This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Gaurav_Pandya
Advisor
‎2020-03-28 12:12 AM

Static NAT in Azure Checkpoint

Hi,

We have single checkpoint gateway installed in Azure environment. We want to do static NAT so that some IPs are publicly available but don't want to use gateway IP as a PAT.

I have attached one more IP to external interface of firewall which has public IP and followed steps given as below.

https://community.checkpoint.com/t5/CloudGuard-IaaS/STATIC-NAT-in-Azure-Checkpoint/td-p/75730

Done NAT configuration like below

Original source   Original Dest               Xlate source     Xlate Des

 Any                        172.17.1.8                   Any                    172.17.7.24 

Please note that 172.17.1.8 has public IP and this NATing will be taken care by Azure. when I am trying to test traffic from outside, I am getting proper logs but not able to connect end machine 172.17.7.24. Please see logs.

AzureLogs.JPG

Does anyone has any idea why it is not working. any setting is missing on firewall or azure side?

 

 

9 Replies
Vladimir
Champion
Champion
‎2020-03-28 06:27 AM

@Gaurav_Pandya , if you have set up only a unidirectional manual NAT rules, it'll result in the behavior you are describing. Disable that rule and change the NAT properties of the object to configure static NAT.

Vladimir

Gaurav_Pandya
Advisor
‎2020-03-28 07:22 PM
In response to Vladimir

Hi Vladimir. 

Thanks for your response. I am doing manual NAT because I will map multiple IPs to public IP with different ports in future.

For testing purpose, I have done Object NAT as well but still it is not working. May be I am missing something on Azure side?

Vladimir
Champion
Champion
‎2020-03-28 07:27 PM
In response to Gaurav_Pandya

how is the NSG configured on the external side of the Check Point?

Gaurav_Pandya
Advisor
‎2020-03-30 06:15 AM
In response to Vladimir

Hi All,

Issue is resolved. There was no firewall configuration issue. It is the Azure security group which is blocking traffic. 😊

Mitesh
Participant
‎2020-04-21 04:39 AM
In response to Gaurav_Pandya

Hi Gaurav,

Am facing same issue.

Can you tell me what configuration you did the Security Group.

Regards,

Mitesh

0 Kudos
Gaurav_Pandya
Advisor
‎2020-04-21 04:50 AM
In response to Mitesh

Hi Mitesh,

You can define security group or ACL for each subnet in Azure, where you will define which source IP/subnet will access this subnet with particular port. So you need to open flow in security group or ACL as well.

0 Kudos
Mitesh
Participant
‎2020-04-21 05:55 AM
In response to Gaurav_Pandya

Hi Gaurav,

Thanks for the reply.

Just want to confirm, post assigning secondary interface to Checkpoint VM in Azure portal. Does we have attach secondary interface in Checkpoint topology as a external interface.

 

Regards,

Mitesh

0 Kudos
Gaurav_Pandya
Advisor
‎2020-04-21 09:20 PM
In response to Mitesh

No. You do not need to add anything on Checkpoint except required NAT rule and policy.

Please note that we are using single gateway.

0 Kudos
Mitesh
Participant
‎2020-04-21 10:19 PM
In response to Gaurav_Pandya

Hi Gaurav,

Am new in Azure.

We have deployed Checkpoint in Standalone mode.

Recently we added secondary ip address to Checkpoint External Interface.

 Private IPPublic IP
Primary10.10.10.22.2.2.2
Secondary10.10.10.33.3.3.3

 

Internal Server IP = 10.10.20.100

Our Requirement:-

We want to do Static NAT using Secondary Public IP. For that we created NAT & Firewall Policy as below.

Nat Policy:-

Original SrcOriginal DstOriginal ServiceTranslated SrcTranslated DstTranslated Service
Any10.10.10.3AnyOriginal10.10.20.100Any
10.10.20.100AnyAny10.10.10.3OriginalAny

 

Firewall Policy:-

SourceDestinationServiceAction
Any3.3.3.3AnyAccept
10.10.10.3

 

Hope till now am on right track.

Can you tell me what configuration needs to be done in Azure side.

Regards,

Mitesh Nandu

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events