https://community.checkpoint.com/t5/Firewall-and-Security-Management/Static-NAT-for-an-entire-network-object-why-does-this-work/m-p/143014#M22166 <P>Interestingly, if you specify a range instead of a network, then it gets translated like for like.</P> Fri, 04 Mar 2022 19:30:16 GMT Ruan_Kotze 2022-03-04T19:30:16Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Static-NAT-for-an-entire-network-object-why-does-this-work/m-p/142973#M22157 <P>Hi!</P><P>I don't understand why/how the following scenario works.</P><P>SMS is R81.10, Gateway is R80.40</P><P>I can set a Static NAT IP for a network object and can successfully install policy.</P><P>eg. setting STATIC NAT IP 10.0.113.2 on the network A-INT_NET (192.168.11.0/24)</P><P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="static nat applied.jpeg" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/15598iD90D0B4E812BABA9/image-size/large?v=v2&amp;px=999" role="button" title="static nat applied.jpeg" alt="static nat applied.jpeg" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>In NAT rulebase&nbsp; - rule no 10 appears</P><P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="nat rulebase.jpg" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/15599i42FD8EEA6C030C17/image-size/large?v=v2&amp;px=999" role="button" title="nat rulebase.jpg" alt="nat rulebase.jpg" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>Traffic to outside works for 2 hosts on that network. (I also have a second hide NAT that's made in pfsense above the lab environment)</P><P>Even weirder is that CKP logs shows succesful Source NAT, but not with .2 as in the rule, but with .204 which I don't even know where it appeared from. The Gateway's IP is 10.0.113.1</P><P>The virtual router above CKP lab doesn't have DHCP server active so that .204 IP couldn't have come from that.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="log.jpeg" style="width: 755px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/15600iFDE13F75CD6B7925/image-size/large?v=v2&amp;px=999" role="button" title="log.jpeg" alt="log.jpeg" /></span></P><P>&nbsp;</P> Fri, 04 Mar 2022 10:43:01 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Static-NAT-for-an-entire-network-object-why-does-this-work/m-p/142973#M22157 LucianLS 2022-03-04T10:43:01Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Static-NAT-for-an-entire-network-object-why-does-this-work/m-p/143008#M22164 <P>Setting a static NAT on a network object does work, but almost certainly not the way expected.&nbsp; What you have done is NATed the entire&nbsp;<SPAN>192.168.11.0/24 network to the entire 10.0.113.0/24 network.&nbsp; So traffic coming from 192.168.11.111 will be NATted to 10.0.113.111, 192.168.11.17 will be NATted to 10.0.113.17, etc.&nbsp; I think Cisco used to call this "LAN-to-LAN NATting", and this type of NAT operation just swaps out the network portion of the IP address (first three octets with a /24) and leaves the host portion (last octet) intact.</SPAN></P> Fri, 04 Mar 2022 17:50:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Static-NAT-for-an-entire-network-object-why-does-this-work/m-p/143008#M22164 Timothy_Hall 2022-03-04T17:50:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Static-NAT-for-an-entire-network-object-why-does-this-work/m-p/143010#M22165 <P>I believe the IPs in translated subnet are chosen randomly, so say if source is x.x.x.222, then dst might be y.y.y.252.</P> Fri, 04 Mar 2022 19:52:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Static-NAT-for-an-entire-network-object-why-does-this-work/m-p/143010#M22165 the_rock 2022-03-04T19:52:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Static-NAT-for-an-entire-network-object-why-does-this-work/m-p/143014#M22166 <P>Interestingly, if you specify a range instead of a network, then it gets translated like for like.</P> Fri, 04 Mar 2022 19:30:16 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Static-NAT-for-an-entire-network-object-why-does-this-work/m-p/143014#M22166 Ruan_Kotze 2022-03-04T19:30:16Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Static-NAT-for-an-entire-network-object-why-does-this-work/m-p/143015#M22167 <P>Thats right, exactly how it works on Cisco.</P> Fri, 04 Mar 2022 19:43:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Static-NAT-for-an-entire-network-object-why-does-this-work/m-p/143015#M22167 the_rock 2022-03-04T19:43:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Static-NAT-for-an-entire-network-object-why-does-this-work/m-p/146899#M23387 <P>I have been using static network to network NAT with VPNs for years, it works exactly as expected. For example: orig_src:10.23.0.0/16 xlate_src:192.168.0.0/16 will NAT the 3rd and 4th octet one to one. Where is this documented within Check Point's admin guides? Is there an sk?</P><P>Thanks.</P> Fri, 22 Apr 2022 23:25:17 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Static-NAT-for-an-entire-network-object-why-does-this-work/m-p/146899#M23387 dagnabber 2022-04-22T23:25:17Z