Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
JoSec
Contributor

VPN Behind Router Using NAT

I have a situation where it would be easier if I can establish a Site to Site VPN from Checkpoint gateways (R80.40) behind an on-premise router doing NAT to two Availability Zones in AWS using a Palo Alto active passive cluster in each AZ functioning as active passive environments using BGP. My questions listed below.

1. Can I establish a site to site VPN behind the Router doing NAT? Is just as easy as changing the Link Selection to Statically Nated IP and using the public IP the router would use for NAT? If this is correct, any other configuration options.

2. If yes to above, any issue with doing this with Palo Alto gateways as the peer?

Thanks

6 Replies
G_W_Albrecht
Legend
Legend

1. Possible to be established using NAT-T (UDP 4500) from CP GW to peer or peer to CP (sk32664).

CCSE CCTE SMB Specialist
JoSec
Contributor

Therefore, following sk32664 would require no configuration change to the Link selection?

0 Kudos
G_W_Albrecht
Legend
Legend

You can try or ask TAC - i would assume no. This only concerns IKE proposals, so not so much difference to usual IKE.

CCSE CCTE SMB Specialist
0 Kudos
the_rock
Champion
Champion

I had done this before and you dont need to do anything with link selection.

Andy

JoSec
Contributor

Thanks for the responses. I'll be setting this up in the next few weeks and will update this thread.

the_rock
Champion
Champion

Definitely let us know the results mate.

Andy

0 Kudos