topic Re: STATIC NAT in Azure Checkpoint in Cloud Firewall

STATIC NAT in Azure Checkpoint

upendras — Wed, 19 Feb 2020 12:56:07 GMT

How to configure Static NAT (Bi-directional) and Outbound NAT (Source NAT) in Azure Checkpoint.

I have 3 VMs and want to send outbound traffic towards internet each with unique public IP. how can we configure such type of NAT in Azure checkpoint point.

Thanks

Upen

Re: STATIC NAT in Azure Checkpoint

Matthias_Haas — Wed, 15 Apr 2020 04:45:39 GMT

Hi Upen,

are you using a Single Gateway ?

In this case you could use additional public/private IPs on the external Interface (eth0) of the FW:

and do the Source NAT for each vm on the FW (to the Private IP, Azure in return is then NATing to the Public IP)

At least a outbound NAT is possible in this case.

Matthias

Re: STATIC NAT in Azure Checkpoint

upendras — Thu, 20 Feb 2020 07:10:11 GMT

I have cluster in Azure.. and want to outbound NAT like VM private IP 10.1.1.1 go to Internet, it will be NATTed with 1.1.1.1

please help me suggest how can I achieve this...

Thanks

Upen

Re: STATIC NAT in Azure Checkpoint

bmomartins — Wed, 13 May 2020 16:54:42 GMT

Hello @Matthias_Haas,

That will not work for an HA cluster, since that from Azure side you'll not be able to assign the same Public IP object to two different network interfaces.

How can we bypass this?

Cheers!

Re: STATIC NAT in Azure Checkpoint

Nick_Mandafouni — Fri, 13 Aug 2021 11:39:41 GMT

Is there any resolution to this? How do we fix this on an HA Cluster ?

Thanks

Re: STATIC NAT in Azure Checkpoint

yunier88 — Fri, 27 Aug 2021 19:15:35 GMT

Hello there,
In my case I need to know how to add a new public IP in my FW to be used by my prod Vnet in outbond. Currently all my VNETS (backend) when they go to the internet use the same public IP. But in my environment I need the Prod VNET to use a different public IP than the rest of the other Vnets. Somebody could help me? Thanks

Re: STATIC NAT in Azure Checkpoint

Nir_Shamir — Sun, 29 Aug 2021 07:01:42 GMT

Hi,

I know that if you remove the Public IPs from the instances themselves (not the VIP) then the GWs will go out via the Frontend LB and then you can create an Outbound NAT rules on the Frontend LB with a different PIP which is allocated on the Frontend LB

Re: STATIC NAT in Azure Checkpoint

yunier88 — Wed, 01 Sep 2021 17:34:04 GMT

Hello there,

Do you have an example of the necessary rules to create in the Firewall and in the Load Balancer?

Thanks

Re: STATIC NAT in Azure Checkpoint

Nir_Shamir — Thu, 02 Sep 2021 12:03:48 GMT

usually the frontend-lb is created with an example rule you can copy. the Firewall NAT rules can be seen our admin guide:

https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_IaaS_HighAvailability_for_Azure/Content/Topics-Azure-HA/Workflow-for-Setting-Up-a-High-Availability-Cluster-in-Azure.htm?tocpath=Workflow%20for%20Setting%20Up%20a%20High%20Availability%20Cluster%20in%20Azure%7C_____0#Step_7__Set_Up_the_External_Load_Balancer_in_Azure

Re: STATIC NAT in Azure Checkpoint

yunier88 — Thu, 02 Sep 2021 15:47:42 GMT

Just to be sure, this information that you share with me is for outbond traffic. Since in my case I already managed to carry out inbound traffic with an LB. Thanks

Re: STATIC NAT in Azure Checkpoint

Nir_Shamir — Sun, 05 Sep 2021 07:58:01 GMT

no, that's for Inbound traffic.

For outbound you need to create outbound NAT rules on the Fronend-LB.

Re: STATIC NAT in Azure Checkpoint

yunier88 — Wed, 08 Sep 2021 15:31:56 GMT

Hello there,

Do you know where I can find some configuration example?

Thanks

Re: STATIC NAT in Azure Checkpoint

Nir_Shamir — Thu, 09 Sep 2021 08:09:35 GMT

I don't know if there are examples some where but the procedure is like this:

1) remove the PIPs from the Cluster members.

2) add a NAT rule which hides you specific traffic behind the cluster members external IP (Dynamic object named 'LocalGatewayExternal'

3) create an Outbound rule on the Frontend-LB behind a specific Frontend PIP for your specific traffic.

all the traffic that equals to that rule will be hidden behind the Frontend-LB PIP and not the Cluster VIP.

Re: STATIC NAT in Azure Checkpoint

yunier88 — Thu, 09 Sep 2021 14:15:18 GMT

Hello there,

In my case it is a single gateway. The procediment will be the same?

On the other hand when you say: 1) remove the PIPs from the Cluster members.
In my case I cannot delete my only public IP from the Gateway, it is used for S2S and P2S VPN connection. Please can you explain in more detail?

Thanks

Re: STATIC NAT in Azure Checkpoint

yunier88 — Thu, 09 Sep 2021 15:17:55 GMT

Hello there,

In this solution you provide. Is it necessary to change something in the routing of the FW? So that the main public IP (created by default) remains the IP for S2S and P2S VPN and Hide nat?

Thx

Re: STATIC NAT in Azure Checkpoint

Nir_Shamir — Sun, 12 Sep 2021 06:56:00 GMT

On a single gateway it's much more easier.

you can add a secondary private IP on the external interface of the Gateway (usually eth0) and attach to it a new PIP.

then in the rule base you do Source-NAT on your specific server and hide it behind the new Private IP you added.

From there it will be hidden behind the new PIP.

Re: STATIC NAT in Azure Checkpoint

PhoneBoy — Mon, 13 Sep 2021 02:19:28 GMT

For VPN to work in this situation, you'll probably have to adjust the Link Selection setting in the relevant gateway object to use the public IP.

Re: STATIC NAT in Azure Checkpoint

yunier88 — Tue, 14 Sep 2021 19:40:51 GMT

Thanks, I'll try that solution

Re: STATIC NAT in Azure Checkpoint

yunier88 — Tue, 14 Sep 2021 19:41:49 GMT

Hi,

Here I share a screenshot of my configuration in Link selection settings. Do you think the configuration is correct for the main public IP (created by default) remains the IP for S2S and P2S VPN and Hide nat? The ip you see in the screenshot 52xxxxxx is my main public IP.
Do you think that with this configuration there is no problem when I create other public IPs in the eth0 interface of my FW?

Thank you

Re: STATIC NAT in Azure Checkpoint

PhoneBoy — Tue, 14 Sep 2021 20:50:33 GMT

Yes this is how you’d configure it.