https://community.checkpoint.com/t5/General-Topics/NAT-policy-rules-for-internal-interfaces/m-p/28618#M5838 <HTML><HEAD></HEAD><BODY><P>We don't appear to be able to get a NAT rule to apply on traffic on an internal interface of a Gaia security gateway.</P><P></P><P>Background:</P><P style="padding-left: 30px;">We have been using Squid proxies for over 20 years and have a variety of systems and deployment tools that have the proxy hard coded (cache.lair.co.za:3128). Whilst it is possible to enable a proxy service on security gateways and edit the default port (8080) to match our legacy environment, application control doesn’t work due to them being written only to match on direct connections (tcp:80 and tcp:443) and HTTP and HTTPS proxy connections on tcp:8080.</P><P style="padding-left: 30px;">&nbsp;</P><P style="padding-left: 30px;"><SPAN style="font-size: 11.0pt;">We subsequently have to leave the security gateway proxy port configured as 8080 and wanted to create a NAT rule to redirect inbound connections towards the security gateway on 3128 to 8080.</SPAN></P><P></P><P></P><P><SPAN style="font-size: 11.0pt;">What we did:</SPAN></P><UL><LI><SPAN style="font-size: 11.0pt;">Created a NAT rule:</SPAN></LI></UL><P style="padding-left: 60px;"><SPAN style="font-size: 11.0pt;"><IMG alt="" class="image-1 jive-image j-img-original" src="https://community.checkpoint.com/legacyfs/online/checkpoint/70796_nat_rule.jpg" /></SPAN></P><UL><LI><SPAN style="font-size: 11.0pt;">Testing:</SPAN></LI></UL><P style="padding-left: 60px;"><SPAN style="font-size: 12px; font-family: 'courier new', courier, monospace;"><SPAN style="color: #808080;">[davidh@zajnb01-kvm2c&nbsp;~]#</SPAN> telnet cache.lair.co.za 8080<BR />Trying 100.127.254.1...<BR /><SPAN style="color: #008000;">Connected</SPAN> to cache.lair.co.za (100.127.254.1).<BR />Escape character is '^]'.<BR /></SPAN></P><P style="padding-left: 60px;"><SPAN style="font-size: 12px; font-family: 'courier new', courier, monospace;"><SPAN style="color: #808080;">[</SPAN><SPAN style="color: #808080;">davidh@zajnb01-kvm2c</SPAN><SPAN style="color: #808080;">&nbsp;~]#</SPAN> telnet cache.lair.co.za 3128<BR />Trying 100.127.254.1...<BR />telnet: connect to address 100.127.254.1: <SPAN style="color: #ff6600;">Connection refused</SPAN><BR /></SPAN></P><P></P><P></P><P><SPAN style="font-size: 11.0pt;">Are there restrictions on NAT policies that I'm perhaps unaware of?</SPAN></P></BODY></HTML> Fri, 21 Sep 2018 12:57:38 GMT David_Herselman 2018-09-21T12:57:38Z https://community.checkpoint.com/t5/General-Topics/NAT-policy-rules-for-internal-interfaces/m-p/28618#M5838 <HTML><HEAD></HEAD><BODY><P>We don't appear to be able to get a NAT rule to apply on traffic on an internal interface of a Gaia security gateway.</P><P></P><P>Background:</P><P style="padding-left: 30px;">We have been using Squid proxies for over 20 years and have a variety of systems and deployment tools that have the proxy hard coded (cache.lair.co.za:3128). Whilst it is possible to enable a proxy service on security gateways and edit the default port (8080) to match our legacy environment, application control doesn’t work due to them being written only to match on direct connections (tcp:80 and tcp:443) and HTTP and HTTPS proxy connections on tcp:8080.</P><P style="padding-left: 30px;">&nbsp;</P><P style="padding-left: 30px;"><SPAN style="font-size: 11.0pt;">We subsequently have to leave the security gateway proxy port configured as 8080 and wanted to create a NAT rule to redirect inbound connections towards the security gateway on 3128 to 8080.</SPAN></P><P></P><P></P><P><SPAN style="font-size: 11.0pt;">What we did:</SPAN></P><UL><LI><SPAN style="font-size: 11.0pt;">Created a NAT rule:</SPAN></LI></UL><P style="padding-left: 60px;"><SPAN style="font-size: 11.0pt;"><IMG alt="" class="image-1 jive-image j-img-original" src="https://community.checkpoint.com/legacyfs/online/checkpoint/70796_nat_rule.jpg" /></SPAN></P><UL><LI><SPAN style="font-size: 11.0pt;">Testing:</SPAN></LI></UL><P style="padding-left: 60px;"><SPAN style="font-size: 12px; font-family: 'courier new', courier, monospace;"><SPAN style="color: #808080;">[davidh@zajnb01-kvm2c&nbsp;~]#</SPAN> telnet cache.lair.co.za 8080<BR />Trying 100.127.254.1...<BR /><SPAN style="color: #008000;">Connected</SPAN> to cache.lair.co.za (100.127.254.1).<BR />Escape character is '^]'.<BR /></SPAN></P><P style="padding-left: 60px;"><SPAN style="font-size: 12px; font-family: 'courier new', courier, monospace;"><SPAN style="color: #808080;">[</SPAN><SPAN style="color: #808080;">davidh@zajnb01-kvm2c</SPAN><SPAN style="color: #808080;">&nbsp;~]#</SPAN> telnet cache.lair.co.za 3128<BR />Trying 100.127.254.1...<BR />telnet: connect to address 100.127.254.1: <SPAN style="color: #ff6600;">Connection refused</SPAN><BR /></SPAN></P><P></P><P></P><P><SPAN style="font-size: 11.0pt;">Are there restrictions on NAT policies that I'm perhaps unaware of?</SPAN></P></BODY></HTML> Fri, 21 Sep 2018 12:57:38 GMT https://community.checkpoint.com/t5/General-Topics/NAT-policy-rules-for-internal-interfaces/m-p/28618#M5838 David_Herselman 2018-09-21T12:57:38Z https://community.checkpoint.com/t5/General-Topics/NAT-policy-rules-for-internal-interfaces/m-p/28619#M5839 <HTML><HEAD></HEAD><BODY><P>You are not traversing the firewall. You are trying to connect to it on a different port to begin with.</P></BODY></HTML> Fri, 21 Sep 2018 13:23:53 GMT https://community.checkpoint.com/t5/General-Topics/NAT-policy-rules-for-internal-interfaces/m-p/28619#M5839 Vladimir 2018-09-21T13:23:53Z https://community.checkpoint.com/t5/General-Topics/NAT-policy-rules-for-internal-interfaces/m-p/28620#M5840 <HTML><HEAD></HEAD><BODY><P>Hi Vladimir,</P><P></P><P>Thanks, I'll NAT the connection before it reaches the Check Point then...</P></BODY></HTML> Fri, 21 Sep 2018 15:30:06 GMT https://community.checkpoint.com/t5/General-Topics/NAT-policy-rules-for-internal-interfaces/m-p/28620#M5840 David_Herselman 2018-09-21T15:30:06Z