This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
dede79
Contributor
‎2023-02-01 05:44 AM
Jump to solution

ISP Redundancy - NAT

Hello,

as tested outbound traffic hide-nat works with ISP redundancy (act/standby)  when selecting hide behind gateway in the network object. Solution should be sk25152.

Is there an option to do so with dynamic objects? Most customers use manual nat with groups in source column.

I tested in lab with 2 dynamic objects:

[Expert@ISPgw01:0]# dynamic_objects -l

object name : DYN_ISP_A
range 0 : 0.0.0.0 255.255.255.255

object name : DYN_ISP_B
range 0 : 0.0.0.0 255.255.255.255

Since $FWDIR/bin/cpisp_update script looks really different than in the sk I did not change it.

created the same objects in dashboard and made 2 nat rules:

isp-hnat.jpg

 

If ISP A fails default route is switched to ISP B but the still the public hidenat IP of ISP A is used - Rule 5 always matches.

Version R81.10

0 Kudos
1 Solution

Accepted Solutions
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-02-01 07:53 AM
Jump to solution

>> Since $FWDIR/bin/cpisp_update script looks really different than in the sk I did not change it.

You have too - enter the needed lines as shown in sk25152 or the Dynamic objects will not change. sk25152 has more NAT rules and ARP Requests for the Manual NAT IP to be taken care of.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

9 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-02-01 07:53 AM
Jump to solution

>> Since $FWDIR/bin/cpisp_update script looks really different than in the sk I did not change it.

You have too - enter the needed lines as shown in sk25152 or the Dynamic objects will not change. sk25152 has more NAT rules and ARP Requests for the Manual NAT IP to be taken care of.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
dede79
Contributor
‎2023-02-02 02:21 AM
In response to G_W_Albrecht
Jump to solution

OK, I think I skipped the "add" in the sk - now it works - manual HNAT  Rules...manual SNAT in/out for the DMZ Servers - great!

0 Kudos
Jones
Collaborator
Collaborator
‎2023-09-28 05:37 AM
In response to G_W_Albrecht
Jump to solution

Hi,

sk25152 describes a script for two ISP's in a loadsharing solution. From R81.10 more then two ISP's are supported. So what about a High Available solution with three ISP's, that should also be possible. What lines in the cpisp_update are then needed for this solution?

Grtz Jones

0 Kudos
Jones
Collaborator
Collaborator
‎2023-10-19 12:18 AM
In response to Jones
Jump to solution

I got a reply from Check Point support. They updates sk25152 and gave me the cpisp_update lines for 3 ISP's that I added it in this post. Don't forget to add two extra lines on the CLI:

dynamic_objects -n DYN_ISP_C
dynamic_objects -o DYN_ISP_C -r 0.0.0.0 0.0.0.0 -a

ISP Redundancy - 3 ISP.txt
0 Kudos
dede79
Contributor
‎2024-02-22 05:22 AM
In response to G_W_Albrecht
Jump to solution

Just have same config with R81.20 but not working...

Do the dynamic-objects / object names in the script MUST be exactly "DYN_ISP_A" and so on or can I use other names like "DYN_ISP_COLT"....?

Regardinf ISP Red in loadsharing and sk25152- there is still mentioned that the solution is only for HA. So there the only option is hide-behind-gateway ?

0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2023-02-01 09:11 AM
Jump to solution

  • @dede79 What do you want to achieve?  The „hide behind gateway“ setting is the solution for outgoing connections and ISP redundancy. You don‘t wrote what‘s your problem. You wrote „ Solution should be sk25152“ but which problem?
0 Kudos
(1)
dede79
Contributor
‎2024-02-22 05:27 AM
In response to Wolfgang
Jump to solution

are you really able to hide everything behind gateway in you environments? No need to use specific IPs for NAT?

0 Kudos
dede79
Contributor
‎2024-03-05 01:58 AM
In response to dede79
Jump to solution

Update from TAC: sk25152 not supportet from R81.10 upwards. Supportet workaround would be using manual nat rules with zone in destination field.

0 Kudos
cyberfinder
Explorer
‎2024-06-12 02:13 PM
In response to dede79
Jump to solution

specific Ip hide NAT will work with ISP load sharing mode ? as i have tried seems like its not supported. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events