Showing results for 
Search instead for 
Did you mean: 

NAT-T support on the Checkpoint Firewall


What is NAT-T?

Any incoming packets (which come directly from unsolicited sources) would be blocked by such a NAT appliance, as the internal PC’s and IP phone extensions are non-routable from the public network. But most of the incoming calls in IP Telephony (SIP, MGCP) and Video Conferencing applications (H.323) come directly from external sources. Also complicating the whole thing is the behaviour of some firewalls: Some firewalls block traffic based on the direction of their flow. They do not allow packets from outside the network to come inside, without any of the internal systems requesting for the same. But the very idea of IP telephony is to allow anyone from outside to call anyone inside the network. So, in such cases NAT/Firewall traversal is required selectively.


NAT-T (Network Address Translation [NAT] Traversal) does not work with Checkpoint firewalls. NAT-T is not Cisco proprietary (RFC 3947)

IPSec NAT Transparency delivers these benefits:

  • Simplified deployment eliminates the need to know that NAT and Port Address Translation (PAT) devices exist between the two IPSec endpoints.  
  • IPSec NAT-T enables a complete IPSec VPN solution. NAT and PAT devices are now effectively transparent. All IPSec VPN features are available to the customer during the design and deployment of an IPSec VPN solution.      

For information on how to use NAT-T on the Cisco VPN 3000 Concentrator, refer to the IPSec NAT-T section of Tunneling Protocols\r\n.

For documentiation on how to configure NAT-T on the PIX Firewall, refer to the Using NAT Traversal section of Configuring IPSec and Certification Authorities.

For documentation about NAT-T on Cisco IOS  routers, refer to IPSec NAT Transparency.

Content for Community-Ad