
NAT on DNS traffic on Check Point Firewall

Dear Mates

Our public DNS servers were put behind our firewall on the DMZ, and we are doing NAT with a public IP in order to allow our customers to resolve externally. Unfortunately, some requests were failing, hence the pages were unavailable.
We are being pressured to assign a public IP directly on the interface of the DNS server in order to avoid doing NAT, which is something we do not wish to do.

Is there any way to solve this issue without stopping doing NAT?

Thanks in advance

4 Replies

What is the reason for blaming the NAT?
What are your reasons to not want real IPs on a DMZ interface?
Regards, Maarten

The issue is that our DNS announces all of our internal domain names, and when it announces the names, it uses the private IP configured on its interface instead of the public IP configured on the firewall for NAT.

So when another authoritative DNS consults our names, it finds a private IP instead of the public IP and the request does not work.

Any idea on how we can sort out this issue and keep the NAT?
We are using Windows Server 2016.

Thanks in Advance

It is best practice to use separate DNS servers for internal and external resolving purposes.
That said, we have a feature called DNS NAT that may help.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
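The failure mode described in this thread, and the fix the reply points at, can be shown offline with a small script. This is an added example, not code from the thread, from Check Point, or from the DNS NAT feature itself: it builds a constructed DNS response in which the DMZ server answers with its private addresses, flags every A record that carries an RFC 1918 address (the thing an external resolver would choke on), and then rewrites those records with a hypothetical static map (10.1.1.10 -> 203.0.113.10, 10.1.1.11 -> 203.0.113.11, all assumed addresses) the way a firewall DNS NAT rule rewrites the payload. Stdlib only.

```python
"""Added example, not from the thread or Check Point: detect private
addresses leaking in public DNS answers and apply a DNS-NAT-style rewrite."""
import ipaddress
import struct

# Hypothetical static NAT map (DMZ private address -> public NAT address).
# These addresses are assumptions for the example, not the poster's network.
NAT_MAP = {"10.1.1.10": "203.0.113.10", "10.1.1.11": "203.0.113.11"}

# Explicit RFC 1918 check: ipaddress.is_private also matches documentation
# ranges such as 203.0.113.0/24, which we use here as "public" stand-ins.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in RFC1918)


def _encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, answers, txid=0x1234):
    """Constructed DNS response (QR=1, AA=1) with A records.
    answers: list of (owner_name, ip). Owners equal to qname are written as a
    compression pointer to the question name (offset 12) so the parser's
    pointer path is exercised as real server answers would."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, len(answers), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    rrs = b""
    for name, ip in answers:
        owner = b"\xc0\x0c" if name == qname else _encode_name(name)
        rdata = ipaddress.IPv4Address(ip).packed
        rrs += owner + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + rrs


def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_a_records(msg):
    """Return [(owner, ip, rdata_offset)] for each A record in the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # qtype + qclass
    records = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((name, str(ipaddress.IPv4Address(msg[off:off + 4])), off))
        off += rdlen
    return records


def find_private_answers(msg):
    """The thread's symptom: answers an outside resolver cannot use."""
    return [(n, ip) for n, ip, _ in parse_a_records(msg) if is_rfc1918(ip)]


def apply_dns_nat(msg, nat_map):
    """Rewrite A-record rdata for mapped addresses, as a DNS NAT rule does;
    unmapped records and message length are left untouched."""
    out = bytearray(msg)
    for _, ip, off in parse_a_records(msg):
        if ip in nat_map:
            out[off:off + 4] = ipaddress.IPv4Address(nat_map[ip]).packed
    return bytes(out)


if __name__ == "__main__":
    reply = build_response("www.example.com", [
        ("www.example.com", "10.1.1.10"),
        ("mail.example.com", "10.1.1.11"),
        ("ext.example.com", "198.51.100.5")])
    print("leaked private answers:", find_private_answers(reply))
    fixed = apply_dns_nat(reply, NAT_MAP)
    print("after DNS NAT rewrite:", [ip for _, ip, _ in parse_a_records(fixed)])
```

Run `find_private_answers` against real captures of your public server's replies (for example a `dig` from outside, saved in wire format) to confirm whether the leak exists before changing NAT; it is also the check to repeat after enabling DNS NAT, since only records whose address matches a NAT rule get rewritten, and any zone data that still points at unmapped private addresses will keep leaking.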

Looks like a very nice feature, I've never heard about it. And it will always be a surprise to see what's possible 😉

Wolfgang