https://community.checkpoint.com/t5/Firewall-and-Security-Management/Hide-NAT-issue-in-a-lab-environment/m-p/88455#M11092 <P>As per 0.PNG, rule 2 is doing Hide NAT.&nbsp; Can you share NAT rule base?</P> Sun, 14 Jun 2020 03:11:57 GMT pal 2020-06-14T03:11:57Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Hide-NAT-issue-in-a-lab-environment/m-p/85452#M11090 <P>Hi,&nbsp;<BR /><BR />I'm currently using a SA R80.10 cloud-based lab&nbsp;environment.<BR /><BR />I have the following networks:</P><DIV class="data-container"><DIV class="list"><DIV class="list-item">10.159.253.0/24 - VPN&nbsp;<BR />10.159.11.0/24 - Server LAN (one IP is being used by Windows Server which acts as a DC)<BR />10.159.254.0/24 - FW External&nbsp;(eth0)<BR />10.159.0.0/24 - FW Internal (eth1)<BR />10.159.1.0/24 - User LAN (one IP is being used by Windows Server which acts as a client).&nbsp;</DIV></DIV></DIV><DIV class="data-container"><DIV class="list"><DIV class="list-item"><BR />1) I have configured a rule to allow the client to send DNS requests to the DC + Hide NAT for both networks.<BR />2) Since both networks are internal networks (Server LAN + User LAN), NAT should not take place at the first&nbsp;phase (when I execute nslookup and the client sends a packet from User-LAN to the DC which is part of Server Lan).<BR />3) Hide NAT should take place only when the DC sends a DNS request to the FW, and the FW realise that he needs to forward it using his external interface. ("o to O inspection point - after routing decision took place").<BR /><BR />For now, I have created a manual NAT rule that is located on top to bypass this.<BR />(original source: Client, Original destination DC, translated source: original, translated destination: original)<BR />Without this rule, anti-spoofing drops the traffic (because Xlate Source IP is 10.178.254.254 which is FW EXT eth0)</DIV></DIV></DIV><P><BR />Assistance would be greatly appreciated!&nbsp;<BR /><BR />I've tried several things... I will mention few of them:<BR />Under network management &gt; eth1 the network address is 10.178.0.254/24&nbsp;<BR />I clicked modify &gt; override &gt; specific and selected a group that contains server and user lan. set as detected.<BR />eth0 &gt; set as detect.&nbsp;<BR /><BR />The last thing I did is to go to Network topology and set eth1 to /24 and add the network group that contains server+user lan &amp; change eth0 s.mask to /32. It didn't work either....&nbsp;&nbsp;<BR /><BR /><BR />Thank you <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</P><P>&nbsp;</P> Sat, 16 May 2020 23:17:33 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Hide-NAT-issue-in-a-lab-environment/m-p/85452#M11090 efraim 2020-05-16T23:17:33Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Hide-NAT-issue-in-a-lab-environment/m-p/88443#M11091 <P>Nobody?&nbsp;</P> Sat, 13 Jun 2020 20:31:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Hide-NAT-issue-in-a-lab-environment/m-p/88443#M11091 efraim 2020-06-13T20:31:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Hide-NAT-issue-in-a-lab-environment/m-p/88455#M11092 <P>As per 0.PNG, rule 2 is doing Hide NAT.&nbsp; Can you share NAT rule base?</P> Sun, 14 Jun 2020 03:11:57 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Hide-NAT-issue-in-a-lab-environment/m-p/88455#M11092 pal 2020-06-14T03:11:57Z