Hello all,
I'm trying to find out if it is possible to add a NAT rule with the API with Hide NAT for the source address, and a Static NAT for the destination. In the documentation, it is only possible to add one method, Hide, or static.
The use case: I have a group that needs to connect to a single IP, I need to Hide the source after 1 single IP and I need to translate the destination to 1 single IP.
It is possible in the GUI, but for my automation, I would need to create these rules with the API.
Any ideas?
I've not completely understood your question, but I'll try to give you some information.
Hide NAT translates multiple source addresses to one public address.
The destination address will always be the one, because you connect to a public IP.
Even when you have 2 different LANs, which are connected with each other through the Internet. The destination address will be permanent, because your IP packet has that destination.
Static NAT translates 1 to 1 (source to public) address.
In your case you definitely should use Hide NAT.
Regards.
Hello,
Let me explain it with an example:
Original source: 10.0.0.0/24
Original destination: 10.100.1.1/32
Translated source: 10.200.1.1/32
Translated destination: 8.8.8.8/32
In my opinion, you are doing HIDE NAT for the source and STATIC NAT for the destination.
I have run a few tests with the API, and although you can only define one method (Hide or Static), it seems R80.10 is somehow intelligent enough to know that this is for the source only. Translated Source is Hide in my policy, Translated Destination is Static in my policy.
This is what I've been looking for.
Kristof/Egor,
I just used the line below in my lab, source of translated packet is a HIDE and destination of translated is a STATIC.
Please keep in mind this is through SmartConsole CLI, but you can modify to work with mgmt_cli as well.
Note, in bold below you would replace with what your object names are.
# add NAT
add nat-rule original-source net_10.0.0.0_b24 original-destination srv_10.100.1.1 translated-source srv_10.200.1.1 method hide translated-destination srv_8.8.8.8 package Mike position bottom
Just to clarify the method option in add nat-rule refers to what happens to the source address (hide or static).
If you specify a translated-destination, the only supported method is static and it should be the same size (host, network, or range) as the original-destination.
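The rule discussed in this thread, as an added example that is not code from any poster or from Check Point: a Python helper that builds the add nat-rule parameters for automation and rejects a translated destination that is not the same size as the original one before anything is sent. The parameter names are the ones in the command line above; the `OBJECTS` inventory, the `first-last` range notation and the function names are assumptions made for this example.

```python
import ipaddress
import json

# Constructed inventory: object name -> address, using the thread's sample values.
OBJECTS = {
    "net_10.0.0.0_b24": "10.0.0.0/24",
    "srv_10.100.1.1": "10.100.1.1",
    "srv_10.200.1.1": "10.200.1.1",
    "srv_8.8.8.8": "8.8.8.8",
}

def object_size(spec):
    """Return (kind, address count) for 'a.b.c.d', 'a.b.c.d/len' or 'first-last'."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        if last < first:
            raise ValueError(f"range is reversed: {spec}")
        return ("range", int(last) - int(first) + 1)
    net = ipaddress.ip_network(spec, strict=True)
    kind = "host" if net.prefixlen == net.max_prefixlen else "network"
    return (kind, net.num_addresses)

def build_nat_rule(package, orig_src, orig_dst, xlat_src, method,
                   xlat_dst=None, position="bottom", objects=OBJECTS):
    """Build the add nat-rule parameters; 'method' describes the source only."""
    if method not in ("hide", "static"):
        raise ValueError("method must be 'hide' or 'static'")
    body = {
        "package": package,
        "position": position,
        "original-source": orig_src,
        "original-destination": orig_dst,
        "translated-source": xlat_src,
        "method": method,
    }
    if xlat_dst is not None:
        # Destination translation is always static, so both sides must be the
        # same kind and size (host, network, or range).
        if object_size(objects[orig_dst]) != object_size(objects[xlat_dst]):
            raise ValueError(f"{xlat_dst} is not the same size as {orig_dst}")
        body["translated-destination"] = xlat_dst
    return body

if __name__ == "__main__":
    rule = build_nat_rule("Mike", "net_10.0.0.0_b24", "srv_10.100.1.1",
                          "srv_10.200.1.1", "hide", xlat_dst="srv_8.8.8.8")
    print(json.dumps(rule, indent=2))
```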
Hello Dameon,
In R77.30, it was however possible to see hide nat for destination nat when you change the NAT method.
I was a bit confused about this, but in R80.10, it all seems to work !
Pretty sure that was a bug it even allowed that.