This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
Advisor
‎2023-09-08 04:38 PM
Jump to solution

Disable NAT-T in Checkpoint GW.

Hello,

Is NAT-T enabled by default on Checkpoint equipment?

We have a GW, where we have created multiple VPNs with other clients, but specifically, with 1 client (Cisco ASA), we are having communication problems and according to the tests that the endpoint performs, suggests us to "disable" the NAT-T, but this option of disabling the NAT-T in the GW, affects in general to all the VPNs that you have created, right?

Could someone please confirm this for me.

Greetings.

0 Kudos
42 Replies
the_rock
Legend
Legend
‎2023-09-11 04:15 PM
In response to Matlu
Jump to solution

Ikev2 is way better and more secure, but give it a try.

0 Kudos
Zolocofxp
Collaborator
‎2023-09-11 04:35 PM
In response to Matlu
Jump to solution

IKEv1 will be a lot easier to debug. You will have to open legacy_ike.elg in IKEView.

0 Kudos
the_rock
Legend
Legend
‎2023-09-11 04:40 PM
In response to Zolocofxp
Jump to solution

I believe process is the same for ikev2 as well, at least based on TAC cases I had in the past.

Andy

0 Kudos
Matlu
Advisor
‎2023-09-11 05:02 PM
In response to Zolocofxp
Jump to solution

We found the error, and fixed it.

It's weird, but we'd better not even touch it, hahaha.

It turns out, we touched the configuration of the

"VPN TUNNEL SHARING"

Select the option: "One VPN Tunnel per each pair of hosts" .... Once this option was selected, it started to work.

VPN1.png

Checkpoint really surprises me 🤣😲

We were seeing the traffic coming out of the encrypted firewall, and everything was fine for us, but the Cisco ASA was not seeing the traffic coming to their equipment, and we had to move to that option, once we did that, it started to work normally.

I really don't understand why, but at least it is working. 🙃

the_rock
Legend
Legend
‎2023-09-11 05:26 PM
In response to Matlu
Jump to solution

Dont touch it bro, let it be 🙂

GOOD JOB! 👍👍

Andy

0 Kudos
the_rock
Legend
Legend
‎2023-09-11 05:28 PM
In response to Matlu
Jump to solution

Btw, just a comment, keep in mind, this is not necessarily CP issue, I had seen this being needed because of Cisco in the past.

Regardless, now you know to try those options if you ever have this problem in the future 😉

Andy

0 Kudos
Matlu
Advisor
‎2023-09-11 05:32 PM
In response to the_rock
Jump to solution

Yes, I think so.

Although I still believe as you do, that the best option, when you have a mix on both sides of the VPN of segments and hosts, the best is to use the "... per Gateway pair", but today, it didn't feel like working well, HAHAHAHA.

It is useful for the notes. 😂🤣

0 Kudos
the_rock
Legend
Legend
‎2023-09-11 05:34 PM
In response to Matlu
Jump to solution

I hear ya bro :). Trust me, even with lots of other vendors, sometimes, the most logical option is NOT the one that works haha

Andy

0 Kudos
the_rock
Legend
Legend
‎2023-09-11 04:14 PM
In response to Matlu
Jump to solution

You can review both actually...vpn debug trunc command "resets" those files anyway.

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2023-09-11 11:26 AM
In response to Matlu
Jump to solution

You are correct that, in releases prior to R80.10, that Check Point gateways will never initiate NAT-T (except SMB gateways that always have).

0 Kudos
Matlu
Advisor
‎2023-09-11 11:51 AM
In response to PhoneBoy
Jump to solution

So, nowadays, in version from R80.20 onwards, the GW Checkpoint, have the ability to "INITIATE" the communication on the NAT-T?

What is the default behavior of a GW with NAT-T enabled?
Is it in listening mode, or can it be the one that initiates this traffic?

0 Kudos
PhoneBoy
Admin
Admin
‎2023-09-11 03:39 PM
In response to Matlu
Jump to solution

Yes, Check Point gateways can initiate NAT-T from R80.10 and above.
The option should be enabled by default.

0 Kudos
the_rock
Legend
Legend
‎2023-09-11 11:52 AM
In response to Matlu
Jump to solution

Did you confirm nat option inside vpn community?

Andy

 

Screenshot_1.png

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top