https://community.checkpoint.com/t5/Firewall-and-Security-Management/Uturn-Nat-Firewall-Checkpoint/m-p/172940#M31433 <P>Hello&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/89917">@CheckGatzMet</a>&nbsp;,</P> <P>&nbsp;</P> <P>So per my understanding, you're trying to do the following:</P> <P>&nbsp;- when you try to reach&nbsp;<SPAN>200.200.200.200.10 from LAN side clients&nbsp;10.10.10.100 you show as coming from DMZ&nbsp;172.10.10.100 .<BR /><BR /></SPAN></P> <P><SPAN>That I have to try, but I think it's doable, the only problem that I would see, is that you would might have some spoofing alerts/errors.<BR /><BR />You can do the NAT rule, on specific port, and see how it goes, and that NAT rule needs to be on TOP of all others, or almost on top of them, depending how you have the NAT layered...</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thank you,</SPAN></P> <P>PS: we have similar NAT rules, but not 100% like in your scenario, and works well.</P> <P>&nbsp;</P> Tue, 28 Feb 2023 06:25:57 GMT Sorin_Gogean 2023-02-28T06:25:57Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Uturn-Nat-Firewall-Checkpoint/m-p/172420#M31332 <P class="">Uturn Nat Firewall Checkpoint</P><P class="">Hello good evening, first of all, thank you for your time, good vibes and your collaboration.</P><P class="">-How can I configure a DNAT U-turn NAT on Checkpoint firewalls ?</P><P class="">That is to say that in a scheme like the following:</P><P class="">Checkpoint Interfaces: Internet 200.200.200.200.10/28 - DMZ 172.10.10.0/25 - LAN Users: 10.10.10.0/24.</P><P class="">-The DNAT all OK from the public IP against the DMZ, from Interrnet.</P><P class="">Now how can I configure a Uturn NAT, that is to say that from the LAN Users, a user with IP 10.10.10.100 connects to the 200.200.200.10 and DNAT is applied against the Ip of the DMZ 172.10.10.100.</P><P class="">Thanks in advance for your comments, tips, etc.</P><P class="">Regards</P> Thu, 23 Feb 2023 06:24:17 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Uturn-Nat-Firewall-Checkpoint/m-p/172420#M31332 CheckGatzMet 2023-02-23T06:24:17Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Uturn-Nat-Firewall-Checkpoint/m-p/172865#M31427 <P>Since the traffic has to traverse the gateway to get to the Internet and any traffic from the DMZ also traverses the gateway, this really isn't U-turn NAT.<BR />In any case, you configure manual NAT rules with the explicit source LAN, destination, and translated source IP (specifically DMZ) as a HIDE address.<BR /><BR /></P> Mon, 27 Feb 2023 18:29:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Uturn-Nat-Firewall-Checkpoint/m-p/172865#M31427 PhoneBoy 2023-02-27T18:29:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Uturn-Nat-Firewall-Checkpoint/m-p/172872#M31428 <P>Learned something new today...only U-turn I ever knew was with a car lol. Anyway, reading about it online, I see the point&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;made, makes sense.</P> Mon, 27 Feb 2023 19:13:15 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Uturn-Nat-Firewall-Checkpoint/m-p/172872#M31428 the_rock 2023-02-27T19:13:15Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Uturn-Nat-Firewall-Checkpoint/m-p/172932#M31432 <P>Hello, thanks a lot for your comments</P><P>Both Cisco firewalls, Palo Alto, among others, name this type of communication, this type of NATs, as U-TURN others as Hairpin.</P><P>In fact you can look it up in the "sk110019", where Checkpoint details its configuration, it names it as Hairpin NAT / NAT Reflection.</P><P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk110019" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk110019</A></P><P>Cheers</P> Tue, 28 Feb 2023 02:14:44 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Uturn-Nat-Firewall-Checkpoint/m-p/172932#M31432 CheckGatzMet 2023-02-28T02:14:44Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Uturn-Nat-Firewall-Checkpoint/m-p/172940#M31433 <P>Hello&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/89917">@CheckGatzMet</a>&nbsp;,</P> <P>&nbsp;</P> <P>So per my understanding, you're trying to do the following:</P> <P>&nbsp;- when you try to reach&nbsp;<SPAN>200.200.200.200.10 from LAN side clients&nbsp;10.10.10.100 you show as coming from DMZ&nbsp;172.10.10.100 .<BR /><BR /></SPAN></P> <P><SPAN>That I have to try, but I think it's doable, the only problem that I would see, is that you would might have some spoofing alerts/errors.<BR /><BR />You can do the NAT rule, on specific port, and see how it goes, and that NAT rule needs to be on TOP of all others, or almost on top of them, depending how you have the NAT layered...</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thank you,</SPAN></P> <P>PS: we have similar NAT rules, but not 100% like in your scenario, and works well.</P> <P>&nbsp;</P> Tue, 28 Feb 2023 06:25:57 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Uturn-Nat-Firewall-Checkpoint/m-p/172940#M31433 Sorin_Gogean 2023-02-28T06:25:57Z