Apply NAT to subnet that is not physically configured on the gateway cluster

At the moment we have an external /24 subnet applied to the external interfaces of our Check Point cluster; we use this subnet to do all of our NATs for our DMZs.
We are moving to a datacentre where they will not be able to supply us with a /24 subnet directly.
What they will do is provide us with a /28 "transit" subnet and then will provide us a larger "hosting" subnet behind this "transit" subnet.
I will apply IPs from the transit subnet to the gateways and to the VIP of the gateway cluster; the datacentre will route to the "hosting" subnet via the VIP of our gateway cluster transit IP.
I will then apply the NATs for our DMZ to the "hosting" subnet on the Check Points.
Is this a viable setup? I want to make sure this will work before we move to the datacentre, as our maintenance window will be fairly small.

2 Replies

Yes this should work exactly as expected. 

In my view it's a better option since it doesn't require proxy-arp.

0 Kudos

Yea, I agree with Chris. I don't see why it would not; I don't see many people these days even having to do proxy-arp any more for destination NAT.

0 Kudos
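The pre-migration check the thread implies, as an added example that is not part of the original posts: it confirms that every planned NAT address sits in the routed "hosting" subnet (so the upstream router forwards it to the cluster VIP and never ARPs for it) rather than in the on-link "transit" subnet (where proxy ARP would be needed). All addresses are constructed from documentation ranges, and the function names are hypothetical; nothing here calls a Check Point API.

```python
import ipaddress

def classify_nat_ip(nat_ip, transit_net, hosting_net, gateway_ips):
    """Say how the upstream router would reach nat_ip."""
    ip = ipaddress.ip_address(nat_ip)
    if ip in {ipaddress.ip_address(a) for a in gateway_ips}:
        return "own-address"   # configured on the cluster, ARP answered natively
    if ip in ipaddress.ip_network(transit_net):
        return "proxy-arp"     # on-link for the router: it ARPs, gateway must answer
    if ip in ipaddress.ip_network(hosting_net):
        return "routed"        # forwarded to the route's next hop, no ARP for this IP
    return "unreachable"       # covered by neither subnet

def check_plan(vip, members, transit_net, hosting_net, route_next_hop, nat_ips):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    transit = ipaddress.ip_network(transit_net)
    hosting = ipaddress.ip_network(hosting_net)
    vip_addr = ipaddress.ip_address(vip)
    edges = (transit.network_address, transit.broadcast_address)
    if vip_addr not in transit or vip_addr in edges:
        problems.append(f"VIP {vip} is not a usable host address in {transit}")
    if transit.overlaps(hosting):
        problems.append(f"{hosting} overlaps {transit}, so part of it is on-link upstream")
    # The provider's route must target the cluster VIP, not a member address,
    # otherwise traffic stops flowing after a failover.
    if ipaddress.ip_address(route_next_hop) != vip_addr:
        problems.append(f"route to {hosting} points at {route_next_hop}, not the VIP {vip}")
    for nat_ip in nat_ips:
        kind = classify_nat_ip(nat_ip, transit_net, hosting_net, [vip, *members])
        if kind != "routed":
            problems.append(f"NAT address {nat_ip} is {kind}")
    return problems

# Constructed sample plan (RFC 5737 documentation ranges, not real addressing).
PLAN = dict(
    vip="192.0.2.1",
    members=["192.0.2.2", "192.0.2.3"],
    transit_net="192.0.2.0/28",
    hosting_net="198.51.100.0/24",
    route_next_hop="192.0.2.1",
    nat_ips=["198.51.100.10", "198.51.100.25"],
)

if __name__ == "__main__":
    for line in check_plan(**PLAN) or ["plan is consistent: NAT addresses are routed to the VIP"]:
        print(line)
```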

