Static Hide Behind Gateway NAT

Mike_Jensen

I have a scenario where I would like to create static hide behind gateway NAT rules (see screen shot) so internal networks are able to be NAT'ed to the gateway clusters external IP address.

I am using the cluster object in the translated source and a NAT does occur, the problem is the translated source being applied is the gateway clusters internal private RFC 1918 IP and not the external public IP.

Is there a way I can manipulate this to choose the translated destination IP I need?

I am trying to avoid creating a duplicate object.

Some more background on this - I have two data centers, each with a external cluster and internal cluster. I want certain internal networks to have hide behind gateway installed on both datacenter's external gateways but not on the internal gateways. With object NAT I can only choose one gateway cluster or all.

If there is a way to install the hide behind on two clusters and not all that would be ideal.

the_rock

I would say if you want everything behind the gw natted to external IP, then choose option in 1st screenshot. If you want only specific networks, then you can opt out for 2nd one.

Andy

Mike_Jensen

I tried the "Hide Internal networks behind the Gateway's external IP" like you have in the 1st screen shot but it doesn't work.

On page 70 of the R81.20 ClusterXL Administration Guide "The option Hide internal networks behind the Gateway's external IP (in the ClusterXL object properties > NAT pane) is not supported."

This is in the Active-Active Mode in ClusterXL, I am active/standby, but I am left with the impression this option isn't supported either way in R81.20 since it won't work for me.

In your second screen shot - is there a way I can have the object NAT installed on only 2 gateway cluster and not all?

the_rock

Option 2 has to be supported, I have customers who use it on load sharing or HA cluster. Why would 1st one not work? What do you see in the captures?

Andy

Mike_Jensen

Option 1 flat out doesn't do anything. The log cards don't show any NAT being performed on the internet traffic.

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_ClusterXL_AdminGuide/CP_R81....

Take a look at page 70.

the_rock

I just did, right. As far as option 1, well, if it fails, do some tcpdumps and fw monitors and see what gives. It works, for sure.

Also, make sure what I attached is checked.

Andy

the_rock

K, I see what you meant, shows active-active, but active standby it works 100%.

emmap

Manual NAT rules exist per policy, so you can add one for each gateway in their respective policies. If the gateways are sharing the policy, use the 'install on' field to set a NAT rule per gateway.

The NAT behaviour for your rule there will hide the traffic behind the interface VIP that the traffic egresses the gateway on. If you want it to hide behind a specific IP regardless of egress interface, replace the gateway object on the 'translated source' side with a host object reflecting that IP.

Mike_Jensen

In my scenario with the rule with the gateway cluster object the translated source is taking the IP that the traffic ingresses the gateway on and not the interface it egresses to the internet.

If I create a host object for the IP of a cluster VIP will that cause issues like a duplicate object will, since the cluster object includes all IP's of the cluster?

PhoneBoy

Duplicate objects for the same IP are allowed, though we display a warning.
For gateways/clusters, as long as the "duplicate" is a host object, you should be fine.

emmap

It shouldn't talk the ingress VIP, there's something curious going on there.

But yea, as Phoneboy said, no harm in setting a host object with a cluster VIP for this.

the_rock

I agree there, does not hurt to try.

Are you a member of CheckMates?

Static Hide Behind Gateway NAT