TSOL
Advisor

How to apply NAT to a Network Group

Hello Team,

 

We are planning to test a NAT configuration on R81.20.

If I set a Network Group as the source, the following error is displayed.

"The Network group is only valid if the value of the matching translated colum is 'Original' or if the translated source is 'HOST' /Address Range and the Method is Hide."

I want to configure NAT for a Network Group. In this case, do I need to set up Hide NAT for each individual object separately?

 

Thank you for all the advice.


Accepted Solutions
AkosBakos
Leader

Hi @TSOL 

The easiest way to set up NAT on a specific network is to set it on the object itself:

Here:

[Screenshot: 2024-08-14 09_49_54-Network.png]

I hope it helps 🙂

 

Á

----------------
\m/_(>_<)_\m/


11 Replies
emmap
Employee

The network group is the Original Source? What did you set the Translated Source to? 

TSOL
Advisor

Dear emmap

Thank you for the reply.

Yes, I want to set the Network Group as the Original Source and translate it to the IP address of the outside interface as the post-NAT IP address.

emmap
Employee

I believe that should work as long as you set the translated side to Hide NAT.

TSOL
Advisor

I mistakenly thought that I needed to add Hide NAT to the Network Group in the Original Source.

It turns out that I need to configure NAT for the object in the Translated Source instead.

Thanks!

AkosBakos
Leader

Hi @TSOL 

What I told you about NAT is the easy way. If you want to do manual NAT instead, feel free to do it; the two solutions are fully equivalent.

Akos

----------------
\m/_(>_<)_\m/
TSOL
Advisor

Thank you for the reply.

Does the response differ from the behavior when configuring NAT for the Translated Source?

AkosBakos
Leader

Hi @TSOL 

From the NAT point of view, this will act as a manual hide NAT. 

As you configure it on the network object, you will see it in the NAT table, but you can edit the rule by editing the host object.

Akos 

----------------
\m/_(>_<)_\m/
KBLITSEC
Explorer

In our scenario we cannot use Hide NAT. There is a reason for it. I have a different scenario. We have different third-party networks connected to our datacentre through a Check Point firewall. Each third-party zone will have a different network. While accessing the different third-party destination IPs, or vice versa, we use a different NAT based on the zone. If I am adding an object group in the Original Source, adding a /32 IP object in the Original Destination and adding a /32 object in the Translated Source, it is giving the same error as the above user mentioned. This was working prior to Gaia R81. I even have rules in my firewall now in the similar way that I have stated above. But now in Gaia R81.10 it is not allowing the same similar way of adding the NAT. Can you please help me by providing some inputs?

PhoneBoy
Admin

As far as I know, this behavior hasn't changed.
Please provide a precise example, possibly with screenshots (sensitive details can be redacted).

PhoneBoy
Admin

The below answer came from our AI Copilot.
This is applicable if you want to use a manual NAT rule (versus using automatic NAT rules in the object):

The error you're encountering is expected when using static NAT, which translates only one address. To configure NAT for a Network Group, you should use the Hide NAT method. Here's how you can do it:

Steps to Configure Hide NAT for a Network Group

  1. Open SmartConsole and navigate to the NAT policy.
  2. Right-click on the translated source object in the NAT policy.
  3. Select NAT Method > Hide.
  4. Install the policy.

Important Considerations

  • Hide NAT allows multiple internal IP addresses to be translated to a single external IP address.
  • Be cautious when using Hide NAT for a large number of hosts, as it can lead to NAT Port Exhaustion. This happens when the number of connections exceeds the available NAT ports (50,000 ports per NAT pool).

Example Configuration

  1. Create a Network Group that includes all the networks or hosts you want to translate.
  2. Set the Network Group as the original source in the NAT rule.
  3. Set the translated source to a single IP address or an address range.
  4. Ensure the NAT method is set to Hide.

Example NAT Rule

  No | Original Source | Original Destination | Original Service | Translated Source | Translated Destination | Translated Service | Install On
  1  | Network Group   | Any                  | Any              | Single IP/Range   | Original               | Original           | All

By following these steps, you can configure Hide NAT for a Network Group without setting up Hide NAT for each individual object separately. If you encounter any issues or need further assistance, feel free to ask!

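Added example, not from any post in this thread: a small pre-check that encodes the Network Group constraint from the error message quoted in the opening post (so a rule like the one KBLITSEC describes, group source plus /32 translated source with a static method, is caught before policy install), plus builders for the Management API request bodies behind the two approaches discussed, a manual Hide NAT rule and automatic NAT set on the object itself. Assumptions: the field names follow the documented add-nat-rule and set-network API calls, the object and package names are constructed, and nothing is sent to a management server.

```python
"""Pre-check a Check Point NAT rule against the Network Group constraint from the
thread and build the Management API bodies for manual vs. automatic Hide NAT.
Assumptions: field names as in the documented add-nat-rule / set-network calls;
object and package names are constructed; nothing is sent over the network."""

ORIGINAL = "Original"  # SmartConsole value meaning "leave this column untranslated"


def validate_nat_rule(rule, object_types):
    """Return a list of problems for a manual NAT rule (empty list means it passes).

    object_types maps object name -> 'group', 'host', 'network' or 'address-range'.
    Encodes the SmartConsole check: a Network Group in Original Source is only valid
    when Translated Source is 'Original', or when Translated Source is a host or
    address range and the method is Hide.
    """
    problems = []
    src, tsrc, method = rule["original-source"], rule["translated-source"], rule["method"]
    if object_types.get(src) == "group" and tsrc != ORIGINAL:
        if object_types.get(tsrc) not in ("host", "address-range"):
            problems.append("translated source must be a host or address range")
        if method != "hide":
            problems.append("method must be hide when a group is translated")
    return problems


def manual_hide_nat_payload(package, group, hide_behind_host, install_on="All"):
    """Body for POST /web_api/add-nat-rule: one Hide NAT rule covering the whole group."""
    return {
        "package": package,
        "position": "top",
        "original-source": group,
        "original-destination": "Any",
        "original-service": "Any",
        "translated-source": hide_behind_host,
        "translated-destination": ORIGINAL,
        "translated-service": ORIGINAL,
        "method": "hide",
        "install-on": [install_on],
    }


def automatic_hide_nat_payload(network_name, hide_behind="gateway", ip_address=None):
    """Body for POST /web_api/set-network: the 'set it on the object itself' approach.
    hide_behind is 'gateway' (gateway's external IP) or 'ip-address' (explicit IP)."""
    nat = {"auto-rule": True, "method": "hide", "hide-behind": hide_behind, "install-on": "All"}
    if hide_behind == "ip-address":
        nat["ip-address"] = ip_address  # constructed value supplied by the caller
    return {"name": network_name, "nat-settings": nat}
```

Run validate_nat_rule over each rule before calling the API; a non-empty list is the same condition SmartConsole rejects interactively.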
