This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
hcampuzano
Participant
‎2024-04-04 12:19 PM
Jump to solution

Disable NAT-T for a single Site to Site VPN.

Hello, I need to disable NAT-T for a single S2S VPN, because if I disable it on the gateway object, the mobile blade does not work and remote users are affected. That means:

NAT-T enabled: Remote Users OK. - S2S VPN fails.

NAT-T disabled: Remote Users fail. - S2S VPN OK.

The VPN community settings does not allow to disable it for that particular community.

Is there something I'm missing? Thanks for the help.

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
MVP Gold
MVP Gold
‎2024-04-04 02:17 PM
Jump to solution

You can't modify how NAT-T behaves at the VPN Community level, but you can do it at the object level and all this would apply for your gateways, externally managed gateways, and interoperable devices.  So what you could try is modifying these GUIdbedit properties on the object representing the peer gateway on the other side of the tunnel, or you may be able to adjust these on your own gateway object without breaking RAS VPN, the last one in the list in particular.   The default values for R81.20 are shown:

  • force_nat_t  boolean  false  "force the GW to use NAT traversal (port 4500)"
  • ike_support_nat_t  boolean  true "Support NAT Traversal (port 4500)"
  • offer_nat_t_initiator   boolean  false  "Send NAT-T VID (for Initiator GW)
  • offer_nat_t_responder_for_known_gw   boolean  true  "Accept NAT_T connections from known GWs and send NAT-T vendor id (for Responder GW)"
Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

View solution in original post

3 Replies
Lesley
MVP Gold
MVP Gold
‎2024-04-04 01:35 PM
Jump to solution

Drop UDP 4500 from the other peer IP. Only allow ESP and ike500.

NAT-t is most of the time started by the other side. In older versions Check Point only accepts and do not send.

Newer version depends on config (is global setting)

You can only as far as I know disable it on global level. 

 

 

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
CheckPointerXL
Advisor
Advisor
‎2024-04-16 01:37 AM
In response to Lesley
Jump to solution

I think is allowed by implicit rules... if so, fw accel dos rule is needed, or also a fake nat rule it should work

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2024-04-04 02:17 PM
Jump to solution

You can't modify how NAT-T behaves at the VPN Community level, but you can do it at the object level and all this would apply for your gateways, externally managed gateways, and interoperable devices.  So what you could try is modifying these GUIdbedit properties on the object representing the peer gateway on the other side of the tunnel, or you may be able to adjust these on your own gateway object without breaking RAS VPN, the last one in the list in particular.   The default values for R81.20 are shown:

  • force_nat_t  boolean  false  "force the GW to use NAT traversal (port 4500)"
  • ike_support_nat_t  boolean  true "Support NAT Traversal (port 4500)"
  • offer_nat_t_initiator   boolean  false  "Send NAT-T VID (for Initiator GW)
  • offer_nat_t_responder_for_known_gw   boolean  true  "Accept NAT_T connections from known GWs and send NAT-T vendor id (for Responder GW)"
Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events