Dimitar139594
Explorer

NAT Help: How to NAT to "Remote" internal subnets (not directly connected) on a 2500 Appliance?

Hi everyone,

I’m running into a bit of a routing/NAT challenge on a Check Point 2500 Security Gateway (R82.00.05) and could use some collective wisdom.

The Scenario: I need to set up Static NAT for a few internal servers. Usually, this is straightforward when the servers are in a direct LAN segment. However, these specific servers live in a different building/VLAN that is routed to the Check Point via a core switch.

  • Checkpoint Internal IP: 10.0.1.1/24

  • Target Server IP: 192.168.50.10 (reachable via a static route/OSPF pointing to a core switch at 10.0.1.2)

  • Goal: Map a Public IP (1.1.1.10) to the Internal Server (192.168.50.10).

The Problem: When I configure the NAT rule and the Host object, the traffic seems to die at the gateway. I suspect the issue is related to Proxy ARP or the gateway not knowing how to handle the "non-local" destination for a NATed packet.

A few specific questions for the experts:

  1. Since the target IP isn't on a local interface, do I still need a manual Proxy ARP entry for the Public IP?

  2. Is there a specific setting in the NAT tab of the Host object (like "Install on Gateway") that I should be wary of in a routed environment?

  3. Do I need to create a "dummy" interface or use a specific Routing/NAT trick to make the 2500 realize it should forward that translated packet back to the core switch instead of looking for it on the local wire?

I’ve checked the logs in SmartConsole, and I see the hits, but no return traffic. Any advice on the "Check Point way" to handle NAT for remote internal subnets would be greatly appreciated.

0 Kudos
4 Replies
emmap
MVP Gold CHKP

No to all of the above. How are you doing the NAT? You shouldn't have to adjust anything, really. Think of what the IP headers are on the packet pre- and post-NAT and make sure the routing across the rest of the network will send the return packet back to the gateway. 

0 Kudos
Dimitar139594
Explorer

The outgoing traffic of the hosts on the remote networks is routed correctly - they have Internet access with "Hide internal networks behind the gateway's external IP address" enabled.

I have tried both with standard Server forwarding rules and manual NAT. Also added firewall rules to accept traffic from and to the remote networks.

Traffic reaches the WAN interface but is not sent out on the LAN interface.

0 Kudos
emmap
MVP Gold CHKP

In theory, if we are allowing inbound traffic from the internet here, all you should need here is a rule in the policy allowing access to the network host object for that server, then inside that host object configure your static NAT IP. 

0 Kudos
NikitaOstrovsky
Employee

Hi,

I'm not sure what the flow is here, but I definitely see possible problematic points that I would advise checking. First, you don't need to set any proxy ARP if you do static NAT as you described (creating a host object and setting static NAT within it). Your remote internal host must have the same flow of static NAT. Check that your rulebase is not dropping that connection. Finally, traceroute or tcpdump can help you))) Good luck!! BTW, if this is always a one-way server call, you can use hide NAT on the origin.

0 Kudos
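To make emmap's "think of the IP headers pre- and post-NAT" advice concrete, here is an added toy model (not Check Point code and not from any poster) of what the 2500 does with the inbound packet and what the rest of the network must do with the reply. It uses the addresses from the question (10.0.1.1, 10.0.1.2, 192.168.50.10, 1.1.1.10); the ISP next hop 203.0.113.1 and the client address 198.51.100.7 are constructed, and the `core_default_hop` parameter is a hypothetical stand-in for the core switch's default route.

```python
# Constructed model of static NAT on a routed (non-connected) internal subnet.
import ipaddress

# Gateway routing table (constructed): prefix -> (next hop, egress interface).
GATEWAY_ROUTES = {
    "192.168.50.0/24": ("10.0.1.2", "LAN"),  # remote VLAN via the core switch
    "10.0.1.0/24": ("connected", "LAN"),     # directly connected LAN segment
    "0.0.0.0/0": ("203.0.113.1", "WAN"),     # assumed ISP next hop
}
# Static NAT from the host object: public IP -> internal IP.
STATIC_NAT = {"1.1.1.10": "192.168.50.10"}
GATEWAY_LAN_IP = "10.0.1.1"

def lookup(routes, dst):
    """Longest-prefix match over `routes`; returns (next_hop, interface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, hop)
    return best[1] if best else None

def inbound(pkt):
    """Internet -> server: translate the destination, then route the POST-NAT header.
    The route lookup uses the internal IP, so a routed next hop (not proxy ARP)
    is what gets the packet back toward the core switch."""
    post = {"src": pkt["src"], "dst": STATIC_NAT.get(pkt["dst"], pkt["dst"])}
    return post, lookup(GATEWAY_ROUTES, post["dst"])

def return_path(core_default_hop, post_nat_pkt):
    """Server -> internet: the core switch must forward the reply to the gateway
    so the source can be translated back to the public IP. If its default route
    points elsewhere, the reply bypasses the NAT state ("hits, but no return")."""
    reply = {"src": post_nat_pkt["dst"], "dst": post_nat_pkt["src"]}
    if core_default_hop != GATEWAY_LAN_IP:
        return None  # asymmetric routing: gateway never sees the reply
    internal_to_public = {v: k for k, v in STATIC_NAT.items()}
    reply["src"] = internal_to_public.get(reply["src"], reply["src"])
    return reply
```

Run `inbound({"src": "198.51.100.7", "dst": "1.1.1.10"})` to see the post-NAT header routed to 10.0.1.2 on LAN, then feed that header to `return_path` with the core switch's real default hop to check that the reply would come back through the gateway.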
