Everything matches for each phase.

Well the tunnel was up and we were able to send traffic which is why we thought it was all set. It became a problem after the Phase 2 rekey which brought the tunnel down. I honestly don't know what to do because we only have 1 WAN IP and that is what the client has on their side. All of the domains they sent over are correct, I just don't know about my own encryption domain because I never setup S2S with WAN IPs in the encryption domain.

Can you provide some more information on this VPN?

Is the Cisco side hosting a service you are accessing? I assume they are not accessing resources on your end? I am asking since you are only proving the 1 IP address on your end.

So with these assumptions:

• NAT should be enabled for this tunnel.
• Some sort of HIDE NAT needs to be in place for your side. I am not quite sure how a locally managed 1500 handles this, but you might need to create a NAT rule for that. Here is an example:

• Manually configure a local encryption domain - I would do this for this specific tunnel. 
• In that group you want your local networks that you are hiding plus the public IP:
  • Example: 10.10.10.0/24, 192.168.0.0/23, and 3.3.3.4/32
• Tunnel sharing mode should be host to host.

That setup should initial traffic using the public IP address. I am a bit out of my wheelhouse for locally managed 1500 stuff, but the concepts are the same, I hope this helps.

No, they will be accessing resources on our end. I was just planning on tackling that after we get the  tunnel up. Will this NAT rule help establish the tunnel or is this just something to consider after the fact?

If you have any tips on any other way I should set this up that would be great. They have other available WAN IPs I just don't know how to utilize them in this case. The original setup was 3 different WAN IPs in our remote encryption domain on the client side but I didn't have access to the original firewall configuration so I kind of just removed those from the equation. 

Ah, alright, well them needing to access your resources changes things. NAT will need to be used in general because of the public IP requirement. You will need to provide STATIC NATs (1-to-1) for resources they need to access on your end. Hide NAT would be if you want like 50 different computers on your side to access 1 web server on their end.

Your NAT rules would look something like this:

You can get creative with how these are defined; this is just a simple example since I don't know the specifics of your VPN.

Lets say my WAN IP is 99.99.99.1 and I have two spare WAN IPs 99.99.99.2 and 99.99.99.3. How would I add those to my local encryption domain? Should I let checkpoint handle that automatically or define it in the manually defined encryption domains? My problem is that what if I need another tunnel where those IPs aren't needed in the encryption domain such as a site-to-site with a branch office that uses local ips in the encryption domain. Thanks for the help.

For this tunnel, you would want to define the local encryption domain manually. As long as those objects are only assigned to this Cisco VPN site, it should not have any effect on other tunnels using the automatic method.

Unfortunately on Locally Managed you don't have an option to select. It is either Global Manual or Automatic.. Also, our tunnel came up after figuring out checking off Permanent Tunnels was the issue. I don't like that I need to send a continuous ping to keep the tunnel up but it is better than what I was dealing with before.