating an IPsec tunnel (NAT-T) from inside to the external peer was not successful.
We did a NAT using the Main IP of the firewall object. ...
Could this be a problem?
Is it better to have ONE different NAT IP for all internal VPN appliances

or

should I use ONE dedicated IP for each VPN appliance?

I made a dedicated Hide NAT rule for every single VPN appliance ... now I am waiting for results from the customer ...

In tcpdump I saw:

09:11:48.069849 IP 10.2.125.14.4500 > X:X:X.57.4500: isakmp-nat-keep-alive
09:11:48.070074 IP 10.2.125.14.4500 > X:X:X.57.4500: isakmp-nat-keep-alive
09:11:52.075466 IP 10.2.125.14.4500 > X:X:X.57.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
09:11:52.866336 IP 10.2.125.14.123 > X.X.X.76.123: NTPv3, Client, length 48
09:11:56.956663 IP 10.2.125.14.4500 > X:X:X.57.4500: UDP-encap: ESP(spi=0xcf615dfa,seq=0xac), length 148
09:12:08.086248 IP 10.2.125.14.4500 > X:X:X.57.4500: isakmp-nat-keep-alive
09:12:08.086481 IP 10.2.125.14.4500 > X:X:X.57.4500: isakmp-nat-keep-alive

In SmartLog I see logs of IKE packets, sometimes some IKE_NAT_TRAVERAL.

So what would you suggest:
NAT with ONE outgoing public IP for all appliances
ONE public NAT IP for each VPN appliance ...

So far the customer still hasn't told me if it works ... we will see.

Best regards,
Thomas.

0 Kudos
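To make the tcpdump capture above easier to interpret, here is an added example (not part of the original post or of any Check Point tooling) that parses such lines, classifies them as NAT-T keepalives, IKE with the non-ESP marker, or UDP-encapsulated ESP, and flags the case seen in the post: traffic leaves the internal appliance on UDP/4500 but nothing ever comes back from the peer. The sample lines are the ones quoted in the post, with the peer addresses masked as they were there; the local IP 10.2.125.14 is taken from the capture.

```python
import re
from collections import Counter

# Constructed sample: the tcpdump lines quoted in the post (peer addresses masked as in the original).
SAMPLE = """\
09:11:48.069849 IP 10.2.125.14.4500 > X:X:X.57.4500: isakmp-nat-keep-alive
09:11:48.070074 IP 10.2.125.14.4500 > X:X:X.57.4500: isakmp-nat-keep-alive
09:11:52.075466 IP 10.2.125.14.4500 > X:X:X.57.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
09:11:52.866336 IP 10.2.125.14.123 > X.X.X.76.123: NTPv3, Client, length 48
09:11:56.956663 IP 10.2.125.14.4500 > X:X:X.57.4500: UDP-encap: ESP(spi=0xcf615dfa,seq=0xac), length 148
"""

# tcpdump prints "src.port > dst.port: payload"; the host part may contain dots or colons (masked here).
LINE_RE = re.compile(r"^(\S+) IP (\S+?)\.(\d+) > (\S+?)\.(\d+): (.*)$")
ESP_RE = re.compile(r"ESP\(spi=(0x[0-9a-f]+),seq=(0x[0-9a-f]+)\)")

def classify(dport, payload):
    """Map a tcpdump payload description to the IPsec/NAT-T message class it represents."""
    if payload.startswith("isakmp-nat-keep-alive"):
        return "natt-keepalive"          # 1-byte keepalive on UDP/4500, keeps the NAT mapping open
    if payload.startswith("NONESP-encap: isakmp"):
        return "ike-over-4500"           # IKE with the non-ESP marker, i.e. NAT-T has been negotiated
    if payload.startswith("UDP-encap: ESP"):
        return "esp-over-4500"           # ESP encapsulated in UDP/4500 (RFC 3948)
    if dport == 500 and payload.startswith("isakmp"):
        return "ike-over-500"            # plain IKE before NAT detection, or NAT-T not negotiated
    return "other"

def parse(text):
    """Parse tcpdump text lines into dicts; lines that do not match the layout are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, _sport, dst, dport, payload = m.groups()
        esp = ESP_RE.search(payload)
        pkts.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                     "kind": classify(int(dport), payload),
                     "spi": esp.group(1) if esp else None})
    return pkts

def natt_health(text, local_ip):
    """Count NAT-T traffic per direction and report whether the peer ever answers.
    With Hide NAT on the Check Point, NAT-T is designed to work; outbound-only traffic
    points at the remote peer's configuration or the path, not at the local NAT rule."""
    pkts = [p for p in parse(text) if p["kind"] != "other"]
    counts = Counter(("out" if p["src"] == local_ip else "in", p["kind"]) for p in pkts)
    return {"counts": dict(counts),
            "peer_replies": any(p["dst"] == local_ip for p in pkts),
            "esp_spis": sorted({p["spi"] for p in pkts if p["spi"]})}
```

Running `natt_health(SAMPLE, "10.2.125.14")` on the quoted capture reports outbound keepalives, IKE and ESP on UDP/4500 and `peer_replies` False, which is exactly the one-sided picture that turned out to be caused by the remote side.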
2 Replies
PhoneBoy
Admin

The whole purpose of NAT traversal is to work with HIDE NAT, so this should not be required.

What is performing the VPN in this case? (both endpoints)

0 Kudos
Thomas_Eichelbu
Advisor

Hello, 

Sorry for my late answer.

The problem has been solved ... it was not a Check Point issue, it was a misconfiguration of a third-party VPN appliance ...
But the IT company of these third-party devices insisted until the very last minute that everything was OK on their end.
(They used IPsec in aggressive mode + PSK instead of NAT-T with certificates.)
In the end, the Check Point appliance worked like a charm.

Best regards,
Thomas.

0 Kudos