This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Adam_Sztymelski
Participant
‎2019-02-03 10:41 AM
Jump to solution

PAT/NAT to routed subnet?

Hi firewall masters!

I need your help with nat, port forward or whatsoever to confirm (or deny) my idea to grant access to my webserver from Internet.

We have /24 of public IP's, cutted on CP firewall. Some of them are used by network equipment, let say /29, and some of them by servers in DMZ, LAN, where ever was needed.

We have also few branches connected through sd-wan.

Subnet 172.16.0.0/24 is reachable by static route, its not directly connected.

And now i need to make visible in internet one server from that branch.

Is it possible to do this on CP by NAT, ARP policies?

When i did manual NAT, webserver 1.1.1.100:80 is reachable but only in LAN, never from outside.

Many thanks for your help, ideas how to achieve this.

Cheers!

#nat

#routing

#arp

#proxy

0 Kudos
1 Solution

Accepted Solutions
Michal_Gans
Contributor
Contributor
‎2019-02-06 05:21 AM
Jump to solution

I think that easiest solution will be NAT 

srcdstservicenat srcnat dstnat service
internet1.1.1.100801.1.1.1 hide172.16.0.2original

But you lose information about source in web server logs.

View solution in original post

0 Kudos
5 Replies
Vladimir
Champion
Champion
‎2019-02-03 03:07 PM
Jump to solution

If you are using manual NAT for an object, you have to resort to manual proxy ARP entries in Gaia.

If you are using static NAT to some local dummy IP, you can then use NAT rules to forward this traffic to its destination, so long as the routing is in place and the security policy permits it.

Adam_Sztymelski
Participant
‎2019-02-05 01:32 PM
In response to Vladimir
Jump to solution

Tried both with no success, apparently Im doing something wrong.

Can you give me some examples?

0 Kudos
Vladimir
Champion
Champion
‎2019-02-05 06:02 PM
In response to Adam_Sztymelski
Jump to solution

Sorry, I am at CPX now and will not be by my lab for a few days yet.

0 Kudos
Michal_Gans
Contributor
Contributor
‎2019-02-06 05:21 AM
Jump to solution

I think that easiest solution will be NAT 

srcdstservicenat srcnat dstnat service
internet1.1.1.100801.1.1.1 hide172.16.0.2original

But you lose information about source in web server logs.

0 Kudos
Adam_Sztymelski
Participant
‎2019-02-06 09:39 AM
In response to Michal_Gans
Jump to solution

Michal, this is it!

Many thanks!

Where i need to send you bitcoins?

Oh, no, they useless at this moment.

I can propose good real beer in Poland or in Czech.

Cheers!

PS. I used of course 1.1.1.3 (my active CP) not 1.1.1.1 in nat src. I understand it was just a typo. Just for those who they will looking for same solution.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events