topic Re: Apply NAT to subnet that is not physically configured on the gateway cluster in General Topics

Apply NAT to subnet that is not physically configured on the gateway cluster

Ian_Cresswell — Sat, 10 Dec 2022 12:18:31 GMT

At the moment we have an external /24 subnet applied to the external interfaces of our checkpoint cluster, we use this subnet to do all of our NAT's for our DMZ's.
We are moving to a datacentre where they will not be able to supply us with a /24 subnet directly.
What they will do is provide us with a /28 "transit" subnet and then will provide us a larger "hosting" subnet behind this "transit" subnet.
I will apply IP's from the transit subnet to the gateways and to the vip of the gateways cluster, the datacentre will route to the "hosting" subnet via the vip of our gateways cluster transit IP.
I will then apply the NAT's for our DMZ to the "hosting" subnet on the checkpoints.
Is this a viable setup, I want to make sure this will work before we move to the datacentre as our maintenance window will be fairly small

Re: Apply NAT to subnet that is not physically configured on the gateway cluster

Chris_Atkinson — Sat, 10 Dec 2022 12:30:05 GMT

Yes this should work exactly as expected.

In my view it's a better option since it doesn't require proxy-arp.

Re: Apply NAT to subnet that is not physically configured on the gateway cluster

the_rock — Sat, 10 Dec 2022 13:34:22 GMT

Yea, I agree with Chris. I dont see why it would not work...plus, I dont see many people these days even having to do proxy-arp any more for destination NAT.