maybe an eays question:
I have a customer with several Check Point 5200 on R80.10 Take 121.
in generall an easy standard setup.
but for remote access of some industrial systems the customer has several other Check Point appliance places behind the the firewalls on the nternal networks.
then we discoverd that initiating an IPsec Tunnel (NAT-T) from inside to the external peer was not succesfull.
we did a NAT using the Main IP of the firewall object. ...
could this be a problem?
is it better to have ONE different NAT IP for all internal VPN appliances
should i use ONE dedicated IP for each VPN appliance?
i did the made a dediacated Hide NAT Rule for every single VPN appliance ... now iam waiting for results from the customer ...
in tcpdup i saw:
09:11:48.069849 IP 10.2.125.14.4500 > X:X:X.57.4500: isakmp-nat-keep-alive
09:11:48.070074 IP 10.2.125.14.4500 > X:X:X.57.4500: isakmp-nat-keep-alive
09:11:52.075466 IP 10.2.125.14.4500 > X:X:X.57.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
09:11:52.866336 IP 10.2.125.14.123 > X.X.X.76.123: NTPv3, Client, length 48
09:11:56.956663 IP 10.2.125.14.4500 > X:X:X.57.4500: UDP-encap: ESP(spi=0xcf615dfa,seq=0xac), length 148
09:12:08.086248 IP 10.2.125.14.4500 > X:X:X.57.4500: isakmp-nat-keep-alive
09:12:08.086481 IP 10.2.125.14.4500 > X:X:X.57.4500: isakmp-nat-keep-alive
in SmartLog i see a log IKE packets, sometimes some IKE_NAT_TRAVERAL.
so what would u suggest:
NAT with ONE outoging public IP for all appliances
ONE public NAT IP for each VPN appliance ...
so still the customer didnt told me if it works ... we will see.