This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
PIAndre
Explorer
‎2019-04-10 01:04 PM
Jump to solution

Nat rule over tunnel/community

Hi.  Im trying to redirect traffic going out a gateway.  I want to change the traffic flow from:

host_a (port 443) -> checkpoint_gateway -> internet -> public ip on host_b

to:

host_a (port 443) -> checkpoint_gateway -> nat from public ip on host_b to private ip on host_b -> s2s ipsec tunnel -> private ip on host_b

The tunnel works fine for normal traffic flow over the tunnel and all the security domains are defined properly.  There are rules in the policy that the traffic should hit to go over the tunnel.  When I try to create a nat rule to change the public ip to the private ip of host_b the traffic is allowed and I see the translation but It doesnt get encrypted.  Its also skipping my tunnel rule and hitting my default outbound rule at the bottom.  What am I missing in my nat rule to get this traffic flow working?

 

 

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2019-04-11 02:25 PM
In response to PIAndre
Jump to solution

There's an option to disable NAT in the VPN Community--see if that's set.

Screen Shot 2019-04-11 at 2.24.44 PM.png

View solution in original post

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2019-04-10 02:00 PM
Jump to solution

Is the Public IP included in your encryption domain for the remote site?
0 Kudos
PIAndre
Explorer
‎2019-04-11 11:31 AM
In response to PhoneBoy
Jump to solution

I just tested with one host behind the gateway.  So the nat rule looks like this:

 

original source - test_host

original destination - public ip on host_b

original services - any

translated source - original

translated destination - private ip on host_b

translated services - original

install on - checkpoint_gateway

 

I see the traffic getting encrypted but the nat isnt getting applied.  Anything else im missing?

0 Kudos
PhoneBoy
Admin
Admin
‎2019-04-11 02:25 PM
In response to PIAndre
Jump to solution

There's an option to disable NAT in the VPN Community--see if that's set.

Screen Shot 2019-04-11 at 2.24.44 PM.png

0 Kudos
PIAndre
Explorer
‎2019-04-11 03:37 PM
In response to PhoneBoy
Jump to solution

That did it. Had that box checked and unchecked it. Thanks.
0 Kudos
Anjan
Explorer
‎2025-07-10 01:16 AM
In response to PIAndre
Jump to solution

has the issue resolved after doing this changes?

0 Kudos
_Val_
Admin
Admin
‎2025-07-10 04:58 AM
In response to Anjan
Jump to solution

Yes, as it clearly indicated by the Solution marked on the recommendation.

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-04-10 02:52 PM
Jump to solution

You need to make sure that the Public ip host_b and translated IP for Host_b is part of the remote VPN domain.
NAT finds place as one of the last parts in the outbound chain and this traffic should already be seen as traffic to send to the other side of the tunnel before that NAT takes place.
Regards, Maarten
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events