Re: NAT in a VPN tunnel

Romaryo

Hi everyone,

I have a question about NAT in a VPN tunnel. So far I don’t have any experience with this in a Check Point environment.

Current situation: There is already an existing VPN tunnel, and we want to make a server on our side available to the remote side, but have it hidden behind a different IP address using NAT.

How should the NAT rule be configured in Check Point for this? And what happens first: the decryption of the VPN traffic or the NAT processing?

Remote Server -> Remote GW — VPN Tunnel—> CP GW -> local Server

NAT Rule:

??

Thanks in advance!

best regards,

Roman

the_rock

Hey Roman,

Technically, decryption will happen first, then NAT, Make sure to enable nat inside vpn community if its needed. Rule itself may look like below:

Original packet:

Src: Remote network (or “Any” if you prefer)
Dst: NAT IP (the external-looking IP you want the remote side to hit)
Port: 443 (or any port)

Translated:

Translated Source: Original
Translated Destination: Real internal server IP
Translated Service: original (or mapped to 443 if different)

Example:

Original Src	Original Dst	Service	Xlated Src	Xlated Dst	Xlated Svc
Remote LAN	10.10.10.10 (NAT IP)	443	Original	192.168.50.20 (Real server)	443

Best,
Andy

Romaryo

Hi Andy!

Thank you for the very detailed reply! I’ll try to set it up and test it tomorrow.

best regards,

Roman

the_rock

Great! Message me directly if you are allowed to do remote, we can use zoom, I use my free account for that, since teams has lots of restrictions these days.

Best,
Andy

Romaryo

Hi Andy! Ok, thanks for your offer! We have a technical meeting with the application developers today – they need to explain to us in detail the technical requirements and what exactly they need from the tunnel. I’ll get back to you 🙂

best regards,

Roman

the_rock

Sounds good.

Best,
Andy

the_rock

In case debug is needed, below is easiest:

vpn debug trunc

vpn debug ikeon

-generate traffic

vpn debug ikeoff

Look for iked* and vpnd* files in $FWDIR/log dir

Best,
Andy

Lesley

Extra tip for encryption domains, make sure you add real ip and nat ip that is assigned to your network in your local encryption domain. Add remote NAT ip range to remote peer encryption domain. (depends if remote peer also is natting)

what the the_rock states is true, other way around is first NAT then encryption (from local to remote peer)

-------
Please press "Accept as Solution" if my post solved it 🙂

the_rock

Yes sir! Definitely always a good idea to add natted IP in vpn domain as well.

Best,
Andy

Romaryo

Hi @Lesley Ok, this is roughly how I imagined it. I’m waiting for confirmation from the DevOps team and then I will test it. Many thanks for your tip.

best regards,

Roman

Are you a member of CheckMates?

NAT in a VPN tunnel

Original packet:

Translated:

Example: