This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
1815375d-cbf2-4
Explorer
‎2018-11-23 01:18 AM

How to nat

Please bear with me. I have one ip in a dmz zone : 1.1.1.1 and another ip in the same dmz zone subnet : 1.1.1.2.

Both are public ip`s.

Ip 1.1.1.2 is actualy nat ip of a lan host 3.3.3.3

1.1.1.1 is unable to reach 1.1.1.2.

Operating system R77.30

Can you please  help with a example configuration?

0 Kudos
4 Replies
Gaurav_Pandya
Advisor
‎2018-11-23 08:55 AM

Hi,

Please explain more about DMZ Zone subnet. 

If you have defined DMZ zone subnet 1.1.1.0/24 then communication between 1.1.1.1 & 1.1.1.2 will not come to firewall. It should communicate directly.

You can use Manual NAT rules for granular configuration.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-11-23 10:05 AM

A network diagram with all the relevant hosts included would help,

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2018-11-24 02:10 PM

This has nothing to do with NATting, this is plain old fashioned routing that is bugging you.

When you try to access 1.1.1.2 from 1.1.1.1 it will just do an ARP to the network the host is in. Now when you use the network 1.1.1.x on a DMZ this means you have a route for it from the internet and you have no need for Proxy ARP and you can use manual NAT.

However in this case you will need to tell the FW that it needs to act as if it has IP 1.1.1.2 on it's DMZ interface, this is done by the aid of Proxy ARP in clish: 

  add arp proxy 1pv4-address 1.1.1.2 interface <DMZ>

At the spot of <DMZ> you fill the actual interface for network 1.1.1.x

Regards, Maarten
1815375d-cbf2-4
Explorer
‎2018-11-26 05:33 AM
In response to Maarten_Sjouw

Thank you for replying and for you answer. It has sense.

I have logged onto the firewall engine and i have put:

add arp proxy ipv4-address 1.1.1.2 interface ethX.

Waiting for the customer feedback to see if it is working now.

Thank you all for the support.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top