https://community.checkpoint.com/t5/General-Topics/Unable-to-create-destination-NAT-rule-for-ICMP-service/m-p/238631#M39842 <P><A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuide/Content/Topics-SECMG/Configuring-NAT-Policy.htm?TocPath=Creating%20an%20Access%20Control%20Policy%7CConfiguring%20the%20NAT%20Policy%7C_____0" target="_blank">https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuide/Content/Topics-SECMG/Configuring-NAT-Policy.htm?TocPath=Creating%20an%20Access%20Control%20Policy%7CConfiguring%20the%20NAT%20Policy%7C_____0</A></P> <P>NAT (Network Address Translation) is a feature of the<SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_Other.tp_fwcap variable">Firewall</SPAN><SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_BladesFeatures.tp_sblade variable"><A class="MCTextPopup MCTextPopupHotSpot MCTextPopupHotSpot_ #text MCTextPopup_Closed" role="button" href="https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_SecurityManagement_AdminGuide/Topics-SECMG/Configuring-NAT-Policy.htm?TocPath=Creating%20an%20Access%20Control%20Policy%7CConfiguring%20the%20NAT%20Policy%7C_____0#" data-mc-state="closed" data-aria-describedby="ea9a5e90-ba03-412b-8fb5-0bbd4b610425" target="_blank">Software Blade</A></SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Lesley_0-1736930943173.gif" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/29221i2BB3AA58046F195F/image-size/medium?v=v2&amp;px=400" role="button" title="Lesley_0-1736930943173.gif" alt="Lesley_0-1736930943173.gif" /></span></P> <P>&nbsp;</P> <P><SPAN>&nbsp;</SPAN>and replaces IPv4 and IPv6 addresses to add more security. NAT protects the identity of a network and does not show internal IP addresses to the Internet.</P> <P>The<SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_Other.tp_sgate variable">Security Gateway</SPAN><SPAN>&nbsp;</SPAN>can change:</P> <UL> <LI> <P>The source IP address in a packet.</P> </LI> <LI> <P>The destination IP address in a packet.</P> </LI> <LI> <P>The TCP / UDP port in a packet. (ICMP is not TCP or UDP)</P> </LI> </UL> Wed, 15 Jan 2025 08:49:20 GMT Lesley 2025-01-15T08:49:20Z https://community.checkpoint.com/t5/General-Topics/Unable-to-create-destination-NAT-rule-for-ICMP-service/m-p/238605#M39835 <P>Dear Checkmates,</P><P>I'm having problem creating DST NAT rule for an ICMP traffic, I'm forced to create a rule with services as "ANY" for this to work.&nbsp;</P><P>Can someone let me know if this is a limitation and so please share the relevant document from Check Point.</P><P>Thanks in advance!</P><P>=======</P><P>WR,</P><P>FH</P> Wed, 15 Jan 2025 07:12:10 GMT https://community.checkpoint.com/t5/General-Topics/Unable-to-create-destination-NAT-rule-for-ICMP-service/m-p/238605#M39835 Firewall_Head 2025-01-15T07:12:10Z https://community.checkpoint.com/t5/General-Topics/Unable-to-create-destination-NAT-rule-for-ICMP-service/m-p/238631#M39842 <P><A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuide/Content/Topics-SECMG/Configuring-NAT-Policy.htm?TocPath=Creating%20an%20Access%20Control%20Policy%7CConfiguring%20the%20NAT%20Policy%7C_____0" target="_blank">https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuide/Content/Topics-SECMG/Configuring-NAT-Policy.htm?TocPath=Creating%20an%20Access%20Control%20Policy%7CConfiguring%20the%20NAT%20Policy%7C_____0</A></P> <P>NAT (Network Address Translation) is a feature of the<SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_Other.tp_fwcap variable">Firewall</SPAN><SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_BladesFeatures.tp_sblade variable"><A class="MCTextPopup MCTextPopupHotSpot MCTextPopupHotSpot_ #text MCTextPopup_Closed" role="button" href="https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_SecurityManagement_AdminGuide/Topics-SECMG/Configuring-NAT-Policy.htm?TocPath=Creating%20an%20Access%20Control%20Policy%7CConfiguring%20the%20NAT%20Policy%7C_____0#" data-mc-state="closed" data-aria-describedby="ea9a5e90-ba03-412b-8fb5-0bbd4b610425" target="_blank">Software Blade</A></SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Lesley_0-1736930943173.gif" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/29221i2BB3AA58046F195F/image-size/medium?v=v2&amp;px=400" role="button" title="Lesley_0-1736930943173.gif" alt="Lesley_0-1736930943173.gif" /></span></P> <P>&nbsp;</P> <P><SPAN>&nbsp;</SPAN>and replaces IPv4 and IPv6 addresses to add more security. NAT protects the identity of a network and does not show internal IP addresses to the Internet.</P> <P>The<SPAN>&nbsp;</SPAN><SPAN class="mc-variable Vars_Other.tp_sgate variable">Security Gateway</SPAN><SPAN>&nbsp;</SPAN>can change:</P> <UL> <LI> <P>The source IP address in a packet.</P> </LI> <LI> <P>The destination IP address in a packet.</P> </LI> <LI> <P>The TCP / UDP port in a packet. (ICMP is not TCP or UDP)</P> </LI> </UL> Wed, 15 Jan 2025 08:49:20 GMT https://community.checkpoint.com/t5/General-Topics/Unable-to-create-destination-NAT-rule-for-ICMP-service/m-p/238631#M39842 Lesley 2025-01-15T08:49:20Z https://community.checkpoint.com/t5/General-Topics/Unable-to-create-destination-NAT-rule-for-ICMP-service/m-p/238651#M39850 <P><SPAN><A href="https://community.checkpoint.com/t5/Management/Destination-NAT-with-ICMP/m-p/19275#M16164" target="_blank">https://community.checkpoint.com/t5/Management/Destination-NAT-with-ICMP/m-p/19275#M16164</A></SPAN></P> <P><A href="https://support.checkpoint.com/results/sk/sk66506" target="_blank" rel="noopener"><SPAN>sk66506: <STRONG>ICMP</STRONG> Error packets are not translated according to <STRONG>NAT</STRONG> rulebase</SPAN></A></P> <P><A href="https://support.checkpoint.com/results/sk/sk172933" target="_blank" rel="noopener"><SPAN>sk172933: <STRONG>NAT</STRONG> FAQ</SPAN></A></P> Wed, 15 Jan 2025 11:18:06 GMT https://community.checkpoint.com/t5/General-Topics/Unable-to-create-destination-NAT-rule-for-ICMP-service/m-p/238651#M39850 G_W_Albrecht 2025-01-15T11:18:06Z https://community.checkpoint.com/t5/General-Topics/Unable-to-create-destination-NAT-rule-for-ICMP-service/m-p/238703#M39859 <P>The NAT rulebase only permits usage of TCP and UDP services.&nbsp;<BR />I don't believe this is explicitly documented as SmartConsole provides an appropriate error when you attempt this configuration.<BR />This is also a long-standing limitation going back to the earliest days of the product.</P> <P>Having said that, the NAT rulebase only applies if the traffic is permitted by the Access Policy.</P> Wed, 15 Jan 2025 19:49:52 GMT https://community.checkpoint.com/t5/General-Topics/Unable-to-create-destination-NAT-rule-for-ICMP-service/m-p/238703#M39859 PhoneBoy 2025-01-15T19:49:52Z https://community.checkpoint.com/t5/General-Topics/Unable-to-create-destination-NAT-rule-for-ICMP-service/m-p/238706#M39861 <P>You get a validation error when you try to sneak ICMP in a group in the rule. If you try to select icmp itself you cannot find it to select in the drop down menu&nbsp;</P> Wed, 15 Jan 2025 19:58:02 GMT https://community.checkpoint.com/t5/General-Topics/Unable-to-create-destination-NAT-rule-for-ICMP-service/m-p/238706#M39861 Lesley 2025-01-15T19:58:02Z