CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Tim Hall has done it again! He has just released the 2nd edition of "Max Power".
Rather than get into details here, I urge you to check out this announcement post.
It's a massive upgrade, and well worth checking out. -E


Results 1 to 1 of 1

Thread: Help me understand how NAT and VPN tunnels work with each other

  1. #1
    Join Date
    Rep Power

    Default Help me understand how NAT and VPN tunnels work with each other

    Here's our setup (IP addresses changed for clarity):

    SecureClient users' Office Mode address pool
    Central Office:
    Second office:

    Remote Access Domain on central office gateway includes and . IPsec tunnel exists between central office and second office and works fine.

    A hide NAT rule exists such that packets from 3.3.3.x to 5.5.5.x via the central office have their source IP address changed to .

    Now, the following DOES work:

    Users at 3.3.3.x can ping host . Sniffing the packets with "fw monitor" etc. shows the expected NAT taking place, and packets showing up where they should.

    But the following DOESN'T work:

    Add a NAT rule before the other one, such that packets from 3.3.3.x to host have their source address hidden behind, while the destination is static-NATted to . Now, tries to ping

    In this case, in fw monitor I see something like:

    (I) -> (post-inbound, destination NAT has already taken place, this is normal)
    (o) -> (pre-outbound, no source NAT yet, normal)
    (O) -> (post-outbound, this is NOT normal)

    I don't understand why I am seeing anything at the post-outbound stage. It should have been encapsulated in the tunnel by that point. That is what happens in the first case, the one that does work - I just see the packet at its post-inbound and pre-outbound stages, as it emerges from the SecureClient tunnel and before it goes into the site-to-site tunnel.

    So how come the gateway is not sending the packets down the site-to-site tunnel in the second case?
    Last edited by hammop1; 2008-04-24 at 11:16.

Similar Threads

  1. Please help me to understand UTM
    By rotherdrummer in forum Check Point UTM-1 Appliances
    Replies: 1
    Last Post: 2009-10-16, 07:56
  2. A little error I don't understand !!!
    By ducnv in forum Authentication
    Replies: 2
    Last Post: 2009-04-06, 10:42
  3. Why So many tunnels?
    By menz456 in forum IPsec VPN Blade (Virtual Private Networks)
    Replies: 0
    Last Post: 2008-06-20, 09:14
  4. 50 simultaneous tunnels?
    By sturgeonda in forum IPsec VPN Blade (Virtual Private Networks)
    Replies: 3
    Last Post: 2007-04-07, 21:25
  5. VPN tunnels
    By humayun in forum IPsec VPN Blade (Virtual Private Networks)
    Replies: 1
    Last Post: 2006-04-29, 14:23


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts