Worksite MP and NAT/PAT

I am trying to help troubleshoot a client coming through their corporate FW (checkpoint) across a VPN into our datacenter accessing their MP server. I can see packets going back from our FW to their NAT IP, but I do not seem to get any replies.

Does this stuff work through NAT and/or PAT?

Anyone have any suggestions for the checkpoint FW config? On my side, there is a PIX, but there is a rule allowing all TCP and UDP traffic from/to the corporate site.

TIA - Scott

Find more posts tagged with

Comments

dbguy

I do not know what PAT is, but the MP Server does not work through NAT. If the AT in PAT also stands for address translation, it will not work either.

When a client tries to establish a connection, it hits one of the cluster's PM first; this PM sends back an IP for one of the servers in the cluster. In a NAT setting, this IP is useless to the client.

jman

NAT or any kind of address translation will not work. You have to use direct routing mode. Checkpoint firewall should support direct routing and I know customers using this config. and it works.