This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Romaryo
Contributor
‎2025-11-16 08:40 AM

NAT in a VPN tunnel

Hi everyone,

I have a question about NAT in a VPN tunnel. So far I don’t have any experience with this in a Check Point environment.

Current situation: There is already an existing VPN tunnel, and we want to make a server on our side available to the remote side, but have it hidden behind a different IP address using NAT.

How should the NAT rule be configured in Check Point for this? And what happens first: the decryption of the VPN traffic or the NAT processing?

 

Remote Server -> Remote GW — VPN Tunnel—> CP GW -> local Server

 

NAT Rule:

src: any| dst: nat ip | dst Port | Transl src: orig | transl dst: IP local srv | transl dst Port : 443.

??

Thanks in advance!

best regards,

Roman

0 Kudos
9 Replies
the_rock
MVP Platinum
MVP Platinum
‎2025-11-16 09:02 AM

Hey Roman,

Technically, decryption will happen first, then NAT, Make sure to enable nat inside vpn community if its needed. Rule itself may look like below:

Original packet:

  • Src: Remote network (or “Any” if you prefer)

  • Dst: NAT IP (the external-looking IP you want the remote side to hit)

  • Port: 443 (or any port)

Translated:

  • Translated Source: Original

  • Translated Destination: Real internal server IP

  • Translated Service: original (or mapped to 443 if different)

Example:

Original Src Original Dst Service Xlated Src Xlated Dst Xlated Svc
Remote LAN 10.10.10.10 (NAT IP) 443 Original 192.168.50.20 (Real server) 443
Best,
Andy
Romaryo
Contributor
‎2025-11-16 10:22 AM
In response to the_rock

Hi Andy!

Thank you for the very detailed reply! I’ll try to set it up and test it tomorrow.

best regards,

Roman

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-11-16 10:37 AM
In response to Romaryo

Great! Message me directly if you are allowed to do remote, we can use zoom, I use my free account for that, since teams has lots of restrictions these days.

Best,
Andy
Romaryo
Contributor
‎2025-11-17 11:07 PM
In response to the_rock

Hi Andy! Ok, thanks for your offer! We have a technical meeting with the application developers today – they need to explain to us in detail the technical requirements and what exactly they need from the tunnel. I’ll get back to you 🙂

 

best regards,

Roman

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-11-18 03:27 AM
In response to Romaryo

Sounds good.

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-11-18 06:02 PM
In response to Romaryo

In case debug is needed, below is easiest:

vpn debug trunc

vpn debug ikeon

-generate traffic

vpn debug ikeoff

Look for iked* and vpnd* files in $FWDIR/log dir

Best,
Andy
0 Kudos
Lesley
MVP Gold
MVP Gold
‎2025-11-18 12:48 PM

Extra tip for encryption domains, make sure you add real ip and nat ip that is assigned to your network in your local encryption domain. Add remote NAT ip range to remote peer encryption domain. (depends if remote peer also is natting)

what the the_rock states is true, other way around is first NAT then encryption (from local to remote peer)

-------
Please press "Accept as Solution" if my post solved it 🙂
the_rock
MVP Platinum
MVP Platinum
‎2025-11-18 02:04 PM
In response to Lesley

Yes sir! Definitely always a good idea to add natted IP in vpn domain as well.

Best,
Andy
0 Kudos
Romaryo
Contributor
‎2025-11-18 09:37 PM
In response to Lesley

Hi @Lesley  Ok, this is roughly how I imagined it. I’m waiting for confirmation from the DevOps team and then I will test it. Many thanks for your tip.

 

best regards,

Roman

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events