topic NAT Help: How to NAT to "Remote" internal subnets (not directly connected) on a 2500 Appliance? in Firewall and Security Management

NAT Help: How to NAT to "Remote" internal subnets (not directly connected) on a 2500 Appliance?

Dimitar139594 — Fri, 20 Mar 2026 07:23:08 GMT

Hi everyone,

I’m running into a bit of a routing/NAT challenge on a Check Point 2500 Security Gateway (R82.00.05) and could use some collective wisdom.

The Scenario: I need to set up Static NAT for a few internal servers. Usually, this is straightforward when the servers are in a direct LAN segment. However, these specific servers live in a different building/VLAN that is routed to the Check Point via a core switch.

Checkpoint Internal IP: 10.0.1.1/24
Target Server IP: 192.168.50.10 (reachable via a static route/OSPF pointing to a core switch at 10.0.1.2)
Goal: Map a Public IP (1.1.1.10) to the Internal Server (192.168.50.10).

The Problem: When I configure the NAT rule and the Host object, the traffic seems to die at the gateway. I suspect the issue is related to Proxy ARP or the gateway not knowing how to handle the "non-local" destination for a NATed packet.

A few specific questions for the experts:

Since the target IP isn't on a local interface, do I still need a manual Proxy ARP entry for the Public IP?
Is there a specific setting in the NAT tab of the Host object (like "Install on Gateway") that I should be wary of in a routed environment?
Do I need to create a "dummy" interface or use a specific Routing/NAT trick to make the 2500 realize it should forward that translated packet back to the core switch instead of looking for it on the local wire?

I’ve checked the logs in SmartConsole, and I see the hits, but no return traffic. Any advice on the "Check Point way" to handle NAT for remote internal subnets would be greatly appreciated

Re: NAT Help: How to NAT to "Remote" internal subnets (not directly connected) on a 2500 A

emmap — Fri, 20 Mar 2026 08:18:18 GMT

No to all of the above. How are you doing the NAT? You shouldn't have to adjust anything, really. Think of what the IP headers are on the packet pre- and post-NAT and make sure the routing across the rest of the network will send the return packet back to the gateway.

Re: NAT Help: How to NAT to "Remote" internal subnets (not directly connected) on a 2500 A

Dimitar139594 — Fri, 20 Mar 2026 12:58:04 GMT

The outgoing traffic of the hosts on the remote networks is routed correctly - they have Internet access with "Hide internal networks behind the gateway's external IP address" enabled

I have tried both with standard Server forwarding rules and manual NAT. Also added firewall rules to accept traffic from and to the remote networks.

Traffic reaches the WAN interface but does is not sent out on the LAN interface.

Re: NAT Help: How to NAT to "Remote" internal subnets (not directly connected) on a 2500 A

NikitaOstrovsky — Sat, 21 Mar 2026 18:49:57 GMT

Hi ,

I'm not sure what is a flow here but I definitely see possible problematic points that I would advise to check. First, you don't need to set any proxyARP if you do static NAT as you described (creating a host object and setting static NAT within). Your remote internal host must have the same flow of static NAT. Check that your rulebase is not dropping that connection. Finally, trace route or tcpdump can help you))) Good luck!! BTW, if this is always one way servers call, you can use hide NAT on origin

Re: NAT Help: How to NAT to "Remote" internal subnets (not directly connected) on a 2500 A

emmap — Mon, 23 Mar 2026 03:32:30 GMT

In theory, if we are allowing inbound traffic from the internet here, all you should need here is a rule in the policy allowing access to the network host object for that server, then inside that host object configure your static NAT IP.