topic Re: NAT+FQDN in Firewall and Security Management

NAT+FQDN

Aleksander_Osma — Fri, 18 Aug 2023 07:54:29 GMT

Hi all

Tell me how to implement NAT correctly ( i have R81.20 , 1-RealIP )

I need next scenario as picture.

1 Web.somedomain.con nat to internal webserver-1

2 Web2.somedomain.con nat to internal webserver-2

3 Web3.somedomain.con nat to internal webserver-3

I set nat

Source(GeoIP)---Dest(Web.somedomain.con)--Services(http/https) ----> Redirect ( Source as is) ----dest ( LocalWebserver) --Services (http\https)

But don't work

Re: NAT+FQDN

PhoneBoy — Fri, 18 Aug 2023 13:33:05 GMT

How exactly is the gateway supposed to know on the first packet which of the three websites is trying to be accessed when they all have the same IP?
Which means: this won’t work.

It should work if you configure inbound HTTPS Inspection and use the same certificate for all three sites (each site is covered in the SNI of the certificate).
And, in this case, it would only work for HTTPS.

Re: NAT+FQDN

Aleksander_Osma — Fri, 18 Aug 2023 18:04:22 GMT

maybe I didn't explain correctly

My CPGW have 1 externalip , i need to nat some services redirect to internal server

Example

web.domain.com have ip 1.1.1.1 need to redirect to internal server 1.1.1.1

mail.domain.com have ip 1.1.1.1 need redirect to internal server 2.2.2.2

domain.domnain.com have ip 1.1.1.1 need to redirect server 3.3.3.3

etc

Re: NAT+FQDN

RS_Daniel — Fri, 18 Aug 2023 18:44:08 GMT

Hello,

I think phoneboy answered exactly what you are asking for. There is no way the firewall knows what is the domain to which the request is addressed only with NAT. You can use inbound https inspection as per phoneboy recomendation. You can also use reverse proxy feature exaplained here:

https://support.checkpoint.com/results/sk/sk110348

You must consider that only one https certificate is supported for all https sites, so it should be a wildcard. Another option i see is that the each domain use a different port to differentiate between them, for example:

web.domain.com:4000 have ip 1.1.1.1 need to redirect to internal server 1.1.1.1

mail.domain.com:4001 have ip 1.1.1.1 need redirect to internal server 2.2.2.2

domain.domnain.com:4002 have ip 1.1.1.1 need to redirect server 3.3.3.3

Of course a dedicated reverse proxy can also do the job, as nginx. Hope some option is useful.

Regards

Re: NAT+FQDN

Bob_Zimmerman — Sat, 19 Aug 2023 00:19:52 GMT

As long as the services are all on different ports, you can make a NAT rule for each port you want to translate differently.

Any/1.1.1.1/TCP80 translate to Original/webserver-1/Original

Any/1.1.1.1/TCP25 translate to Original/mailserver-1/Original

Any/1.1.1.1/UDP53 translate to Original/nameserver-1/Original

etc.

Note that this would allow people to think they're connecting to web.domain.com on port 25.