This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
adamec
Contributor
‎2023-11-14 07:46 AM

VPN node behind NAT

Hi guys,

I have a question about VPN ending behind NAT. We would like to use Route-based VPN. We have two remote sites each with its own management. On one site we have a CP appliance directly with its own public IP.

On the other side first there is edge router with its public IP lets say 1.2.3.4, this router is doing static NAT, behind this router there is a CP firewall which have IP statically NATed to lets say 10.10.10.10.

With route based VPN we created VTIs each with it's own IP attached to physical interface as stated in the documentation.

Route Based VPN (checkpoint.com)

"

You configure a local and remote IP address for each numbered VPN Tunnel Interface (VTI).

For each Security Gateway, you configure a local IP address, a remote address, and the local IP address source for outbound connections to the tunnel.

The remote IP address must be the local IP address on the remote peer Security Gateway.

More than one VTI can use the same IP Address, but they cannot use an existing physical interface IP address.

"

Now as the router is doing NAT to 10.10.10.10, how should I configure VPN on first site so it knows there is a NAT on remote  site and to send traffic via VPN tunnel to public IP 1.2.3.4 and then 2.2.3.4 if both interfaces are on same physical interface?

 

thanks

Preview file
21 KB
0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2023-11-14 04:32 PM

If the gateway is subject to NAT and initiating a VPN connection, Link Selection needs to be set to the correct IP.
See: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SitetoSiteVPN_AdminGuide/Top... 

0 Kudos
adamec
Contributor
‎2023-11-15 12:31 AM
In response to PhoneBoy

Okay so In my case, based on the topology picture I attached to the post.

I should configure link selection on the GW that is not behind NAT, and I should put IP address of the NATed VTI to the field "statically NATed IP" or IP of physical interface or should I configure it on the device that is behind NAT?

thanks

image.png

0 Kudos
PhoneBoy
Admin
Admin
‎2023-11-15 06:51 AM
In response to adamec

This needs to be configured on the device behind NAT.

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2023-11-15 07:33 AM
In response to PhoneBoy

Specifically, on the object for the device which is behind NAT. This configuration on the object tells the Check Point firewall which IP to use when trying to connect to that peer.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events