https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-NAT-with-Port-Forwarding-on-Check-Point-Virtual-GW/m-p/275551#M104959 <P>Automatic NAT will create the necessary proxy ARPs for NAT to work.<BR />In manual NAT, you also have to configure a proxy ARP:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk30197" target="_blank">https://support.checkpoint.com/results/sk/sk30197</A>&nbsp;</P> Wed, 15 Apr 2026 16:06:05 GMT PhoneBoy 2026-04-15T16:06:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-NAT-with-Port-Forwarding-on-Check-Point-Virtual-GW/m-p/275481#M104928 <P>Hi Team,</P><P>We have configured the public IP segment 71.56.98.x/28 on the Check Point firewall WAN interface (eth1).</P><P>Our requirement is to perform manual NAT with port forwarding for one of our internal servers. We are using one available public IP from the above subnet and mapping it to the internal server 10.20.30.40, with the following requirement:</P><UL><LI>External Port: 443 Internal</LI><LI>Destination: 10.20.30.40:8443</LI></UL><P>However, we are facing the following issue:</P><UL><LI>When configuring Static NAT (manual NAT), the setup is not working</LI><LI>When using Automatic NAT, it is working, but we are unable to perform port forwarding (443 → 8443)</LI></UL><P>Could you please help us understand:</P><OL><LI>Why manual NAT is not working in this scenario</LI><LI>The correct way to configure port forwarding using manual NAT in Check Point</LI></OL><P>Kindly assist with the correct configuration or any prerequisites we may be missing.</P><P>Thanks &amp; Regards,</P><P>Warren</P> Wed, 15 Apr 2026 07:05:01 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-NAT-with-Port-Forwarding-on-Check-Point-Virtual-GW/m-p/275481#M104928 WarrenJ1 2026-04-15T07:05:01Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-NAT-with-Port-Forwarding-on-Check-Point-Virtual-GW/m-p/275551#M104959 <P>Automatic NAT will create the necessary proxy ARPs for NAT to work.<BR />In manual NAT, you also have to configure a proxy ARP:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk30197" target="_blank">https://support.checkpoint.com/results/sk/sk30197</A>&nbsp;</P> Wed, 15 Apr 2026 16:06:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-NAT-with-Port-Forwarding-on-Check-Point-Virtual-GW/m-p/275551#M104959 PhoneBoy 2026-04-15T16:06:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-NAT-with-Port-Forwarding-on-Check-Point-Virtual-GW/m-p/275559#M104964 <P>Hi,<BR /><BR />Can you show us the configured access rules and NAT rules you have configured for this traffic?<BR /><BR />You mention NAT is working but unable to connect to the server. Is routing to the destination OK?<BR />Maybe anti-spoofing on the internal interface for the return traffic?<BR /><BR />What does the logs show?<BR /><BR />Martijn</P> Wed, 15 Apr 2026 16:57:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-NAT-with-Port-Forwarding-on-Check-Point-Virtual-GW/m-p/275559#M104964 Martijn 2026-04-15T16:57:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-NAT-with-Port-Forwarding-on-Check-Point-Virtual-GW/m-p/275561#M104965 <P>This is correct. Automatic NAT = you don't need to make proxy arp. With manual NAT you have to make proxy arp (unless you use IP that is configured on firewall interface). If you don't see the traffic in your traffic logs it is arp issue. You can confirm this by doing tcpdump on external interface. There you would see ARP request, who has IP XXX? And then no one will reply. With proxy arp the firewall reply and then the traffic will flow&nbsp;</P> Wed, 15 Apr 2026 17:17:15 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Manual-NAT-with-Port-Forwarding-on-Check-Point-Virtual-GW/m-p/275561#M104965 Lesley 2026-04-15T17:17:15Z