Until R77.30 we used an object with IP address 0.0.0.0 in specific NAT rules to hide traffic behind the gateway. This works in my lab with R80.10 as well, but whether or not this is the best way to handle things is a bit unclear.
This is important, as one may need to create creative rules to handle multiple ISP lines either with or without ISP Redundancy in place.
Has anyone worked out another solution that works in R80(.10)?
I have tested this with:


This works as I get another address on https://www.whatismyip.com/ when I enable the rule before my Static NAT that is used on this host.
I am aware of sk40637 (Using a "Hide behind IP address 0.0.0.0" as the translated source object) but I find the text rather ambiguous. And sk119998 (Network object with network address 0.0.0.0 is not enforced) seems to indicate this might be a bug. Then there is sk25152 (Static NAT fails for outgoing connections through gateway with ISP Redundancy in Load Shari... but I am using a HIDE NAT.
So it works, but I am unsure if this will be supported in future versions.
You realize there is also this option in SmartConsole, which does the same thing (except for all traffic):

My guess is we will continue to support this.
In addition to Dameon's post, if you want more specificity and irrespective if you have ISP redundancy (and just have multiple links), you can use policy routing applied to the inbound interface to direct traffic out an ISP link (and you can get creative with multiple match criteria on the PBR rule for the policy). Then on the NAT rule, just use the "fw01 (Hide)" [following your screenshot example] as the translated source. This will automatically translate the source IP to the firewall's outgoing interface address (whichever interface it is leaving, per the policy route). You may not even need to have a specific NAT rule at this point; just rely on the NAT policy's natural flow, so long as the packet gets sent to the preferred outbound interface. "Translate destination on client side" in Global Properties will be important, here, too.
I've done this for a customer who has ISP redundancy, but they wanted their "guest" network traffic to always flow out the secondary ISP link, irrespective of primary ISP link status; if the secondary ISP link was down, they didn't care that much [they are a small site and providing guest services was at most a convenience, and far from a priority for them].
Seems like a bit of work, but it'll be more deterministic and you won't have to rely on any odd trickery and "magic".
Duane Toler, may I ask how you managed the PBR with ISP Redundancy?
I know that they are not compatible with each other; if ISP Redundancy is enabled, PBR is bypassed, at least in 77.30.
I'd like to achieve the same scenario described in your previous comment, and I think it could be useful for everyone who encounters this problem (and finds this post).
Regards
Matteo
Hi Matteo!
Here's the configuration I have on the R77.30 gateway with ISP Redundancy and the PBR rule:
```
firewall> show configuration pbr
set pbr table GuestTraffic static-route default nexthop gateway address NNN.NNN.195.73 priority 1
set pbr rule priority 1 match interface bond0.192
set pbr rule priority 1 action table GuestTraffic
```
Interface bond0.192 is an LACP portchannel with VLAN 192 (of course).
Interface eth2 is the ISP interface where traffic from VLAN 192 is being routed:
```
set interface eth2 comments "Guest Internet"
set interface eth2 link-speed 1000M/full
set interface eth2 state on
set interface eth2 auto-negotiation on
set interface eth2 mtu 1500
set interface eth2 ipv4-address NNN.NNN.195.74 mask-length 30
```
```
firewall> show route destination NNN.NNN.195.72
Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
       O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
       A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
       U - Unreachable, i - Inactive
C NNN.NNN.195.72/30 is directly connected, eth2
Guest Internet
```
However, your comment prompted me take a closer look at my customer's configuration. I see one small thing that is different. My customer has 3 ISP links:
1) eth0 to the primary ISP
2) eth1 to the secondary ISP
3) eth2 to a 3rd ISP, but this is NOT part of the ISP link table
The third ISP link, eth2, is where I am using the PBR configuration, and the first two ISP links are in the ISP Redundancy link table.
I apologize for not being more clear in my previous post. I see now how this is different than what you may be seeking.
--
Duane Toler
dtoler@webfargo.com
Webfargo Data Security
www.webfargo.com
Proactive Security Solutions
Phone: 919.281.0175, Ext. 3312
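As an added illustration (not code from this thread or from Check Point), the Python model below parses the clish lines posted above and shows why the PBR rule on bond0.192 sends guest traffic out eth2 and why a "fw01 (Hide)" translated source then takes the egress interface's address. The redacted NNN prefix is replaced with constructed documentation addresses, and the main-table fallback (eth0) is an assumed stand-in for what ISP Redundancy or the main routing table would choose when no PBR rule matches.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample modelled on the thread's clish output; addresses are
# documentation ranges standing in for the redacted NNN.NNN.195.x values.
GAIA_CONFIG = """
set pbr table GuestTraffic static-route default nexthop gateway address 203.0.113.73 priority 1
set pbr rule priority 1 match interface bond0.192
set pbr rule priority 1 action table GuestTraffic
set interface eth2 ipv4-address 203.0.113.74 mask-length 30
set interface eth0 ipv4-address 198.51.100.2 mask-length 30
"""

@dataclass
class Gateway:
    interfaces: dict = field(default_factory=dict)  # name -> IPv4Interface
    tables: dict = field(default_factory=dict)      # PBR table -> default next hop
    rules: dict = field(default_factory=dict)       # priority -> {"interface", "table"}
    default_egress: str = "eth0"                    # assumed main-table / ISP Redundancy choice

def parse_config(text):
    """Pull interfaces, PBR tables and PBR rules out of 'set ...' clish lines."""
    gw = Gateway()
    for line in text.strip().splitlines():
        t = line.split()
        if t[:2] == ["set", "interface"] and "ipv4-address" in t:
            gw.interfaces[t[2]] = ipaddress.ip_interface(f"{t[4]}/{t[6]}")
        elif t[:3] == ["set", "pbr", "table"]:
            gw.tables[t[3]] = ipaddress.ip_address(t[9])
        elif t[:3] == ["set", "pbr", "rule"]:
            rule = gw.rules.setdefault(int(t[4]), {})
            if t[5] == "match" and t[6] == "interface":
                rule["interface"] = t[7]
            elif t[5] == "action" and t[6] == "table":
                rule["table"] = t[7]
    return gw

def egress_for(gw, ingress_iface):
    """Lowest priority number wins; the matching table's next hop picks the
    directly connected interface. No match falls through to the main table."""
    for prio in sorted(gw.rules):
        rule = gw.rules[prio]
        if rule.get("interface") == ingress_iface and "table" in rule:
            nexthop = gw.tables[rule["table"]]
            for name, iface in gw.interfaces.items():
                if nexthop in iface.network:
                    return name
    return gw.default_egress

def hide_nat_source(gw, ingress_iface):
    """'fw01 (Hide)' as translated source: the address of the egress interface."""
    return str(gw.interfaces[egress_for(gw, ingress_iface)].ip)
```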