How to disable NAT-T for a specific VPN Tunnel
Good morning team, I need support because I want to disable NAT-T (port 4500) for a specific site-to-site VPN. I am having problems with this VPN, which is Check Point to Check Point communication, but every so often we see interruptions and drops of the VPN. In the logs we have only found that the peers are negotiating through NAT-T on port 4500 and not through port 500, which is the normal case.
I have read a lot of documentation and CheckMates posts, but they all say the same thing:
1- NAT-T communication is usually initiated by the peer, and Check Point is only allowed to accept the traffic or not.
2- NAT-T can be disabled, but it is a global configuration that can affect all VPNs.
3- NAT-T can be changed in the gateway, but I understand that this still affects all VPNs connected to this gateway.
Regards
In every VPN community there is an option to disable NAT for this community. Not sure if this is also valid for NAT-T traffic.
If you see an issue with NAT-T, I would suggest contacting TAC and investigating it.
NAT-T is used because there is some NAT device in between the 2 peers. In order to keep the connection in the NAT device's connection table, the Check Point firewall uses NAT-T keepalive packets every 10 seconds (even if there is no interesting traffic).
Jozko Mrkvicka
@JozkoMrkvicka described it perfectly.
Andy
Are you seeing / experiencing this on R81.20 or some other version?
Are all gateways under the same management and what is the topology, is either gateway DAIP?
Great call about DAIP.
NAT-T is normal for a tunnel if the gateway is hidden behind a device that controls the public IP address.
With Check Point, there is a hash value for NAT-T detection, and if this hash comes back different, then this is an indication that the tunnel has been NATed behind some other device, thus causing the tunnel to be built with NAT-T.
Thus, if NAT-T is needed, then NAT-T should not be modified.
Also, make sure that the interface you are using for the VPN tunnel is defined as an External interface.
If you are experiencing outages, please enable VPN debugs and open a TAC case for further investigation.
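The "hash value for NAT-T detection" mentioned above is the IKE NAT-Discovery (NAT-D) mechanism from RFC 3947: each peer sends SHA-1 hashes of its own cookies, IP address and port, and the receiver recomputes the hash over the source address it actually observed on the wire. A mismatch means a NAT device rewrote the address in transit, and the negotiation floats from UDP 500 to UDP 4500. The following is an added worked example of that comparison, written for this thread; it is not Check Point code and does not show how the gateway implements it internally. The cookie values and addresses are constructed sample data.

```python
"""RFC 3947 NAT-D hash comparison (added example, not Check Point's code).

NAT-D payload content: SHA-1(CKY-I | CKY-R | IP | Port), where CKY-I and
CKY-R are the 8-byte IKEv1 initiator/responder cookies, IP is the packed
address (4 bytes for IPv4, 16 for IPv6) and Port is a 16-bit big-endian
UDP port.  The sender hashes the address it believes it is using; the
receiver hashes the address it saw in the IP/UDP headers.  If the two
differ, a NAT sits between the peers and IKE moves to UDP 4500.
"""
import hashlib
import ipaddress
import struct

IKE_PORT = 500
NAT_T_PORT = 4500


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """Compute one NAT-D hash exactly as RFC 3947 section 3.2 defines it."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("IKEv1 cookies are 8 bytes each")
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port must fit in 16 bits")
    ip_bytes = ipaddress.ip_address(ip).packed  # handles IPv4 and IPv6
    return hashlib.sha1(cky_i + cky_r + ip_bytes + struct.pack("!H", port)).digest()


def nat_detected(cky_i: bytes, cky_r: bytes,
                 peer_claimed_ip: str, peer_claimed_port: int,
                 observed_ip: str, observed_port: int) -> bool:
    """Receiver-side check: does the peer's NAT-D hash match the source
    address we actually observed?  True means a NAT rewrote the packet."""
    sent_by_peer = nat_d_hash(cky_i, cky_r, peer_claimed_ip, peer_claimed_port)
    recomputed = nat_d_hash(cky_i, cky_r, observed_ip, observed_port)
    return sent_by_peer != recomputed


def negotiation_port(nat_present: bool) -> int:
    """Port the peers float to once NAT-D has run (RFC 3947 section 4)."""
    return NAT_T_PORT if nat_present else IKE_PORT


# Constructed sample data: cookies and RFC 5737 documentation addresses.
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("a1a2a3a4a5a6a7a8")


def example_behind_nat() -> int:
    """Peer hashes its private address 10.0.0.5:500, but we see the NAT's
    public address 203.0.113.10:500 on the wire -> mismatch -> UDP 4500."""
    nat = nat_detected(CKY_I, CKY_R, "10.0.0.5", 500, "203.0.113.10", 500)
    return negotiation_port(nat)


def example_direct() -> int:
    """Both peers have public addresses and nothing rewrites them -> UDP 500."""
    nat = nat_detected(CKY_I, CKY_R, "198.51.100.7", 500, "198.51.100.7", 500)
    return negotiation_port(nat)


if __name__ == "__main__":
    print("behind NAT -> negotiates on UDP", example_behind_nat())
    print("direct     -> negotiates on UDP", example_direct())
```

The practical consequence for the question in this thread is the one the reply states: if the hashes genuinely differ because one gateway sits behind a NAT device, forcing port 500 would not remove the NAT, it would only break the tunnel. Seeing UDP 4500 in the logs is therefore a symptom of the topology, not the cause of the drops.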
Check SK177823 to see if that helps. There was a change in a set of Jumbo HFAs a short time ago.
https://support.checkpoint.com/results/sk/sk177823
Edit:
Likewise SK32664 has some related info:
