
VPN Source NAT subnet and actual in same Encryption domain

Hi Checkmates! 

I have a question regarding VPN. On a VSX platform in a single domain on a single Virtual System I am trying to establish a VPN, where we are source NAT'ing on our end and they are as well.

I can establish Phase 1 and 2 without issues and I can tell that the VPN is establishing with the correct NAT'ed subnet, yet we're not able to send traffic through. 

Does this cause an issue if we have both the actual subnet and NAT'ed subnet in the VPN domain manually defined on the VS?

Kind regards

Hope you can help.

3 Replies
Employee

What do logs say? Drop on last rule or something else? How is your rule set up?

0 Kudos

Do you have two manual NAT rules created for egress and ingress of the traffic coming from or destined to the VPN peer?

0 Kudos


Yes, we have two manual NATs for both egress and ingress.

Yesterday in the maintenance window we got the VPN up and running. We didn't make any changes; the issue was the ruleset on the other end.

The logs translated correctly as intended. 

I was just curious, regarding the design of the Check Point, whether it might cause an issue having both the actual and NAT'ed subnet in the encryption domain.

Thank you both for your replies.

