<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: NAT with Multiple external interfaces in Firewall and Security Management</title>
    <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/NAT-with-Multiple-external-interfaces/m-p/78356#M6027</link>
    <description>&lt;P&gt;The best way, in my opinion, is to wait and see the BGP peer come up and the routes for it, then create a dynamic object or network group and then do the NAT-ing.&lt;/P&gt;</description>
    <pubDate>Sun, 15 Mar 2020 17:16:14 GMT</pubDate>
    <dc:creator>funkylicious</dc:creator>
    <dc:date>2020-03-15T17:16:14Z</dc:date>
    <item>
      <title>NAT with Multiple external interfaces</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/NAT-with-Multiple-external-interfaces/m-p/78215#M6005</link>
      <description>&lt;P&gt;I currently have a CP 12600 firewall with an external interface to the internet and an internal interface. We have NAT defined for all external flows. I want to create another external interface that will receive dynamic routes via BGP. I also want to assign a NAT pool to SNAT all flows sent via this interface. The challenge I have is how do I define this NAT when the destination ranges are dynamic and unknown? My existing NAT from internal to external internet has 'any' for destination ranges, which will overlap with any new NAT rules that I can create.&lt;BR /&gt;In summary,&lt;BR /&gt;a. How do I define a NAT pool to SNAT all traffic sent via the new interface?&lt;BR /&gt;b. If there are overlapping NAT statements, will CP check the outgoing interface based on routing before deciding the NAT statement to use? Or will it process on the basis of the order of NAT statements?&lt;/P&gt;</description>
      <pubDate>Fri, 13 Mar 2020 14:11:43 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/NAT-with-Multiple-external-interfaces/m-p/78215#M6005</guid>
      <dc:creator>colfer</dc:creator>
      <dc:date>2020-03-13T14:11:43Z</dc:date>
    </item>
    <item>
      <title>Re: NAT with Multiple external interfaces</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/NAT-with-Multiple-external-interfaces/m-p/78346#M6024</link>
      <description>&lt;P&gt;Well, do you want to use ECMP (which should be enabled by default) to load balance the traffic or just move all traffic to the new interface?&lt;/P&gt;&lt;P&gt;If you want to move it to the new one, just change the nexthop for the default route and modify the NAT table accordingly.&lt;/P&gt;&lt;P&gt;Otherwise, just add another default route with the nexthop and add another rule with dst any (haven't tested, but should work).&lt;/P&gt;</description>
      <pubDate>Sun, 15 Mar 2020 14:18:24 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/NAT-with-Multiple-external-interfaces/m-p/78346#M6024</guid>
      <dc:creator>funkylicious</dc:creator>
      <dc:date>2020-03-15T14:18:24Z</dc:date>
    </item>
    <item>
      <title>Re: NAT with Multiple external interfaces</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/NAT-with-Multiple-external-interfaces/m-p/78347#M6025</link>
      <description>&lt;P&gt;Hi - The current internet interface will be the one used by default; however, I want routes received via BGP on the new interface to be NAT’d using a separate pool of IP addresses. As I don’t know what these addresses are beforehand, how will I define the NAT?&lt;/P&gt;</description>
      <pubDate>Sun, 15 Mar 2020 14:34:53 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/NAT-with-Multiple-external-interfaces/m-p/78347#M6025</guid>
      <dc:creator>colfer</dc:creator>
      <dc:date>2020-03-15T14:34:53Z</dc:date>
    </item>
    <item>
      <title>Re: NAT with Multiple external interfaces</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/NAT-with-Multiple-external-interfaces/m-p/78356#M6027</link>
      <description>&lt;P&gt;The best way, in my opinion, is to wait and see the BGP peer come up and the routes for it, then create a dynamic object or network group and then do the NAT-ing.&lt;/P&gt;</description>
      <pubDate>Sun, 15 Mar 2020 17:16:14 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/NAT-with-Multiple-external-interfaces/m-p/78356#M6027</guid>
      <dc:creator>funkylicious</dc:creator>
      <dc:date>2020-03-15T17:16:14Z</dc:date>
    </item>
  </channel>
</rss>

