NAT Loopback - Hairpin NAT

ThabEugS — Fri, 10 Jan 2025 15:37:12 GMT

Good Day

We are trying to do allow hairpin NAT for our Mitel Voice system. We want our devices on the inside network to be able to reach the Mitel device, which is on the internal network, by its Public IP Address.

I have attached topology of the environment.

Tried sk110019 - not coming right

Regards

Re: NAT Loopback - Hairpin NAT

the_rock — Fri, 10 Jan 2025 15:48:38 GMT

Can you give an example of how you did the nat rule?

Andy

Re: NAT Loopback - Hairpin NAT

PhoneBoy — Fri, 10 Jan 2025 17:21:04 GMT

Here's what a Hairpin NAT rule is supposed to look like: https://community.checkpoint.com/t5/Security-Gateways/Traffic-flow-in-between-C-to-S-via-Firewall-How/m-p/8466#M13082

Re: NAT Loopback - Hairpin NAT

Chillyjim — Fri, 10 Jan 2025 18:02:51 GMT

Just to make sure I understand, do you want something on the 5.0/24 network to hit 5.5 via 161.30.141.1.12? Do you need to hide the client's IP addresses (or, more precisely, can you?)?

Re: NAT Loopback - Hairpin NAT

ThabEugS — Sat, 11 Jan 2025 04:06:04 GMT

What about the firewall rules ?

Re: NAT Loopback - Hairpin NAT

the_rock — Sat, 11 Jan 2025 04:28:25 GMT

For regular fw rules, just make sure access is allowed.

Andy

Re: NAT Loopback - Hairpin NAT

the_rock — Sat, 11 Jan 2025 04:53:39 GMT

For what is worth, though I know you said you followed the sk AI gave me in this example, but see below, hope it helps.

Andy

************************************

This is Check Point AI Assistant.

To configure NAT Loopback (Hairpin NAT / NAT Reflection) on a Check Point Security Gateway, follow these steps:

Background

NAT Loopback allows internal clients to access an internal server using its public IP address. This is useful when internal clients need to access services using the same domain name or IP address as external clients.

Network Topology Example

Consider the following network topology:

Client #1: Public IP 2.2.2.2
Client #2: Private IP 192.168.1.10
Security Gateway: Public IP 1.1.1.1, Private IP 192.168.1.1
Web Server: Private IP 192.168.1.2

Steps to Configure NAT Loopback

In SmartConsole R80 and Higher

Create Host Objects:
- Create host objects for Client #1, Client #2, Security Gateway, and Web Server with their respective IP addresses.
Configure NAT Rules:
- Open the NAT policy in SmartConsole.
- Add the following NAT rules:

No.	Original Source	Original Destination	Original Services	Translated Source	Translated Destination	Translated Services	Install On
1	Client #1's Public IP (2.2.2.2)	Web Server's Public IP (1.1.1.1)	http	Client #1's Public IP (2.2.2.2)	Web Server's Private IP (192.168.1.2)	= Original	Security Gateway
2	Client #2's Private IP (192.168.1.10)	Web Server's Public IP (1.1.1.1)	http	Security Gateway's Private IP (192.168.1.1)	Web Server's Private IP (192.168.1.2)	= Original	Security Gateway
3	Web Server's Private IP (192.168.1.2)	* Any	http	Web Server's Public IP (1.1.1.1)	= Original	= Original	Security Gateway

Install Policy:
- After configuring the NAT rules, install the policy on the Security Gateway.

In SmartDashboard R77.X and Lower

Create Host Objects:
- Create host objects for Client #1, Client #2, Security Gateway, and Web Server with their respective IP addresses.
Configure NAT Rules:
- Open the NAT policy in SmartDashboard.
- Add the following NAT rules:

No.	Original Packet	Translated Packet	Install On
1	Source: Client #1's Public IP (2.2.2.2), Destination: Web Server's Public IP (1.1.1.1), Service: http	Source: Client #1's Public IP (2.2.2.2), Destination: Web Server's Private IP (192.168.1.2), Service: = Original	Security Gateway
2	Source: Client #2's Private IP (192.168.1.10), Destination: Web Server's Public IP (1.1.1.1), Service: http	Source: Client #2's Private IP (192.168.1.10), Destination: Web Server's Private IP (192.168.1.2), Service: = Original	Security Gateway
3	Source: Web Server's Private IP (192.168.1.2), Destination: Any, Service: http	Source: Web Server's Public IP (1.1.1.1), Destination: = Original, Service: = Original	Security Gateway

Install Policy:
- After configuring the NAT rules, install the policy on the Security Gateway.

Important Notes

Ensure that the NAT rules are in the correct order.
Verify the connectivity and functionality after applying the NAT rules.

For more detailed information, you can refer to the Check Point support article sk110019.

Learn more:

sk110019 - How to configure NAT Loopback (Hairpin NAT / NAT Reflection) on Check Point Security Gateway

Re: NAT Loopback - Hairpin NAT

ThabEugS — Fri, 17 Jan 2025 10:22:59 GMT

That is what i am looking for.

topic Re: NAT Loopback - Hairpin NAT in Firewall and Security Management

NAT Loopback - Hairpin NAT

Re: NAT Loopback - Hairpin NAT

Re: NAT Loopback - Hairpin NAT

Re: NAT Loopback - Hairpin NAT

Re: NAT Loopback - Hairpin NAT

Re: NAT Loopback - Hairpin NAT

Re: NAT Loopback - Hairpin NAT

Background

Network Topology Example

Steps to Configure NAT Loopback

In SmartConsole R80 and Higher

In SmartDashboard R77.X and Lower

Important Notes

Re: NAT Loopback - Hairpin NAT