Hello @AaronCP  when I run tcpdump or fw monitor, I can't see the packet returns. The last information is the packet going out from gateway and don´t show nothing coming back.

If the gateway is NATing and routing the outbound traffic correctly, I would guess the upstream router isn't routing traffic for the .94 to your gateway.

If you run tcpdump -nnei eth0 host x.x.x.94 and arp on the gateway, do you see any arp requests for the .94 address?

@AaronCP I don't think it's a upstream issue, the arp request is happenig like can you see below:

And when the NAT is automatic the connection works, so I am pretty sure that this problem is something wrong on Check Point Gateways.

The upstream router is arp-ing the .94, but the gateway isn't responding to the arp request, so looks to be a proxy arp issue. Have you looked at SK30197? 

You may have to enable Merge manual proxy ARP configuration in Global Properties | NAT.

I see @the_rock beat me to this suggestion! 🙂

Its all good brother, you STILL owe me money from VPN route help I provided last time, but okay, I will wait patiently HAHA

Just kidding, always a pleasure to see you on here!

Hello @Sorin_Gogean ,

I have a /27 (30 IPs). I am not using the same IPs that are configured on interfaces to create this NAT. On interfaces I have .66, .67, and .68 to the VIP (currently, this is the IP used to out for the internet) and now I'm trying to use this little IP range for share these connections to the internet, like I showed on NAT rule above (.92, .93 and .94) .

What you saying is not applicable for my environment, but thank you for cooperate!

Hey @Bernardes ...just to make sure Im not mistaken when I say this, are you saying that IF you use .94 in manual nat rule as you indicated that fails, but say if you use SAME ip address to hide nat for specific subnet, then users dont have an issue accessing the Internet?

@the_rock exactly! If I set the .94(or any other IP from my range) in the network or host object, this NAT will be automaticly created and will works normally, but setting the manual rule, the user have no connection.

Gotcha! Ok, lets start with basics...can you send a screenshot of whats enabled under NAT in global properties? Also, when that rule is in place, what happens if you do zdebug when someone tries to connect? Does it give any drops at all?

Andy

The NAT global settings:

zdebug don't show any drop for this host

Can you check all options in global properties for nat except ip pool nat and push policy and test again? For zdebug, also add the service as well, so command you did, and then (space) | grep 443

You are welcome mate! Here comes my corny joke of the day, week, month, year that everyone is sick of hearing...for you, NO CHARGE, unless you use Iphone, and if you dont, then you get free coffe and a donut ; - )

But, in all seriousness, glad it worked...I apply this mentality to anything really. Sometimes, when you keep trying things and you hit a dead end, its always best thing to step back and start from basics, usually, that works 90% of the time in my experience.

Cheers and happy its solved and happy watching some great football games (or as our American friends would say soccer : - )

Have a good one!

Hey @Bernardes ,

Indeed, now I see that the screenshot it was for the ARP (making those IP to respond to external ICMP ) .

Have you tried without having them in ARP list, still it should not be any different.

Thank you,

PS: we have manual NATing done, with several IP's, some on the same network like the Checkpoint WAN side, and others from the Private DMZ and we didn't faced any issues.

Could it be that for IP Pool NAT you require that last checkbox ? (SK39327 )

@Bernardes Toadd to what @Sorin_Gogean said...I would delete those proxy arp entries, you dont need them there. Thats only for DESTINATION nat , you dont need it for source nat at all.