Roy_Long
Contributor

AWS CloudGuard Multiple Static NAT rules

All, please assist with this.

I am about 90% there with my CloudGuard configuration and seem to be stuck at the last hurdle.

Here's what I have and I am sure it's something straight forward for one of the Gurus on here.

Internal network 10.99.1.0/24 - private

External network 10.99.0.0/24 - public

Check Point eth0 has primary and secondary IPs 10.99.0.230 & 10.99.0.235.

Each has an EIP (Elastic IP address) associated with it.

Check Point has eth1 assigned a single IP address, 10.99.1.230, in private.

Route tables are set:

Public 0.0.0.0/0 through the AWS Internet Gateway

Private 0.0.0.0/0 through eth1 of Check Point

I have Hide behind Gateway set as NAT for the Check Point gateway object.

I have a manual static NAT rule for an internal host 10.99.1.x to NAT to a cloned host object with the secondary EIP (which is assigned to eth0 of Check Point) set as the translated address.

I have an opposite rule set to translate back from the public secondary IP to the internal host.

I have a policy rule which accepts traffic from the secondary external IP address to Any.

When I delete the NAT rule I can access the internet from the internal host (NATed through the Gateway public IP address). With the static NAT rule active it's not returning anything, although I see the traffic from the internal host hitting the firewall and an Accept entry in the log - just nothing seems to come back.

What have I missed?

Best regards,

Roy.

13 Replies
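Before touching the Check Point NAT rulebase, it is worth confirming the AWS-side prerequisites the post relies on: that each private address on eth0 really has an Elastic IP associated, and that the EC2 source/destination check is disabled on the gateway's interfaces. The script below is an added example (not from the post or from Check Point) that audits a constructed sample shaped like `aws ec2 describe-network-interfaces` JSON output; the EIP values and interface descriptions are made up.

```python
"""Audit AWS-side prerequisites for static NAT on an EC2-hosted gateway."""
import json

# Constructed sample mimicking `aws ec2 describe-network-interfaces` output
# for the two interfaces in the post. EIPs are documentation addresses.
SAMPLE = json.dumps({
    "NetworkInterfaces": [
        {
            "Description": "eth0",
            "SourceDestCheck": False,
            "PrivateIpAddresses": [
                {"PrivateIpAddress": "10.99.0.230", "Primary": True,
                 "Association": {"PublicIp": "203.0.113.10"}},
                {"PrivateIpAddress": "10.99.0.235", "Primary": False,
                 "Association": {"PublicIp": "203.0.113.11"}},
            ],
        },
        {
            "Description": "eth1",
            "SourceDestCheck": True,  # deliberately wrong in the sample
            "PrivateIpAddresses": [
                {"PrivateIpAddress": "10.99.1.230", "Primary": True},
            ],
        },
    ]
})


def audit_nat_interfaces(describe_json: str, nat_private_ips: set):
    """Return (findings, eip_map); an empty findings list means all checks passed.

    eip_map gives the EIP AWS maps to each private address in nat_private_ips.
    """
    findings, eip_map = [], {}
    for eni in json.loads(describe_json)["NetworkInterfaces"]:
        name = eni.get("Description") or eni.get("NetworkInterfaceId", "?")
        # An instance forwarding traffic for other hosts must have the
        # source/destination check disabled on every interface it uses.
        if eni.get("SourceDestCheck", True):
            findings.append(f"{name}: SourceDestCheck is enabled; disable it")
        for addr in eni.get("PrivateIpAddresses", []):
            ip = addr["PrivateIpAddress"]
            if ip not in nat_private_ips:
                continue
            public_ip = addr.get("Association", {}).get("PublicIp")
            if public_ip is None:
                findings.append(f"{name}: {ip} has no Elastic IP associated")
            else:
                eip_map[ip] = public_ip
    for ip in nat_private_ips - set(eip_map) - {f.split(":")[1].split()[0] for f in findings if " has no Elastic IP" in f}:
        findings.append(f"{ip}: not found on any interface")
    return findings, eip_map
```

Run it against real output with `aws ec2 describe-network-interfaces --filters Name=attachment.instance-id,Values=<instance-id> --output json` and the private addresses used on eth0.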