Checkpoint NG AI VPN gateway behind NAT

My VPN gateway is behind NAT and I cannot make a SmartClient VPN connection. Is there any cookbook on how to configure Checkpoint for this?

thanks

Reply to
no

You will need to forward all ports on the machine doing NAT to the gateway related to SecureClient/SecureRemote.

From their KB:

If there are other firewalls along the path connecting the SecuRemote Client (that performs the encryption) and the VPN-1/FireWall-1 Server (the VPN-1/FireWall-1 Module that performs the decryption), configure the other firewalls to allow FW-1 services to pass from the SecuRemote Client to the SecuRemote Server.

Allow the following services:

- TCP/264 (Topology Download)
- IKE IPSEC and IKE (UDP on port 500)
- IPSEC ESP (IP type 50)
- IPSEC AH (IP type 51)
- TCP/500 (if using IKE over TCP)
- UDP 2746 or another port (if using UDP encapsulation)

SecureClient specific connections:

- FW1_scv_keep_alive (UDP port 18233) - used for SCV keep-alive packets
- FW1_pslogon_NG (TCP port 18231) or (TCP port 65524 for Application Intelligence) - used for SecureClient's logon to Policy Server protocol
- FW1_sds_logon (TCP port 18232) - used for SecureClient's Software Distribution Server download protocol
- tunnel_test (UDP port 18234) - used by Check Point tunnel testing application

Reply to
Memnoch
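
An added example, not part of the original thread or the Check Point KB: a Python check that reads the NAT device's rules and lists which of the services from the KB excerpt above are not forwarded to the gateway. It assumes the NAT machine is a Linux host whose rules are available in `iptables-save` format; the function names, addresses and sample rules are constructed for illustration.

```python
import re

# (name, protocol, acceptable ports) from the KB list; ESP/AH are IP protocols 50/51, no port.
REQUIRED = [
    ("Topology Download", "tcp", (264,)),
    ("IKE", "udp", (500,)),
    ("IPSEC ESP", "esp", (None,)),
    ("IPSEC AH", "ah", (None,)),
    ("IKE over TCP (if used)", "tcp", (500,)),
    ("UDP encapsulation (if used)", "udp", (2746,)),
    ("FW1_scv_keep_alive", "udp", (18233,)),
    ("FW1_pslogon_NG", "tcp", (18231, 65524)),  # 65524 for Application Intelligence
    ("FW1_sds_logon", "tcp", (18232,)),
    ("tunnel_test", "udp", (18234,)),
]
PROTO_NAMES = {"50": "esp", "51": "ah"}  # -p may be given as a number or a name

def forwarded(rules_text, gateway_ip):
    """Return (protocol, port) pairs DNATed to gateway_ip; port None means every port."""
    found = set()
    for line in rules_text.splitlines():
        dest = re.search(r"-j DNAT --to-destination ([\d.]+)", line)
        if not dest or dest.group(1) != gateway_ip:
            continue  # not a DNAT rule, or it points at another host
        proto = re.search(r"(?:^|\s)-p (\S+)", line)
        raw = proto.group(1).lower() if proto else "all"  # no -p: all protocols
        name = PROTO_NAMES.get(raw, raw)
        port = re.search(r"--dport (\d+)(?::(\d+))?", line)
        if port:  # single port or lo:hi range
            lo, hi = int(port.group(1)), int(port.group(2) or port.group(1))
            found.update((name, p) for p in range(lo, hi + 1))
        else:
            found.add((name, None))
    return found

def missing_services(rules_text, gateway_ip):
    """List the KB services that no DNAT rule delivers to the gateway."""
    have = forwarded(rules_text, gateway_ip)
    def covered(proto, ports):
        return bool({("all", None), (proto, None), *((proto, p) for p in ports)} & have)
    return [name for name, proto, ports in REQUIRED if not covered(proto, ports)]

# Constructed sample rules: the last one forwards to the wrong internal host.
SAMPLE_RULES = """\
-A PREROUTING -i eth0 -p tcp -m tcp --dport 264 -j DNAT --to-destination 192.168.1.10
-A PREROUTING -i eth0 -p udp -m udp --dport 500 -j DNAT --to-destination 192.168.1.10
-A PREROUTING -i eth0 -p 50 -j DNAT --to-destination 192.168.1.10
-A PREROUTING -i eth0 -p tcp -m tcp --dport 18231 -j DNAT --to-destination 192.168.1.20
"""
print(missing_services(SAMPLE_RULES, "192.168.1.10"))
```

Entries marked "(if used)" are conditional in the KB list, so a report of them as missing only matters when IKE over TCP or UDP encapsulation is enabled.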

And how to solve the source address that Checkpoint uses for packets? It uses a private IP address.

Reply to
Drx
