https://community.checkpoint.com/t5/General-Topics/Problem-with-NAT-and-ISP/m-p/184207#M30684 <P>I recommend engaging the TAC here: <A href="https://help.checkpoint.com" target="_blank">https://help.checkpoint.com</A>&nbsp;</P> Fri, 16 Jun 2023 19:16:52 GMT PhoneBoy 2023-06-16T19:16:52Z https://community.checkpoint.com/t5/General-Topics/Problem-with-NAT-and-ISP/m-p/183941#M30640 <P>Good afternoon.<BR /><BR />We have ISP1 and ISP2 configured on the security gateway.<BR />We also have NAT rules configured.<BR />ISP1 uses the external address of the Security Gateway. And ISP2 uses 4 addresses: one external from the Security Gateway and 3 not on the gateway. Proxy ARP is configured for these 3 external addresses.</P><P>For some reason, with problems with one ISP, encountered the following situation:<BR />1. The default route changes correctly (switches to the gateway of the desired ISP).<BR />2. NAT rules are not working. The NAT rule above (E.g.: ISP1 was working and become unreachable, then the route is changed to ISP2. BUT the NAT rule works for ISP1 because it is upstream to ISP2).</P><P>To solve the NAT problem, we modified the NAT rules according to sk174197. We added RNGX objects. Here is how it worked: we had the same rules with RNGX1 and the rule was repeated for RNGX2.<BR />NAT started working correctly (the addresses were hiding behind the right address, according to the automatic rule). But for some reason NAT didn't work for one subnet (there was no NAT in the logs, the checkpoint traffic let through) and the servers on that subnet didn't have Internet access.</P><P>Can you tell me what could be the problem?</P> Wed, 14 Jun 2023 08:03:42 GMT https://community.checkpoint.com/t5/General-Topics/Problem-with-NAT-and-ISP/m-p/183941#M30640 Oliver_222 2023-06-14T08:03:42Z https://community.checkpoint.com/t5/General-Topics/Problem-with-NAT-and-ISP/m-p/184000#M30652 <P>Version/JHF of the gateway in question? (Or if it's an SMB, the firmware version)<BR />Please explain what is meant by "<SPAN>the NAT rule works for ISP1 because it is upstream to ISP2)."<BR />Also, showing the exact rules used would be helpful.<BR />Can you also provide a simple network diagram?</SPAN></P> Wed, 14 Jun 2023 18:23:15 GMT https://community.checkpoint.com/t5/General-Topics/Problem-with-NAT-and-ISP/m-p/184000#M30652 PhoneBoy 2023-06-14T18:23:15Z https://community.checkpoint.com/t5/General-Topics/Problem-with-NAT-and-ISP/m-p/184183#M30683 <P>R81.10 JHF Take 55<BR />3800 Appliance.<BR />When we shut down one ISP, the NAT rule worked the same and users and servers had no access to the internet. But when we raised ISP2 higher than ISP1, the NAT rule worked for ISP2 and there was internet access (picture 1).<BR />Setting NAT with RNGX (picture 2) - in this case everything worked correctly (as I think), the default route was changed to another provider, in the logs addresses were hidden behind the same provider. But only the subnet 172.16.0.0/24 didn't have Internet working.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/21454i29CB1A59E2DD61EC/image-size/medium?v=v2&amp;px=400" role="button" title="1.png" alt="1.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/21455i57D31BA058A61555/image-size/medium?v=v2&amp;px=400" role="button" title="2.png" alt="2.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="3.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/21456i03F14F7025FF0902/image-size/medium?v=v2&amp;px=400" role="button" title="3.png" alt="3.png" /></span></P><P>   </P> Fri, 16 Jun 2023 11:43:32 GMT https://community.checkpoint.com/t5/General-Topics/Problem-with-NAT-and-ISP/m-p/184183#M30683 Oliver_222 2023-06-16T11:43:32Z https://community.checkpoint.com/t5/General-Topics/Problem-with-NAT-and-ISP/m-p/184207#M30684 <P>I recommend engaging the TAC here: <A href="https://help.checkpoint.com" target="_blank">https://help.checkpoint.com</A>&nbsp;</P> Fri, 16 Jun 2023 19:16:52 GMT https://community.checkpoint.com/t5/General-Topics/Problem-with-NAT-and-ISP/m-p/184207#M30684 PhoneBoy 2023-06-16T19:16:52Z https://community.checkpoint.com/t5/General-Topics/Problem-with-NAT-and-ISP/m-p/184904#M30802 <P>did you fix the problem? i'm interested in a similar scenario</P> Tue, 27 Jun 2023 08:34:02 GMT https://community.checkpoint.com/t5/General-Topics/Problem-with-NAT-and-ISP/m-p/184904#M30802 CheckPointerXL 2023-06-27T08:34:02Z https://community.checkpoint.com/t5/General-Topics/Problem-with-NAT-and-ISP/m-p/184908#M30803 <P>We are currently investigating the problem together with the TAC</P> Tue, 27 Jun 2023 08:53:45 GMT https://community.checkpoint.com/t5/General-Topics/Problem-with-NAT-and-ISP/m-p/184908#M30803 Oliver_222 2023-06-27T08:53:45Z