This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
upendras
Participant
‎2020-02-19 04:56 AM
Jump to solution

STATIC NAT in Azure Checkpoint

How to configure Static NAT (Bi-directional)  and Outbound NAT (Source NAT) in Azure Checkpoint.

 

I have 3 VMs and want to send outbound traffic towards internet each with unique public IP. how can we configure such type of NAT in Azure checkpoint point.

 

Thanks

Upen

0 Kudos
1 Solution

Accepted Solutions
Matthias_Haas
Advisor
‎2020-02-19 01:29 PM
Jump to solution

Hi Upen,

are  you using a Single Gateway ?

In this case you could use additional public/private IPs on the external Interface (eth0) of the FW:

 

interface.png

and do the Source NAT for each vm on the FW  (to the Private IP, Azure in return is then NATing to the Public IP)

 

NAT.png

At least a outbound NAT is possible in this case.

 

Matthias

View solution in original post

0 Kudos
24 Replies
Matthias_Haas
Advisor
‎2020-02-19 01:29 PM
Jump to solution

Hi Upen,

are  you using a Single Gateway ?

In this case you could use additional public/private IPs on the external Interface (eth0) of the FW:

 

interface.png

and do the Source NAT for each vm on the FW  (to the Private IP, Azure in return is then NATing to the Public IP)

 

NAT.png

At least a outbound NAT is possible in this case.

 

Matthias

0 Kudos
upendras
Participant
‎2020-02-19 11:10 PM
In response to Matthias_Haas
Jump to solution

I have cluster in Azure.. and want to outbound NAT like VM private IP 10.1.1.1 go to Internet, it will be NATTed with 1.1.1.1

 

please help me suggest how can I achieve this...

 

Thanks

Upen

 

yunier88
Participant
‎2021-08-27 12:15 PM
In response to upendras
Jump to solution

Hello there,
In my case I need to know how to add a new public IP in my FW to be used by my prod Vnet in outbond. Currently all my VNETS (backend) when they go to the internet use the same public IP. But in my environment I need the Prod VNET to use a different public IP than the rest of the other Vnets. Somebody could help me? Thanks

Nir_Shamir
Employee Employee
Employee
‎2021-08-29 12:01 AM
In response to yunier88
Jump to solution

Hi,

I know that if you remove the Public IPs from the instances themselves (not the VIP) then the GWs will go out via the Frontend LB and then you can create an Outbound NAT rules on the Frontend LB with a different PIP which is allocated on the Frontend LB

0 Kudos
yunier88
Participant
‎2021-09-01 10:34 AM
In response to Nir_Shamir
Jump to solution

Hello there,

Do you have an example of the necessary rules to create in the Firewall and in the Load Balancer?

 

Thanks

0 Kudos
Nir_Shamir
Employee Employee
Employee
‎2021-09-02 05:03 AM
In response to yunier88
Jump to solution

usually the frontend-lb is created with an example rule you can copy. the Firewall NAT rules can be seen our admin guide:

 

https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_IaaS_HighAvailability_for_...

 

0 Kudos
yunier88
Participant
‎2021-09-02 08:47 AM
In response to Nir_Shamir
Jump to solution

Just to be sure, this information that you share with me is for outbond traffic. Since in my case I already managed to carry out inbound traffic with an LB. Thanks

0 Kudos
Nir_Shamir
Employee Employee
Employee
‎2021-09-05 12:58 AM
In response to yunier88
Jump to solution

no, that's for Inbound traffic.

For outbound you need to create outbound NAT rules on the Fronend-LB.

0 Kudos
yunier88
Participant
‎2021-09-08 08:31 AM
In response to Nir_Shamir
Jump to solution

Hello there,

Do you know where I can find some configuration example?

Thanks

0 Kudos
Nir_Shamir
Employee Employee
Employee
‎2021-09-09 01:09 AM
In response to yunier88
Jump to solution

I don't know if there are examples some where but the procedure is like this:

1) remove the PIPs from the Cluster members.

2) add a NAT rule which hides you specific traffic behind the cluster members external IP (Dynamic object named 'LocalGatewayExternal'

3) create an Outbound rule on the Frontend-LB behind a specific Frontend PIP for your specific traffic. 

 

all the traffic that equals to that rule will be hidden behind the Frontend-LB PIP and not the Cluster VIP.

0 Kudos
yunier88
Participant
‎2021-09-09 07:15 AM
In response to Nir_Shamir
Jump to solution

Hello there,

In my case it is a single gateway. The procediment will be the same?

On the other hand when you say: 1) remove the PIPs from the Cluster members.
In my case I cannot delete my only public IP from the Gateway, it is used for S2S and P2S VPN connection. Please can you explain in more detail?

Thanks

0 Kudos
Nir_Shamir
Employee Employee
Employee
‎2021-09-11 11:56 PM
In response to yunier88
Jump to solution

On a single gateway it's much more easier.

you can add a secondary private IP on the external interface of the Gateway (usually eth0) and attach to it a new PIP.

then in the rule base you do Source-NAT on your specific server and hide it behind the new Private IP you added.

From there it will be hidden behind the new PIP. 

yunier88
Participant
‎2021-09-14 12:40 PM
In response to Nir_Shamir
Jump to solution

Thanks, I'll try that solution

0 Kudos
Danimax007
Explorer
‎2024-07-16 06:44 AM
In response to Nir_Shamir
Jump to solution

Hello Nir,

If we remove the PIP assigned to each cluster member, how do we connect to the individual cluster members through ssh and https when they are managed from the external interface.

Is this the only solution for cluster cloudguard setup?

Looking forward to your feedback.

0 Kudos
bmomartins
Participant
‎2020-05-13 09:54 AM
In response to Matthias_Haas
Jump to solution

Hello @Matthias_Haas,

That will not work for an HA cluster, since that from Azure side you'll not be able to assign the same Public IP object to two different network interfaces.

How can we bypass this?

Cheers!

You may check my IT adventures under https://blog.bmartins.pt.
Nick_Mandafouni
Participant
‎2021-08-13 04:39 AM
In response to bmomartins
Jump to solution

Is there any resolution to this?  How do we fix this on an HA Cluster ?

Thanks

yunier88
Participant
‎2021-09-09 08:17 AM
In response to Matthias_Haas
Jump to solution

Hello there,

In this solution you provide. Is it necessary to change something in the routing of the FW? So that the main public IP (created by default) remains the IP for S2S and P2S VPN and Hide nat?

Thx

0 Kudos
PhoneBoy
Admin
Admin
‎2021-09-12 07:19 PM
In response to yunier88
Jump to solution

For VPN to work in this situation, you'll probably have to adjust the Link Selection setting in the relevant gateway object to use the public IP.

0 Kudos
yunier88
Participant
‎2021-09-14 12:41 PM
In response to PhoneBoy
Jump to solution

Hi,

Here I share a screenshot of my configuration in Link selection settings. Do you think the configuration is correct for the main public IP (created by default) remains the IP for S2S and P2S VPN and Hide nat? The ip you see in the screenshot 52xxxxxx is my main public IP.
Do you think that with this configuration there is no problem when I create other public IPs in the eth0 interface of my FW?

 

 


Thank you

Preview file
49 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2021-09-14 01:50 PM
In response to yunier88
Jump to solution

Yes this is how you’d configure it.

0 Kudos
AndyS
Explorer
‎2021-09-22 12:34 PM
In response to PhoneBoy
Jump to solution

A question regarding @yunier88 @PhoneBoy @Nir_Shamir , initial question; After adding an in Azure Portal Secondary Static Private IP with a Public IP, should the Network Interface panel in the WebUI browser; should we see an alias with its new Private IP and Public IP? Or do we need to manually add in the WebUI this Private and Public IPs?

Preview file
20 KB
0 Kudos
yunier88
Participant
‎2021-09-22 12:35 PM
In response to PhoneBoy
Jump to solution

Thanks so much!!

0 Kudos
yunier88
Participant
‎2021-09-22 12:47 PM
In response to PhoneBoy
Jump to solution

A question @PhoneBoy  @Nir_Shamir  regarding , initial question; After adding in Azure Portal a Secondary Static Private IP with a Public IP, should the Network Interface panel in the WebUI browser; should we see an alias with its Private IP and Public IP? Or do we need to manually add an alias to eth0 with a Public IP in the WebUI, generated in the Azure "IP configuration" of gaia NIC?
 
Thanks
Preview file
20 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2021-09-22 07:50 PM
In response to yunier88
Jump to solution

In general, this is not necessary, so long as you have the appropriate rules in place to deal with that specific IP.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events