Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
11130
Views
0
Helpful
0
Comments

NAT-T support on the Checkpoint Firewall

TCC_2
Level 10
Level 10

‎06-22-2009 05:10 PM - edited ‎03-08-2019 06:23 PM

What is NAT-T?

Any incoming packets (which come directly from unsolicited sources) would be blocked by such a NAT appliance, as the internal PC’s and IP phone extensions are non-routable from the public network. But most of the incoming calls in IP Telephony (SIP, MGCP) and Video Conferencing applications (H.323) come directly from external sources. Also complicating the whole thing is the behaviour of some firewalls: Some firewalls block traffic based on the direction of their flow. They do not allow packets from outside the network to come inside, without any of the internal systems requesting for the same. But the very idea of IP telephony is to allow anyone from outside to call anyone inside the network. So, in such cases NAT/Firewall traversal is required selectively.


Resolution

NAT-T (Network Address Translation [NAT] Traversal) does not work with Checkpoint firewalls. NAT-T is not Cisco proprietary (RFC 3947)

IPSec NAT Transparency delivers these benefits:

  • Simplified deployment eliminates the need to know that NAT and Port Address Translation (PAT) devices exist between the two IPSec endpoints.  
  • IPSec NAT-T enables a complete IPSec VPN solution. NAT and PAT devices are now effectively transparent. All IPSec VPN features are available to the customer during the design and deployment of an IPSec VPN solution.      

For information on how to use NAT-T on the Cisco VPN 3000 Concentrator, refer to the IPSec NAT-T section of Tunneling Protocols\r\n.

For documentiation on how to configure NAT-T on the PIX Firewall, refer to the Using NAT Traversal section of Configuring IPSec and Certification Authorities.

For documentation about NAT-T on Cisco IOS  routers, refer to IPSec NAT Transparency.

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents