
CP1570 VPN S2S to Palo Alto - NAT translation


I have an S2S CP1570 and a Palo Alto connected via VPN.

The server behind Palo Alto is assigned the IP

The server (IP behind Palo Alto will only respond to a PING query as traffic from the CP1570 side will come from the network passing through the VPN tunnel.

How do I do a 1:1 NAT translation so that when I send a PING from the network it will be sent through the VPN tunnel as an IP from the network?

If this is not possible, I will have to assign a static address from the network to the computer's network card.

I am attaching an image with a block diagram.

CP1570 Firmware  R81.10.08 (996001683)


0 Kudos
1 Reply

I am not familiar with the model CP1570, but normally if using a domain/policy based VPN, you need to add the hosts/networks/ranges, etc. that you would want to participate in the VPN to the VPN domain object on the Check Point side and have the corresponding rule. No need to NAT unless there is a requirement to do so, such as communicating to a public IP over a VPN or a conflict for overlapping IP networks. Also on the Palo side you will have to allow or a single IP/32 if that is all you need from that subnet, inbound, and make any other Palo config changes to allow the traffic. Now if you need to NAT for some other reason, you can NAT but will still have the network or individual IP from 192.168.88.0/24 in the rule and the VPN domain object on the Check Point side.

