Dor_Marcovitch
Advisor

Destination NAT with ICMP

Does anyone know why there is a limitation that I cannot choose the echo-request service in the NAT rule, and also in a group in the NAT policy?

Only "any" will apply NAT to echo-request packets.

Thanks

4 Replies
HeikoAnkenbrand
Champion

That is partly correct. You can build a general NAT rule and limit it with the firewall rule.

For more info on destination NAT, see the article https://community.checkpoint.com/docs/DOC-3041-r80x-security-gateway-architecture-logical-packet-flo....

Regards

Heiko

PhoneBoy
Admin

The service column in the NAT rulebase can only take TCP/UDP services, of which ICMP is neither.

If you've properly restricted your access rulebase, this should not present a security issue.

Sairam123
Explorer

Thank you sir for sharing your views.

But I would like to ask you: what if I have given manual NAT to the http and telnet services and wanted to give NAT for only ICMP?

Then how should I apply NAT on only ICMP service?

0 Kudos
patones1
Explorer

To avoid conflict, just add the NAT rule with "any" at the end. Like firewall rules, NAT rules are treated in a sequential way, so the NAT rules that forward the traffic to the http and/or telnet servers will keep working OK.
Just test the difference. Put the rule with "any" on the first line: nothing will work for the http/telnet servers.
Now put the NAT "any" rule at the end: everything will keep working OK.
I agree the best solution would be allowing the use of ICMP in the manual NAT rules.


0 Kudos
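The ordering effect patones1 describes (an "any"-service rule placed above the http/telnet rules shadows them; placed below, it only catches what they do not), modelled as an added Python example. This is not Check Point's code or a real rulebase: it is a simplified first-match evaluator with a hypothetical service table and constructed documentation-range addresses, and it adds a shadowing check that flags rules an earlier "any" rule makes unreachable.

```python
"""Added example (not Check Point's code): a first-match model of a manual
destination-NAT rulebase, showing why an "any"-service rule must sit below
the TCP-service rules it would otherwise shadow.

Assumptions: the service column accepts only TCP/UDP services or "any" (as
the thread states), rules are evaluated top-down with first match winning,
and all addresses are constructed documentation-range values.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    port: Optional[int] = None  # None for ICMP, which has no port


@dataclass(frozen=True)
class NatRule:
    name: str
    orig_dst: str   # original (public) destination
    service: str    # "http", "telnet" or "any"; ICMP cannot be named here
    xlate_dst: str  # translated (internal) destination


# Hypothetical service table: only TCP/UDP services can be selected.
SERVICES = {"http": ("tcp", 80), "telnet": ("tcp", 23)}


def service_matches(service: str, pkt: Packet) -> bool:
    """'any' matches every protocol; named services match proto + port."""
    if service == "any":
        return True
    proto, port = SERVICES[service]
    return pkt.proto == proto and pkt.port == port


def first_match(rulebase: List[NatRule], pkt: Packet) -> Optional[NatRule]:
    """Top-down evaluation; the first rule whose destination and service match wins."""
    for rule in rulebase:
        if rule.orig_dst == pkt.dst and service_matches(rule.service, pkt):
            return rule
    return None


def translate(rulebase: List[NatRule], pkt: Packet) -> str:
    """Return the translated destination, or the original if no rule matches."""
    rule = first_match(rulebase, pkt)
    return rule.xlate_dst if rule else pkt.dst


def shadowed_rules(rulebase: List[NatRule]) -> List[str]:
    """Names of rules that can never match because an earlier rule with the
    same original destination and a covering service precedes them."""
    shadowed = []
    for i, rule in enumerate(rulebase):
        for earlier in rulebase[:i]:
            covers = earlier.service == "any" or earlier.service == rule.service
            if earlier.orig_dst == rule.orig_dst and covers:
                shadowed.append(rule.name)
                break
    return shadowed


PUBLIC = "203.0.113.10"  # constructed public address
HTTP_RULE = NatRule("nat-http", PUBLIC, "http", "192.0.2.10")
TELNET_RULE = NatRule("nat-telnet", PUBLIC, "telnet", "192.0.2.20")
ANY_RULE = NatRule("nat-any", PUBLIC, "any", "192.0.2.30")  # intended for ICMP

ANY_FIRST = [ANY_RULE, HTTP_RULE, TELNET_RULE]  # the broken ordering
ANY_LAST = [HTTP_RULE, TELNET_RULE, ANY_RULE]   # the working ordering

HTTP_PKT = Packet(PUBLIC, "tcp", 80)
TELNET_PKT = Packet(PUBLIC, "tcp", 23)
PING_PKT = Packet(PUBLIC, "icmp")
DNS_PKT = Packet(PUBLIC, "udp", 53)  # something the author never meant to NAT

if __name__ == "__main__":
    for label, rb in (("any first", ANY_FIRST), ("any last", ANY_LAST)):
        print(f"{label}: shadowed={shadowed_rules(rb)}")
        for pkt in (HTTP_PKT, TELNET_PKT, PING_PKT, DNS_PKT):
            print(f"  {pkt.proto}/{pkt.port} -> {translate(rb, pkt)}")
```

With the "any" rule first, http and telnet both land on the ICMP host and the shadowing check reports both named rules as unreachable; with it last, each service reaches its own host and only ICMP falls through to the "any" rule. The model also shows the caveat behind PhoneBoy's remark: the trailing "any" rule translates every other protocol and port aimed at the public address (the constructed UDP/53 packet included), so the access rulebase, not the NAT rulebase, is what has to limit which of that traffic is actually accepted by the translated host.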