This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Michael_Horne
Advisor
‎2018-03-09 07:35 AM
Jump to solution

Inbound Hide NAT

Hi,

I am trying to configure a policy to allow inbound access from the Internet to an internal server. I can create a NAT for the server so that the server is known by a public IP Address, but I have a problem with the return traffic.

I need to translate the public Source IP address of the connection to a internal IP address. So a "Hide NAT" for inbound connections.

Is this possible? As I am failing to find any instructions for configuring this.

We are running R80.10 on management and security gateways.

Many thanks,

Michael

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2018-03-09 12:51 PM
Jump to solution

Of course it is.

The main issue is that the "Source" for the rule can't be "Any".

You also can't use negation in the NAT rulebase either.

To achieve the desired result, you'll need two rules:

The first rule ensures the internal networks are NOT translated when they connect to the IP address (in this case, AR70).

"Protected Networks" is a group I created with my internal networks.

The second rule says "anyone connecting to AR70 with appear as if it's coming from foo and going to e7".

"All_Internet" should be a preexisting object.

After you add the object to the Translated Source, you will need to need to right-click on it and change the NAT Method to Hide.

View solution in original post

3 Replies
PhoneBoy
Admin
Admin
‎2018-03-09 12:51 PM
Jump to solution

Of course it is.

The main issue is that the "Source" for the rule can't be "Any".

You also can't use negation in the NAT rulebase either.

To achieve the desired result, you'll need two rules:

The first rule ensures the internal networks are NOT translated when they connect to the IP address (in this case, AR70).

"Protected Networks" is a group I created with my internal networks.

The second rule says "anyone connecting to AR70 with appear as if it's coming from foo and going to e7".

"All_Internet" should be a preexisting object.

After you add the object to the Translated Source, you will need to need to right-click on it and change the NAT Method to Hide.

Michael_Horne
Advisor
‎2018-03-12 02:07 AM
In response to PhoneBoy
Jump to solution

HI,

Thanks for this confirmation.  With the All_Internet object (which just seems to be another way of saying any) I got it working, My main block point was not knowing that I had to right click on the "Translated source" in the NAT policy to change it from a Static NAT to a Hide NAT.

Many thanks,

Michael

Haichao_Xie
Employee Alumnus
Employee Alumnus
‎2018-11-17 07:20 PM
In response to PhoneBoy
Jump to solution

Awesome!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events