New Member

Ipsec Tunnel through Checkpoint FW-1


We are trying to establish an IPsec tunnel between a VPN 3000 and its client, which is behind a Checkpoint. The Checkpoint is doing port address translation. IPsec through NAT is configured on the concentrator (UDP port 10000). Though we configured the firewall to permit any-to-any traffic, we could not establish the connection. Does anyone have experience tunneling IPsec traffic through FW-1?

(I personally have configured and seen 2 clients (behind a Cisco router doing PAT) that have established IPsec tunnels at the same time with the concentrator, so I don't think that the point is PAT on the Checkpoint.)

I would appreciate any help, thanks.

New Member

Re: Ipsec Tunnel through Checkpoint FW-1

IPSec doesn’t work with PAT or NAT overload (Cisco, Checkpoint or any other product). You must have one-to-one translations.

New Member

Re: Ipsec Tunnel through Checkpoint FW-1

Actually it worked! We could establish IPsec tunnels with more than 1 client behind the Checkpoint. I don't know what your reference point is in saying that it does not work, but actually what NAT transparency does is this: it uses UDP to transport ESP packets (protocol 50) so that the box which does NAT or PAT makes a translation and the box at the other end of the tunnel (concentrator 3005 in our case) can take the packets sent to its UDP port. If NAT Transparency was not used, it would drop the packet which was targeted to one of its ports which it normally filters.

The reason for its not working at the beginning was a misunderstanding, because I was not the one configuring the Checkpoint.
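
Added example, not part of the thread and not Check Point or Cisco code: a simplified PAT table showing why two inside clients sending raw ESP (protocol 50) to one concentrator collide, while the same traffic wrapped in UDP gets a distinct public port per client. The addresses, the client source port and the port-allocation scheme are constructed assumptions; only UDP port 10000 comes from the thread.

```python
ESP, UDP = 50, 17
NAT_T_PORT = 10000  # UDP port the thread says is configured on the concentrator

class Pat:
    """Toy port address translator (an assumed model, not any vendor's logic)."""
    def __init__(self, public_ip):
        self.public_ip, self.next_port = public_ip, 40000
        self.fwd, self.rev = {}, {}   # UDP: (in_ip, in_port) <-> public port
        self.by_peer = {}             # ESP: remote peer -> the one inside host

    def outbound(self, pkt):
        if pkt["proto"] == UDP:
            inside = (pkt["src"], pkt["sport"])
            if inside not in self.fwd:            # allocate a fresh public port
                self.fwd[inside] = self.next_port
                self.rev[self.next_port] = inside
                self.next_port += 1
            return dict(pkt, src=self.public_ip, sport=self.fwd[inside])
        # ESP carries no ports, so only the peer address can identify the flow.
        owner = self.by_peer.setdefault(pkt["dst"], pkt["src"])
        return dict(pkt, src=self.public_ip) if owner == pkt["src"] else None

    def inbound(self, pkt):
        if pkt["proto"] == UDP:
            inside = self.rev.get(pkt["dport"])
            return dict(pkt, dst=inside[0], dport=inside[1]) if inside else None
        owner = self.by_peer.get(pkt["src"])
        return dict(pkt, dst=owner) if owner else None

def run(encapsulate):
    """Return the inside clients that get a reply back through the PAT device."""
    pat, conc, delivered = Pat("203.0.113.1"), "198.51.100.10", []
    for client in ("10.0.0.11", "10.0.0.12"):      # constructed inside hosts
        pkt = {"proto": UDP if encapsulate else ESP, "src": client, "dst": conc}
        if encapsulate:                            # same source port on purpose
            pkt.update(sport=NAT_T_PORT, dport=NAT_T_PORT)
        sent = pat.outbound(pkt)
        if sent is None:
            continue                               # no usable mapping: dropped
        reply = {"proto": sent["proto"], "src": conc, "dst": sent["src"]}
        if encapsulate:
            reply.update(sport=NAT_T_PORT, dport=sent["sport"])
        back = pat.inbound(reply)
        if back:
            delivered.append(back["dst"])
    return delivered

if __name__ == "__main__":
    print("raw ESP:", run(False))
    print("ESP in UDP:", run(True))
```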
