topic Manual Static Nat in Firewall and Security Management

Manual Static Nat

Saurabh_Bajpai — Thu, 08 Oct 2020 06:04:19 GMT

Dear Mates ... I configured below manual static NAT in my checkpoint firewall.

1.1.1.1(Public IP)---->Manual Nat----> 192.168.10.1(Port 80)(Private IP)

From Public IP 1.1.1.10, Able to access 1.1.1.1 on port 80
but from 192.168.10.100 (Local Lan) not able to access natted 1.1.1.1(Public IP) on port 80

Please help to get access 1.1.1.1 port 80 from local lan ip's

Re: Manual Static Nat

G_W_Albrecht — Thu, 08 Oct 2020 08:16:28 GMT

Usually, you create a server object with IP 192.168.10.1. Inside, you define NAT in the NAT tab using 1.1.1.1. This should create all needed rules and work as you expect.

Re: Manual Static Nat

PhoneBoy — Thu, 08 Oct 2020 17:07:40 GMT

You’ll need to do a variation of: https://community.checkpoint.com/t5/Next-Generation-Firewall/Traffic-flow-in-between-C-to-S-via-Firewall-How/m-p/8465
Specifically, you’ll have to ensure the traffic from the LAN to this address is hidden behind the firewall IP so the return traffic will work.

Re: Manual Static Nat

Saurabh_Bajpai — Sat, 10 Oct 2020 09:53:18 GMT

Thanks for your response. Solution helped me to get access 1.1.1.1 from 10.x segment.

Requesting your help to rectify some NAT issue.

NAT RULE created to achieve below mentioned use case.

192.168.10.210 --> Inbound from any - 1.95 (Static NAT)

192.168.10.210 --> Outbound to any - 1.98 (Manual NAT)

192.168.10.210 ---> Outbound to 122.100.132.X - 1.90 ( Manual NAT)

192.168.10.210 ---> inbound from 10.10.10.x - 10.10 (Manual NAT)

192.168.10.210 ---> outbound to 10.10.10.x - 10.10 (Manual NAT)

-----------------------------------------------------------------------

192.168.10.46 --> Inbound from any - 1.100 (Static NAT)

192.168.10.46 --> Outbound to any - 1.98 (Manual NAT)

192.168.10.46 ---> Outbound to 122.100.132.X - 1.90 ( Manual NAT)

192.168.10.46 ---> inbound from 10.10.10.x - 10.11 (Manual NAT)

192.168.10.46 ---> outbound to 10.10.10.x - 10.11 (Manual NAT)

----------------------------------------------------------------------------

192.168.10.0/24 --> Outbound to any - 1.98 (Hide NAT)

After configuring NAT to achieve above mentioned cases. Facing an issue for outbound traffic towards internet.

I have checked to ping 8.8.8.8 from 10.46,10.210,10.25 & found 10.46 & 10.25 are able to ping 8.8.8.8 both are translating but 10.210 is not.

seems issue between 10.46 & 10.210 bcoz who initiated ping first able to communicate & second ip is not.

Pls help to resolve such issue coz there are 60-70 servers for which i need to configure outbound as 1.98.