ANANTADSULE
Contributor

MPLS to IPSEC VPN NATTED TRAFFIC FLOW

Dear All,

Please help with the scenario below.

Vendor1
Vendor1 node IP: 11.246.0.202
Router MPLS WAN IP: 11.139.3.102
MPLS gateway: 11.139.3.101

Vendor1 is connected to the Check Point Quantum Spark 1550 only through the MPLS link.

Quantum Spark 1550
MPLS WAN IP: 11.139.3.218
MPLS gateway: 11.139.3.217
LAN: 10.10.10.0/24
Local encryption domain: 10.10.10.0/24
WAN IP: 1.1.1.1

Remote encryption domain: 172.116.0.0/24
WAN IP: 2.2.2.2

The Check Point Quantum Spark 1550 is connected through IPsec VPN only to Vendor2, which uses a pfSense Community UTM.

Vendor2
Vendor2 node IP: 172.116.0.206
LAN: 172.116.0.0/24
WAN IP: 2.2.2.2

Remote encryption domain: 10.10.10.0/24
WAN IP: 1.1.1.1

Vendor1 needs to connect to the Vendor2 node 172.116.0.206 using the NATted IP 11.4.101.250.

PhoneBoy
Admin

As far as I know, you should be able to create a regular NAT rule to achieve this (under Access Policy > Firewall > NAT).

ANANTADSULE
Contributor

A NAT rule is defined:

Original Source: 11.246.0.202
Original Destination (NATted IP): 11.4.101.250
Service: 9891
Translated Source: Original
Translated Destination: 172.116.0.206
plus the reverse NAT rule.

Vendor 1 is trying to initiate the traffic, but no logs are found on the Check Point, and a traceroute reaches only as far as the Check Point MPLS WAN IP, 11.139.3.218.

PhoneBoy
Admin

Vendor 1 is only connected via an MPLS link (no VPN), correct?
Their IP address(es) will have to be included in the encryption domain on the 1550, otherwise it will not put the traffic through the VPN at all.
The PFsense configuration will likely also need adjusting.

ANANTADSULE
Contributor

Traffic is silently dropped.

Packet capture below:

IP 11.246.0.202.29787 > 11.4.101.250.9851: tcp 0

ANANTADSULE
Contributor

Translation is happening now, but the actual traffic is not passing to Vendor2.

PhoneBoy
Admin

The gateway will only encrypt traffic from a given source if it is listed in the Encryption Domain.
Sounds like you haven't added 11.246.0.202 to the Encryption Domain on the 1550.
This will likely require configuration changes on the other end unless you also NAT the source IP to something within the existing Encryption Domain.

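As an added illustration (not part of the thread, and not Check Point code), the following Python models the decision PhoneBoy describes above: NAT is applied to the packet first, and the translated source and destination are then matched against the local and remote encryption domains. Only a packet whose translated source lies in the local domain and whose translated destination lies in the remote domain is put into the tunnel. It runs the three configurations discussed in the thread against the flow seen in the capture: the destination-only NAT rule from the original post, the same rule with the source also translated to an address inside 10.10.10.0/24 (10.10.10.254 is an assumed, unused address), and the destination-only rule with 11.246.0.202 added to the local encryption domain. The post-NAT ordering and the "not encrypted means not sent through the VPN" outcome are modelling assumptions consistent with the accepted answer, not a description of the gateway's internals.

```python
"""Model of the VPN routing decision discussed in this thread.

Added example (not Check Point code): NAT is applied to the packet first,
then the *translated* source and destination are matched against the
local and remote encryption domains.  Only a packet whose translated
source is inside the local domain and whose translated destination is
inside the remote domain is sent through the tunnel.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Encryption domains exactly as given in the original post.
LOCAL_ENC_DOMAIN = [ip_network("10.10.10.0/24")]
REMOTE_ENC_DOMAIN = [ip_network("172.116.0.0/24")]


@dataclass(frozen=True)
class NatRule:
    """One row of a NAT rulebase. None in a translated field means 'Original'."""
    orig_src: IPv4Network
    orig_dst: IPv4Network
    xlate_src: Optional[IPv4Address] = None
    xlate_dst: Optional[IPv4Address] = None


def apply_nat(src: IPv4Address, dst: IPv4Address, rules):
    """First matching rule wins, as in a NAT rulebase."""
    for r in rules:
        if src in r.orig_src and dst in r.orig_dst:
            new_src = r.xlate_src if r.xlate_src is not None else src
            new_dst = r.xlate_dst if r.xlate_dst is not None else dst
            return new_src, new_dst
    return src, dst


def in_domain(addr: IPv4Address, domain) -> bool:
    return any(addr in net for net in domain)


def vpn_decision(src: str, dst: str, rules,
                 local_domain=LOCAL_ENC_DOMAIN,
                 remote_domain=REMOTE_ENC_DOMAIN):
    """Return (decision, translated_src, translated_dst).

    decision is "encrypt" when the translated packet matches the tunnel,
    otherwise "clear": the gateway does not put it into the VPN at all
    (in the thread, that traffic was silently dropped).
    """
    nat_src, nat_dst = apply_nat(ip_address(src), ip_address(dst), rules)
    encrypt = in_domain(nat_src, local_domain) and in_domain(nat_dst, remote_domain)
    return ("encrypt" if encrypt else "clear", str(nat_src), str(nat_dst))


# The rule as posted: destination NAT only, source stays "Original".
DST_NAT_ONLY = [NatRule(ip_network("11.246.0.202/32"),
                        ip_network("11.4.101.250/32"),
                        xlate_dst=ip_address("172.116.0.206"))]

# Option A from the accepted answer: also translate the source to an
# address inside the existing local domain.  10.10.10.254 is an assumed,
# otherwise unused address; pick a free one on the real LAN.
HIDE_SRC_TOO = [NatRule(ip_network("11.246.0.202/32"),
                        ip_network("11.4.101.250/32"),
                        xlate_src=ip_address("10.10.10.254"),
                        xlate_dst=ip_address("172.116.0.206"))]

# Option B: keep destination-only NAT but add the Vendor1 node to the
# local encryption domain (the pfSense side must mirror this).
EXTENDED_LOCAL_DOMAIN = LOCAL_ENC_DOMAIN + [ip_network("11.246.0.202/32")]


if __name__ == "__main__":
    pkt = ("11.246.0.202", "11.4.101.250")   # the flow from the tcpdump line
    print("as posted:      ", vpn_decision(*pkt, DST_NAT_ONLY))
    print("hide source too:", vpn_decision(*pkt, HIDE_SRC_TOO))
    print("extend domain:  ", vpn_decision(*pkt, DST_NAT_ONLY,
                                           local_domain=EXTENDED_LOCAL_DOMAIN))
```

Option A needs no change on the pfSense side, because the peer only ever sees a source inside 10.10.10.0/24. Option B works only if the pfSense Phase 2 remote network is widened to include 11.246.0.202 as well; with mismatched domains the peer will reject or fail to negotiate the child SA, which is the adjustment PhoneBoy refers to.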
ANANTADSULE
Contributor

It worked👍

Thank you 
