JoSec
Collaborator

VPN Behind Router Using NAT

I have a situation where it would be easier if I can establish a Site to Site VPN from Checkpoint gateways (R80.40) behind an on-premise router doing NAT to two Availability Zones in AWS using a Palo Alto active-passive cluster in each AZ functioning as active-passive environments using BGP. My questions are listed below.

1. Can I establish a site to site VPN behind the router doing NAT? Is it just as easy as changing the Link Selection to Statically NATed IP and using the public IP the router would use for NAT? If this is correct, are there any other configuration options?

2. If yes to above, any issue with doing this with Palo Alto gateways as the peer?

Thanks

6 Replies
G_W_Albrecht
Legend

1. Possible to be established using NAT-T (UDP 4500) from CP GW to peer or peer to CP (sk32664).

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
JoSec
Collaborator

Therefore, following sk32664 would require no configuration change to the Link selection?

0 Kudos
G_W_Albrecht
Legend

You can try or ask TAC - I would assume no. This only concerns IKE proposals, so not so much difference to usual IKE.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
Legend

I had done this before and you don't need to do anything with link selection.

Andy

JoSec
Collaborator

Thanks for the responses. I'll be setting this up in the next few weeks and will update this thread.

the_rock
Legend

Definitely let us know the results mate.

Andy

0 Kudos
