
Duplicated static NAT ip address?! How is it even possible?

Hello.

Recently I have found something very strange (maybe even a bug).

On Gaia R80.10 kernel 2.6.18-92cpx86_64 build 462 in Smart Console I can have two different hosts with different IP addresses each having the same static NAT IP address. And - imagine - policy installs without any warning.

In previous releases (for example in R77.30) it was impossible - during host edit I had an immediate warning about it when I erroneously tried to assign a static NAT IP address which was already used elsewhere (by another host) and I had to change it to something unique.

Please, can you check it out and deny or eventually confirm.

Regards

0 Kudos
3 Replies
Jerry
Gold

Re: Duplicated static NAT ip address?! How is it even possible?

This isn't a bug, Mirek :)

You can NAT statically from multiple internal hosts.

Can you please explain why in your opinion this is wrong?

Static does not mean 1-2-1 (one-to-one) and afaik it never did on Check Point.

Other than with Cisco and other vendors, sometimes with specific scenarios it does indeed mean single IP with single NAT IP for outbound/inbound, but that's why we've got something called proxy-arp :)

Jerry

Re: Duplicated static NAT ip address?! How is it even possible?

Mirek means Automatic static NAT, which does not make much sense as it will create 4 entries in the NAT rules, 2 inbound and 2 outbound, only the first of the 2 inbound will be allowed. So if it does no longer give a warning, when trying to assign a duplicate automatic static NAT, that is a shortcoming.

When I need to use an outbound NAT same as another host that already has an Automatic static NAT or an inbound that is only for a specific port, I would add those above the Automatic NAT section as manual NAT rules.

Regards, Maarten
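
The behaviour Maarten describes, modelled as an added example (not part of the original thread and not Check Point code): two hosts sharing one automatic static NAT address expand into four rules, and with first-match evaluation the second inbound rule is never hit. The host records, field names and the rule ordering (list order stands in for the order the management server generates) are assumptions; all names and addresses are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample hosts; 203.0.113.0/24 is a documentation range.
HOSTS = [
    {"name": "web-a", "ip": "10.1.1.10", "static_nat": "203.0.113.10"},
    {"name": "web-b", "ip": "10.1.1.20", "static_nat": "203.0.113.10"},
    {"name": "mail",  "ip": "10.1.1.30", "static_nat": "203.0.113.25"},
]

def automatic_static_rules(hosts):
    """Expand each host into its two automatic static NAT rules:
    outbound (translate source) and inbound (translate destination)."""
    rules = []
    for h in hosts:
        real, nat = str(ip_address(h["ip"])), str(ip_address(h["static_nat"]))
        rules.append({"host": h["name"], "dir": "outbound",
                      "match": ("src", real), "translate_to": nat})
        rules.append({"host": h["name"], "dir": "inbound",
                      "match": ("dst", nat), "translate_to": real})
    return rules

def shadowed_rules(rules):
    """First match wins: a rule whose match key equals an earlier rule's
    can never be hit. Returns (shadowed_rule, winning_rule) pairs."""
    first_seen, shadowed = {}, []
    for r in rules:
        winner = first_seen.setdefault(r["match"], r)
        if winner is not r:
            shadowed.append((r, winner))
    return shadowed

def duplicate_nat_report(hosts):
    """Report each static NAT address used by more than one host, and
    which of those hosts can never be reached inbound."""
    by_nat = defaultdict(list)
    for h in hosts:
        by_nat[str(ip_address(h["static_nat"]))].append(h["name"])
    dead = {s["host"] for s, _ in shadowed_rules(automatic_static_rules(hosts))}
    return {nat: {"hosts": names,
                  "unreachable_inbound": [n for n in names if n in dead]}
            for nat, names in by_nat.items() if len(names) > 1}

if __name__ == "__main__":
    for nat, info in duplicate_nat_report(HOSTS).items():
        print(f"{nat}: shared by {info['hosts']}; "
              f"inbound never reaches {info['unreachable_inbound']}")
```

Both outbound rules stay live because they match on different source addresses; only the inbound pair collides, which is why the duplicate is easy to miss without a warning at edit time.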
Jerry
Gold

Re: Duplicated static NAT ip address?! How is it even possible?

Fair enough, in that case you're correct. In a Dash this should not be allowed indeed :)

Jerry
0 Kudos