Gaurav_Pandya
Advisor

Static NAT in Azure Checkpoint

Hi,

We have single checkpoint gateway installed in Azure environment. We want to do static NAT so that some IPs are publicly available but don't want to use gateway IP as a PAT.

I have attached one more IP to external interface of firewall which has public IP and followed steps given as below.

https://community.checkpoint.com/t5/CloudGuard-IaaS/STATIC-NAT-in-Azure-Checkpoint/td-p/75730

Done NAT configuration like below

Original source   Original Dest   Xlate source   Xlate Dest
Any               172.17.1.8      Any            172.17.7.24

Please note that 172.17.1.8 has a public IP and this NATing will be taken care of by Azure. When I am trying to test traffic from outside, I am getting proper logs but am not able to connect to the end machine 172.17.7.24. Please see the logs.

[Attachment: AzureLogs.JPG]

Does anyone have any idea why it is not working? Is any setting missing on the firewall or Azure side?


9 Replies
Vladimir
Champion

@Gaurav_Pandya , if you have set up only a unidirectional manual NAT rule, it will result in the behavior you are describing. Disable that rule and change the NAT properties of the object to configure static NAT.

Vladimir

Gaurav_Pandya
Advisor

Hi Vladimir. 

Thanks for your response. I am doing manual NAT because I will map multiple IPs to public IP with different ports in future.

For testing purposes, I have done Object NAT as well but it is still not working. Maybe I am missing something on the Azure side?

Vladimir
Champion

How is the NSG configured on the external side of the Check Point?

Gaurav_Pandya
Advisor

Hi All,

The issue is resolved. There was no firewall configuration issue. It is the Azure security group which is blocking the traffic. 😊

Mitesh
Participant

Hi Gaurav,

I am facing the same issue.

Can you tell me what configuration you did on the Security Group?

Regards,

Mitesh

Gaurav_Pandya
Advisor

Hi Mitesh,

You can define a security group or ACL for each subnet in Azure, where you define which source IP/subnet can access this subnet on a particular port. So you need to open the flow in the security group or ACL as well.

Mitesh
Participant

Hi Gaurav,

Thanks for the reply.

Just want to confirm: after assigning the secondary interface to the Check Point VM in the Azure portal, do we have to attach the secondary interface in the Check Point topology as an external interface?

Regards,

Mitesh

Gaurav_Pandya
Advisor

No. You do not need to add anything on Check Point except the required NAT rule and policy.

Please note that we are using single gateway.

Mitesh
Participant

Hi Gaurav,

I am new to Azure.

We have deployed Check Point in Standalone mode.

Recently we added a secondary IP address to the Check Point external interface.

            Private IP    Public IP
Primary     10.10.10.2    2.2.2.2
Secondary   10.10.10.3    3.3.3.3

Internal Server IP = 10.10.20.100

Our Requirement:-

We want to do Static NAT using Secondary Public IP. For that we created NAT & Firewall Policy as below.

Nat Policy:-

Original Src   Original Dst   Original Service   Translated Src   Translated Dst   Translated Service
Any            10.10.10.3     Any                Original         10.10.20.100     Any
10.10.20.100   Any            Any                10.10.10.3       Original         Any

Firewall Policy:-

Source   Destination   Service   Action
Any      3.3.3.3       Any       Accept
         10.10.10.3

Hope till now I am on the right track.

Can you tell me what configuration needs to be done on the Azure side?

Regards,

Mitesh Nandu

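As an added example that is not part of this thread or of any Check Point or Azure tooling, here is a small Python model of how an Azure NSG evaluates inbound rules (ascending priority, first match wins, with the default AllowVnetInBound/AllowAzureLoadBalancerInBound/DenyAllInBound rules), run against Mitesh's secondary private IP 10.10.10.3. The client address 203.0.113.5, the port 443 and the rule name are constructed; the service-tag matching is a simplification of the real tags.

```python
import ipaddress
from dataclasses import dataclass

# Constructed NSG model: Azure evaluates rules in ascending priority, first match wins.
# The three default inbound rules are assumed present, as they are in every NSG.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    name: str
    priority: int
    source: str   # CIDR, single IP, "*" or simplified tag Internet/VirtualNetwork/AzureLoadBalancer
    dest: str
    port: str     # "*", a single port, or "low-high"
    action: str   # "Allow" or "Deny"

def _addr_match(spec, ip):
    ip = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":   # simplified: any RFC 1918 address
        return any(ip in n for n in PRIVATE_RANGES)
    if spec == "Internet":         # simplified: anything not RFC 1918
        return not any(ip in n for n in PRIVATE_RANGES)
    if spec == "AzureLoadBalancer":
        return ip == ipaddress.ip_address("168.63.129.16")
    return ip in ipaddress.ip_network(spec, strict=False)

def _port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]

def evaluate(rules, src, dst, port):
    """Return (action, rule name) of the first rule, by priority, that matches the flow."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _addr_match(r.source, src) and _addr_match(r.dest, dst) and _port_match(r.port, port):
            return r.action, r.name
    return "Deny", "no-match"

if __name__ == "__main__":
    # Constructed client 203.0.113.5 reaching the secondary private IP 10.10.10.3 on TCP/443.
    print(evaluate([], "203.0.113.5", "10.10.10.3", 443))   # ('Deny', 'DenyAllInBound')
    fix = [Rule("Allow-HTTPS-to-secondary", 100, "Internet", "10.10.10.3", "443", "Allow")]
    print(evaluate(fix, "203.0.113.5", "10.10.10.3", 443))  # ('Allow', 'Allow-HTTPS-to-secondary')
```

Without an explicit allow rule the flow falls through to DenyAllInBound, which matches the symptom in the thread (gateway logs show the connection, but the server is unreachable).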