
Best practice, NAT-T Device behind Check Point Appliance

Question asked by Thomas Eichelburg on Dec 19, 2018
Latest reply on Dec 19, 2018 by Dameon Welch-Abernathy

Hello Checkmates,

maybe an easy question:

I have a customer with several Check Point 5200 on R80.10 Take 121.
In general an easy standard setup.

But for remote access of some industrial systems the customer has several other Check Point appliances placed behind the firewalls on the internal networks.


Then we discovered that initiating an IPsec tunnel (NAT-T) from inside to the external peer was not successful.
We did a NAT using the Main IP of the firewall object. ...
Could this be a problem?
Is it better to have ONE different NAT IP for all internal VPN appliances?

Should I use ONE dedicated IP for each VPN appliance?

I made a dedicated Hide NAT rule for every single VPN appliance ... now I am waiting for results from the customer ...


In tcpdump I saw:



09:11:48.069849 IP > X:X:X.57.4500: isakmp-nat-keep-alive
09:11:48.070074 IP > X:X:X.57.4500: isakmp-nat-keep-alive
09:11:52.075466 IP > X:X:X.57.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
09:11:52.866336 IP > X.X.X.76.123: NTPv3, Client, length 48
09:11:56.956663 IP > X:X:X.57.4500: UDP-encap: ESP(spi=0xcf615dfa,seq=0xac), length 148
09:12:08.086248 IP > X:X:X.57.4500: isakmp-nat-keep-alive
09:12:08.086481 IP > X:X:X.57.4500: isakmp-nat-keep-alive


In SmartLog I see a log of IKE packets, sometimes some IKE_NAT_TRAVERSAL.

So what would you suggest:
NAT with ONE outgoing public IP for all appliances
ONE public NAT IP for each VPN appliance ...

So the customer still hasn't told me if it works ... we will see.


Best regards
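The tcpdump lines in the post show the three things NAT-T puts on UDP/4500 (keepalives, IKE behind the NON-ESP marker, and UDP-encapsulated ESP) but with the source addresses stripped, so it is hard to tell from them which internal appliance each packet belongs to after Hide NAT, or whether anything ever came back from the peer. The script below is an added example, not code from the original post or from Check Point: it parses tcpdump text in that format, groups packets into flows keyed by the translated source port on the hide address and the remote peer, and reports flows that carry only keepalives or only outbound ESP, plus peers that several flows reach through the same NAT IP. The sample lines, the hide address 203.0.113.10, the peer 198.51.100.57 and the second translated port 10001 are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample tcpdump output (not from the original post): two internal
# VPN appliances hidden behind one NAT IP (203.0.113.10) talking to the same
# external peer (198.51.100.57). Addresses are RFC 5737 documentation ranges.
SAMPLE = """\
09:11:48.069849 IP 203.0.113.10.4500 > 198.51.100.57.4500: isakmp-nat-keep-alive
09:11:48.070074 IP 203.0.113.10.10001 > 198.51.100.57.4500: isakmp-nat-keep-alive
09:11:52.075466 IP 203.0.113.10.4500 > 198.51.100.57.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
09:11:52.866336 IP 203.0.113.10.123 > 192.0.2.76.123: NTPv3, Client, length 48
09:11:56.956663 IP 203.0.113.10.4500 > 198.51.100.57.4500: UDP-encap: ESP(spi=0xcf615dfa,seq=0xac), length 148
09:12:00.100000 IP 198.51.100.57.4500 > 203.0.113.10.4500: UDP-encap: ESP(spi=0x1a2b3c4d,seq=0x5), length 132
09:12:08.086248 IP 203.0.113.10.4500 > 198.51.100.57.4500: isakmp-nat-keep-alive
09:12:08.086481 IP 203.0.113.10.10001 > 198.51.100.57.4500: isakmp-nat-keep-alive
"""

# "HH:MM:SS.usec IP a.b.c.d.port > e.f.g.h.port: payload" as tcpdump prints IPv4/UDP
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<payload>.*)$"
)
ESP_RE = re.compile(r"ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\)")


def parse_line(line):
    """Parse one tcpdump line into a dict, classifying the NAT-T payload.
    Returns None for lines that are not IPv4/UDP packets in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "src", "dst", "payload")}
    rec["sport"] = int(m.group("sport"))
    rec["dport"] = int(m.group("dport"))
    p = rec["payload"]
    if p.startswith("isakmp-nat-keep-alive"):
        rec["kind"] = "keepalive"          # 1-byte 0xFF NAT keepalive on UDP/4500
    elif p.startswith("NONESP-encap: isakmp"):
        rec["kind"] = "ike"                # IKE behind the 4-byte zero NON-ESP marker
    elif p.startswith("UDP-encap: ESP"):
        rec["kind"] = "esp"                # ESP encapsulated in UDP/4500
        e = ESP_RE.search(p)
        if e:
            rec["spi"] = int(e.group("spi"), 16)
            rec["seq"] = int(e.group("seq"), 16)
    else:
        rec["kind"] = "other"              # NTP, etc.: not part of the tunnel
    return rec


def summarize(text, nat_ip):
    """Group packets into NAT-T flows keyed by (translated local port, peer ip,
    peer port) relative to nat_ip, counting what each flow carried per direction."""
    flows = defaultdict(lambda: {
        "keepalive_out": 0, "keepalive_in": 0,
        "ike_out": 0, "ike_in": 0,
        "esp_out_spis": set(), "esp_in_spis": set(),
    })
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["kind"] == "other":
            continue
        if rec["src"] == nat_ip:
            key, direction = (rec["sport"], rec["dst"], rec["dport"]), "out"
        elif rec["dst"] == nat_ip:
            key, direction = (rec["dport"], rec["src"], rec["sport"]), "in"
        else:
            continue                        # neither side is the hide address
        f = flows[key]
        if rec["kind"] == "esp":
            f[f"esp_{direction}_spis"].add(rec.get("spi"))
        else:
            f[f"{rec['kind']}_{direction}"] += 1
    return dict(flows)


def findings(flows):
    """Return (key, message) pairs for flows and peers worth a second look."""
    out = []
    per_peer = defaultdict(list)
    for key, f in flows.items():
        local_port, peer_ip, peer_port = key
        per_peer[(peer_ip, peer_port)].append(local_port)
        if f["esp_out_spis"] and not f["esp_in_spis"]:
            out.append((key, "outbound ESP only: nothing came back from the peer on this flow"))
        elif not f["esp_out_spis"] and not f["esp_in_spis"]:
            out.append((key, "keepalives/IKE only: no ESP in either direction"))
    for peer, ports in per_peer.items():
        if len(ports) > 1:
            out.append((peer, f"{len(ports)} flows share the NAT IP to this peer, "
                              f"distinguished only by source port {sorted(ports)}"))
    return out


if __name__ == "__main__":
    flows = summarize(SAMPLE, "203.0.113.10")
    for key, f in sorted(flows.items()):
        print(key, {k: (sorted(v) if isinstance(v, set) else v) for k, v in f.items()})
    for key, msg in findings(flows):
        print("CHECK", key, msg)
```

Run it against a capture taken on the external interface of the gateway (`tcpdump -ni eth0 udp port 4500` or similar, with the hide address passed as `nat_ip`) rather than on the internal side, so that the translated source ports are visible; a flow that shows keepalives and outbound ESP but no inbound ESP points at the return path through the NAT, while a peer reached by several flows from one hide address is exactly the situation the post asks about.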