https://community.checkpoint.com/t5/General-Topics/Domain-objects-in-NAT-policy/m-p/33634#M7072 <HTML><HEAD></HEAD><BODY><P>Thanks for the reply..</P><P></P><P>Since manual NAT is checked first, this would always be matched... Also I would like to use range of addresses instead of one</P></BODY></HTML> Sun, 07 Oct 2018 21:51:40 GMT Usman_Shaikh 2018-10-07T21:51:40Z https://community.checkpoint.com/t5/General-Topics/Domain-objects-in-NAT-policy/m-p/33632#M7070 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-size: 10.0pt; color: black;">Hi Experts</SPAN></P><P><SPAN style="font-size: 10.0pt; color: black;">&nbsp;</SPAN></P><P><SPAN style="font-size: 10.0pt; color: black;">We current have a manual hide NAT in place for our internet traffic that translates our internal addresses to a publicly routable address on the external interface (call it eth1) of the firewall when accessing ALL Non-RFC addresses</SPAN></P><P><SPAN style="font-size: 10.0pt; color: black;">&nbsp;We now have a requirement to set up NAT for Azure Microsoft peering that uses a different outgoing interface (eth2) on the same firewall that is on a different public subnet(Routing is already setup using BGP for MS prefixes to go out via eth2)<BR /></SPAN></P><P><SPAN style="font-size: 10.0pt; color: black;">Since the destination is this case is dynamic Microsoft domains only, I was thinking along the lines of using Domain objects in order to avoid creating (and then manage) individual network objects that represent Microsoft IP prefixes.. However domain objects can only be used in access policy rules and not in NAT rules; therefore I am looking for best possible way to achieve this&nbsp; </SPAN></P><P><SPAN style="font-size: 10.0pt; color: black;">(Additionally I would like to use a pool of translated addresses and not having to use just the interface address due to limittion of 65k sessions)</SPAN></P><P><SPAN style="font-size: 10.0pt; color: black;">Deployment: VSX on R80.10</SPAN></P><P></P><P><SPAN style="font-size: 10.0pt; color: black;">Desired rulebase</SPAN></P><TABLE class="j-table jiveBorder" height="114" style="border: 1px solid #c6c6c6; width: 763px;"><THEAD><TR style="background-color: #efefef;"><TH style="width: 111px;">Rule</TH><TH style="width: 123px;">Original Source</TH><TH style="width: 155px;">Original Destination</TH><TH style="width: 181px;"><P>Translated Source</P><P>(Example only)</P></TH><TH style="width: 135px;">Trasnlated Destination</TH></TR></THEAD><TBODY><TR><TD style="width: 111px;">Internet-Access</TD><TD style="width: 123px;">Internal-Networks</TD><TD style="width: 155px;">Any</TD><TD style="width: 181px;"><P>1.1.1.1</P><P>(IP on eth1 subnet)</P></TD><TD style="width: 135px;">Original</TD></TR><TR><TD style="width: 111px;">Azure-Access</TD><TD style="width: 123px;">Internal-Networks</TD><TD style="width: 155px;">&lt;<EM>Microsoft Domains</EM>&gt;</TD><TD style="width: 181px;"><P>2.2.2.1 - 2.2.2.10</P><P>(IP range on eth2 subnet)</P></TD><TD style="width: 135px;">Original</TD></TR></TBODY></TABLE></BODY></HTML> Sun, 07 Oct 2018 21:08:53 GMT https://community.checkpoint.com/t5/General-Topics/Domain-objects-in-NAT-policy/m-p/33632#M7070 Usman_Shaikh 2018-10-07T21:08:53Z https://community.checkpoint.com/t5/General-Topics/Domain-objects-in-NAT-policy/m-p/33633#M7071 <HTML><HEAD></HEAD><BODY><P>I think you need just to c<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk30557">onfigure automatic NAT</A> to use hide behind gateway setting instead of both manual NAT rules.</P></BODY></HTML> Sun, 07 Oct 2018 21:32:46 GMT https://community.checkpoint.com/t5/General-Topics/Domain-objects-in-NAT-policy/m-p/33633#M7071 AlekseiShelepov 2018-10-07T21:32:46Z https://community.checkpoint.com/t5/General-Topics/Domain-objects-in-NAT-policy/m-p/33634#M7072 <HTML><HEAD></HEAD><BODY><P>Thanks for the reply..</P><P></P><P>Since manual NAT is checked first, this would always be matched... Also I would like to use range of addresses instead of one</P></BODY></HTML> Sun, 07 Oct 2018 21:51:40 GMT https://community.checkpoint.com/t5/General-Topics/Domain-objects-in-NAT-policy/m-p/33634#M7072 Usman_Shaikh 2018-10-07T21:51:40Z https://community.checkpoint.com/t5/General-Topics/Domain-objects-in-NAT-policy/m-p/33635#M7073 <HTML><HEAD></HEAD><BODY><P>If you are in position to upgrade to R80.20 then maybe you could use the new updateable objects, they have Azure as option</P><P></P><P><A class="link-titled" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk131852" title="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk131852">Updatable Objects in R80.20</A>&nbsp;</P><P></P><P>I haven't played with them yet and don't know if they would work in NAT.</P><P></P><P>Else dynamic objects should do the trick, you just need to script Azure IP updates <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://community.checkpoint.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P></P><P><A class="link-titled" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=skI1915" title="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=skI1915">Configuring Dynamic Objects</A>&nbsp;</P></BODY></HTML> Mon, 08 Oct 2018 07:16:44 GMT https://community.checkpoint.com/t5/General-Topics/Domain-objects-in-NAT-policy/m-p/33635#M7073 Kaspars_Zibarts 2018-10-08T07:16:44Z