
Natting on a different subnet that is not configured on the gateway

Is it possible to do a loopback NAT on Check Point like on Cisco devices, where the NATed subnets for the servers are of a completely different subnet than the IP addresses used for public connections?

The external IP address on the device is a xx.xx.xx.xx/29 network and the subnet that is going to be used for NATing is a xx.xx.xx.xx/25 network.

When I NAT a server to the internet with an IP address from the same external subnet, everything works fine as usual, but when I NAT it on the /25 subnet, I can't reach the gateway.

Is there a correct way to configure this, and is this even possible on Check Point gateways?

4 Replies
Employee+

Re: Natting on a different subnet that is not configured on the gateway

Yes, the two approaches are possible: the former relies on proxy-arp, the latter on routing.

Are the upstream devices routing the x.x.x.x/25 subnet towards the security gateway?

Re: Natting on a different subnet that is not configured on the gateway

Hi Chris,

The upstream devices have routed the /25 network to the gateways, but the external subnets of the gateways are of the /29 network and the IPs of the devices to be NATed to the internet are of the /25 subnet (public IP).

I have looked into some of the SKs and I'm not sure if the solution is to create manual NAT rules and configure proxy-arp on the cluster members.

Employee+

Re: Natting on a different subnet that is not configured on the gateway

To confirm, are the /25 and /29 overlapping networks?

Manual NAT is one approach, proxy-arp shouldn't be required unless the NAT IP is from the same subnet as the external interface IP.


Re: Natting on a different subnet that is not configured on the gateway

No, the networks are not overlapping. They have been separated into different subnets. I tried manual NAT and what I have noticed is that only the IP that is being manually NATed can ping the NATed public IP; others can't ping it. Does this mean that the configuration is right? Or is there a route issue on the router?

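The distinction drawn in this thread (proxy-arp only when the NAT address sits on the external interface's own segment, otherwise an upstream route to the gateway) can be checked mechanically before touching the NAT policy. The following is an added example, not code from the thread or from Check Point; the /29 and /25 values are constructed documentation-range addresses standing in for the poster's real ones.

```python
import ipaddress

# Constructed sample values (RFC 5737 ranges), not the poster's real addresses:
# the gateway's external interface lives in a /29, while the public addresses
# used for static NAT come from a separate /25 that the upstream router must
# route towards the gateway.
EXTERNAL_INTERFACE = "203.0.113.10/29"
NAT_POOL = "198.51.100.0/25"


def overlap(a, b):
    """True when two CIDR prefixes share any address (the /25 vs /29 question)."""
    net_a = ipaddress.ip_network(a, strict=False)
    net_b = ipaddress.ip_network(b, strict=False)
    return net_a.overlaps(net_b)


def answer_method(nat_ip, external_interface=EXTERNAL_INTERFACE):
    """How the gateway can be made to answer for a static NAT address.

    'proxy-arp'      the address is on the external interface's own segment, so
                     the upstream router will ARP for it and the gateway must
                     reply (proxy ARP on each cluster member).
    'upstream-route' the address is off-segment, so nobody ARPs for it; it is
                     reachable only if the upstream router has a route for the
                     prefix whose next hop is the gateway.
    """
    iface = ipaddress.ip_interface(external_interface)
    if ipaddress.ip_address(nat_ip) in iface.network:
        return "proxy-arp"
    return "upstream-route"


def nat_plan(nat_ips, external_interface=EXTERNAL_INTERFACE, nat_pool=NAT_POOL):
    """Group static NAT addresses by what is needed to make them reachable.

    Off-segment addresses that are not inside the routed pool are rejected:
    the upstream router holds no route for them, so traffic would never arrive.
    """
    pool = ipaddress.ip_network(nat_pool, strict=False)
    plan = {"proxy-arp": [], "upstream-route": [], "rejected": []}
    for addr in nat_ips:
        method = answer_method(addr, external_interface)
        if method == "upstream-route" and ipaddress.ip_address(addr) not in pool:
            plan["rejected"].append(addr)
        else:
            plan[method].append(addr)
    return plan
```

A NAT address that lands in the "upstream-route" group needs no proxy ARP entry; if it is unreachable from the outside, the place to look is the upstream router's route for the /25, which matches the last question in the thread.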