Romaryo
Collaborator

NAT in a VPN tunnel

Hi everyone,

I have a question about NAT in a VPN tunnel. So far I don’t have any experience with this in a Check Point environment.

Current situation: There is already an existing VPN tunnel, and we want to make a server on our side available to the remote side, but have it hidden behind a different IP address using NAT.

How should the NAT rule be configured in Check Point for this? And what happens first: the decryption of the VPN traffic or the NAT processing?

 

Remote Server -> Remote GW — VPN Tunnel—> CP GW -> local Server

 

NAT Rule:

src: any | dst: NAT IP | dst port | transl src: orig | transl dst: IP local srv | transl dst port: 443

??

Thanks in advance!

best regards,

Roman


Accepted Solutions
the_rock
MVP Diamond

Hey Roman,

Technically, decryption will happen first, then NAT. Make sure to enable NAT inside the VPN community if it's needed. The rule itself may look like below:

Original packet:

  • Src: Remote network (or “Any” if you prefer)

  • Dst: NAT IP (the external-looking IP you want the remote side to hit)

  • Port: 443 (or any port)

Translated:

  • Translated Source: Original

  • Translated Destination: Real internal server IP

  • Translated Service: original (or mapped to 443 if different)

Example:

Original Src | Original Dst         | Service | Xlated Src | Xlated Dst                  | Xlated Svc
Remote LAN   | 10.10.10.10 (NAT IP) | 443     | Original   | 192.168.50.20 (Real server) | 443
Best,
Andy
"Have a great day and if its not, change it"


11 Replies
Romaryo
Collaborator

Hi Andy!

Thank you for the very detailed reply! I’ll try to set it up and test it tomorrow.

best regards,

Roman

the_rock
MVP Diamond

Great! Message me directly if you are allowed to do remote; we can use Zoom. I use my free account for that, since Teams has lots of restrictions these days.

Best,
Andy
"Have a great day and if its not, change it"
Romaryo
Collaborator

Hi Andy! Ok, thanks for your offer! We have a technical meeting with the application developers today – they need to explain to us in detail the technical requirements and what exactly they need from the tunnel. I’ll get back to you 🙂

 

best regards,

Roman

the_rock
MVP Diamond

Sounds good.

Best,
Andy
"Have a great day and if its not, change it"
the_rock
MVP Diamond

In case a debug is needed, below is the easiest:

vpn debug trunc

vpn debug ikeon

-generate traffic

vpn debug ikeoff

Look for the iked* and vpnd* files in the $FWDIR/log directory.

Best,
Andy
"Have a great day and if its not, change it"
Lesley
MVP Gold

Extra tip for encryption domains: make sure you add both the real IP and the NAT IP that is assigned to your network to your local encryption domain. Add the remote NAT IP range to the remote peer's encryption domain (depends on whether the remote peer is also NATting).

What the_rock states is true; the other way around it is first NAT, then encryption (from local to remote peer).

-------
Please press "Accept as Solution" if my post solved it 🙂
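The two points made in the accepted answer and in Lesley's tip (inbound: decrypt, then NAT; outbound: NAT, then encrypt; and therefore the NAT IP must be part of the local encryption domain) can be checked with a small simulation. The script below is an added example written for this thread; it is not code from the thread, from Check Point, or from any gateway. It models a gateway with the static NAT rule from the accepted answer (10.10.10.10:443 to 192.168.50.20:443) and a constructed remote LAN 172.16.0.0/24 with client 172.16.0.5; the "drop" outcome when a packet falls outside the VPN domains is the model's simplification, real behaviour depends on the rulebase.

```python
"""Order of operations for NAT inside a VPN tunnel, as a small simulation.

Added example for this thread; not code from the thread or from Check Point.
It models what the replies describe: traffic arriving through the tunnel is
decrypted first and then NATted, while the reply is reverse-NATted first and
only then matched against the VPN domains and encrypted. Addresses are the
sample values from the accepted answer plus a constructed remote LAN.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

NAT_IP = ip_address("10.10.10.10")          # address the remote side connects to
REAL_SERVER = ip_address("192.168.50.20")   # real server behind the gateway
REMOTE_LAN = ip_network("172.16.0.0/24")    # constructed remote encryption domain


@dataclass(frozen=True)
class Packet:
    src: object
    dst: object
    sport: int
    dport: int
    encrypted: bool = False


# Static NAT rule from the accepted answer: original dst NAT_IP:443 ->
# translated dst REAL_SERVER:443, source left as original.
NAT_RULES = [
    {"orig_dst": NAT_IP, "orig_svc": 443, "xlated_dst": REAL_SERVER, "xlated_svc": 443},
]


def domain(*cidrs):
    """Build an encryption domain (list of networks) from CIDR strings."""
    return [ip_network(c) for c in cidrs]


def in_domain(addr, dom):
    return any(addr in net for net in dom)


def nat_inbound(pkt):
    """Destination NAT on traffic going to the server (applied after decryption)."""
    for r in NAT_RULES:
        if pkt.dst == r["orig_dst"] and pkt.dport == r["orig_svc"]:
            return replace(pkt, dst=r["xlated_dst"], dport=r["xlated_svc"])
    return pkt


def nat_outbound(pkt):
    """Reverse the static NAT on the server's reply (applied before encryption)."""
    for r in NAT_RULES:
        if pkt.src == r["xlated_dst"] and pkt.sport == r["xlated_svc"]:
            return replace(pkt, src=r["orig_dst"], sport=r["orig_svc"])
    return pkt


def process_inbound(pkt, local_domain, remote_domain):
    """Remote -> local: decrypt, check the tunnel selectors, then NAT."""
    if not pkt.encrypted:
        return None, "not from the tunnel"
    # The VPN domain check sees the pre-NAT destination, i.e. the NAT IP.
    if not (in_domain(pkt.src, remote_domain) and in_domain(pkt.dst, local_domain)):
        return None, f"decrypted packet to {pkt.dst} is outside the VPN domains (dropped in this model)"
    return nat_inbound(replace(pkt, encrypted=False)), "decrypted, then NATted"


def process_outbound(pkt, local_domain, remote_domain):
    """Local -> remote: reverse NAT first, then match the domains and encrypt."""
    pkt = nat_outbound(pkt)
    # The VPN domain check sees the post-NAT source, again the NAT IP.
    if not (in_domain(pkt.src, local_domain) and in_domain(pkt.dst, remote_domain)):
        return None, f"post-NAT source {pkt.src} is outside the VPN domains; not sent via tunnel"
    return replace(pkt, encrypted=True), "NATted back, then encrypted"


def exchange(local_domain, remote_domain=(REMOTE_LAN,)):
    """Run one request/reply pair; returns ((request, reason), (reply, reason))."""
    client = ip_address("172.16.0.5")  # constructed remote client
    request = Packet(client, NAT_IP, 51515, 443, encrypted=True)
    req, why_req = process_inbound(request, local_domain, remote_domain)
    if req is None:
        return (None, why_req), (None, "no request delivered")
    reply = Packet(req.dst, req.src, req.dport, req.sport)  # server answers from its real IP
    return (req, why_req), process_outbound(reply, local_domain, remote_domain)


if __name__ == "__main__":
    real_only = domain("192.168.50.20/32")
    real_and_nat = domain("192.168.50.20/32", "10.10.10.10/32")
    for name, dom in (("real IP only", real_only), ("real IP + NAT IP", real_and_nat)):
        (req, r1), (rep, r2) = exchange(dom)
        print(f"{name}: request -> {r1}; reply -> {r2}")
```

Running it prints one line per domain definition: with only the real server in the local domain the decrypted request is already rejected at the domain check, because the gateway sees the NAT IP as destination before NAT runs; with both addresses present the request reaches 192.168.50.20 and the reply is translated back to 10.10.10.10 before it is matched against the community and encrypted, which is exactly why the NAT IP belongs in the local encryption domain.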
the_rock
MVP Diamond

Yes sir! Definitely always a good idea to add the NATted IP to the VPN domain as well.

Best,
Andy
"Have a great day and if its not, change it"
Romaryo
Collaborator

Hi @Lesley, ok, this is roughly how I imagined it. I'm waiting for confirmation from the DevOps team and then I will test it. Many thanks for your tip.

 

best regards,

Roman

Romaryo
Collaborator

Hi!
Thank you very much for your support!
Our application developers have finally tested the tunnel.
Everything worked well, and I learned something new.
Thanks!

the_rock
MVP Diamond

Glad you got it working.

Best,
Andy
"Have a great day and if its not, change it"