This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
asaivephac
Explorer
‎2025-01-17 05:51 AM

NAT on gateway itself for IKE traffic

Hi,

We have a new service provider that we're connected to and their GW is 172.16.0.1/29, on their end they forward all the public network traffic (/28) to the Checkpoint VIP(172.16.0.2/29) and we perform all NAT on our end.

We have hide behind NAT configured on our network objects and that's all working great but the IKE traffic is generated by the gateway itself so it's not getting NAT translation so the provider sees the VIP address and can't route it.

Is there a way to NAT the Gateway itself so IKE appears as a NAT address instead of the 172.16.0.2/29 private interface VIP?

Any thoughts how this can be accomplished?

 

 

Labels
0 Kudos
2 Replies
AlekzNet
Contributor
‎2025-01-17 06:33 AM

Which device has a public IP-address?

NAT-T should take care of IKE with NAT.

0 Kudos
asaivephac
Explorer
‎2025-01-17 06:46 AM
In response to AlekzNet

The provider FW has public IP-address and has a rule to forward everything to our VIP and we manage our own NAT translation.

If I were to put a manual NAT-t entry for (CP VIP) 172.16.10.2 > NAT, would the ipsec tunnel use the nat address? I'm not sure if Nat-T is before or after VPN.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top