This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kristof_Vermael
Contributor
‎2018-11-26 01:36 AM

API - Add nat rule with Hide and Static method

Jump to solution

Hello all,

I'm trying to find out if it is possible to add a NAT rule with the API with Hide NAT for the source address, and a Static NAT for the destination. In the documentation, it is only possible to add one method, Hide, or static.

The use case : I have a group that needs to connect to a single IP, I need to Hide the source after 1 single IP and I need to translate the destination to 1 single IP.

It is possible in the GUI, but for my automation, I would need to create these rules with the API.

Any ideas ?

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2018-11-26 01:42 PM

Jump to solution

Just to clarify the method option in add nat-rule refers to what happens to the source address (hide or static).

If you specify a translated-destination, the only supported method is static and it should be the same size (host, network, or range) as the original- destination.

View solution in original post

6 Replies
Egor_Cherkasov
Contributor
‎2018-11-26 06:16 AM

Jump to solution

I've not completely understood your question, but I'll try to give you some information.

Hide NAT translates multiple source addresses to a one public address.

The destination adress always will be the one, because You connect to a public IP.

Even when you have 2 different LANs, which are connected with each other through the Internet. The destination adress will be permanent, because your IP packet has that destination.

Static NAT translates 1 to 1 (source to public) address.

In your case you definetely should use Hide NAT.

Regards.

0 Kudos
Kristof_Vermael
Contributor
‎2018-11-26 06:43 AM
In response to Egor_Cherkasov

Jump to solution

Hello,

Let me explain it with an example :

Orginal source : 10.0.0.0/24

Original destination : 10.100.1.1/32

translated source : 10.200.1.1/32

translated destination : 8.8.8.8/32

In my opinion, you are doing HIDE NAT for the source and STATIC NAT for the destination.

I have run a few a test with the API and although you can only define on method ( Hide or Static ) and seems R80.10 is somehow intelligent to know that this is for the source only. Translated Source is Hide in my policy, Translated Destination is Static in my policy.

This is what I've been looking for.

0 Kudos
Mike_A
Advisor
‎2018-11-26 07:36 AM
In response to Kristof_Vermael

Jump to solution

Kristof/Egor,

I just used the line below in my lab, source of translated packet is a HIDE and destination of translated is a STATIC. 

Please keep in mind this is through SmartConsole CLI, but you can modify to work with mgmt_cli as well. 

Note, in bold below you would replace with what your object names are. 

# add NAT

add nat-rule original-source net_10.0.0.0_b24 original-destination srv_10.100.1.1 translated-source srv_10.200.1.1 method hide translated-destination srv_8.8.8.8 package Mike position bottom

# screen shot

PhoneBoy
Admin
Admin
‎2018-11-26 01:42 PM

Jump to solution

Just to clarify the method option in add nat-rule refers to what happens to the source address (hide or static).

If you specify a translated-destination, the only supported method is static and it should be the same size (host, network, or range) as the original- destination.

Kristof_Vermael
Contributor
‎2018-11-27 12:19 AM
In response to PhoneBoy

Jump to solution

Hello Dameon,

In R77.30, it was however possible to see hide nat for destination nat when you change the NAT method.

I was a bit confused about this, but in R80.10, it all seems to work !

0 Kudos
PhoneBoy
Admin
Admin
‎2018-11-27 06:36 AM
In response to Kristof_Vermael

Jump to solution

Pretty sure that was a bug it even allowed that. Smiley Happy