Dale_Lobb
Advisor

Manual Hide NAT behind Firewall interface

I have an interesting question: Has anyone ever had to implement a manual hide NAT rule to hide behind the leaving firewall interface?

I just tried it using the firewall cluster object as the translated NAT source, but it always uses the external address of the firewall as the NATted source, even if the connection goes to a DMZ, which makes the connection in this case non-routable.

So, to make a long story short, I have a requirement to NAT a connection to the management interface of an east-west firewall (firewall A). The access to the management network is through another firewall cluster (firewall B). In general, I do not want to NAT internal connections to my management network, only just to firewall A, and that is solely to make the connection route correctly, as the default route for firewall A is through one of the east-west connections. So, I tried to make a manual hide NAT rule in firewall B that would source NAT connections destined for firewall A's management interface behind firewall B's management interface. I did this using firewall B's gateway object in the rule. However, as stated, the log of the connection shows the external address of firewall B as the hide NAT, not the address of firewall B facing the management DMZ.

I can probably get the desired outcome by defining another object to hide behind, with either a specific unused address in the management net or even the management address of firewall B.

I'm curious if anyone else has ever had a similar need to create a manual hide NAT rule similar to how the automatic hide NATs work, where the connection gets NATted to the firewall interface by which it leaves. How would you resolve this?

My NAT rule is paraphrased in the attached JPG:

0 Kudos
2 Replies
MartinTzvetanov
Advisor

Just create a new object with the desired IP address and put it in the NAT rules. This is not a big deal, I believe this is a common situation when you have 2 clusters (internal and external fw), DMZ between them and more private networks behind the internal cluster.

0 Kudos
Dale_Lobb
Advisor

That is exactly what I did, but it makes for a fixed hide NAT to the newly created object. I was hoping to be able to create a manual hide NAT using the firewall object which would hide NAT the connection behind the firewall interface via which the packet left the firewall. This way I could get by with one NAT rule as opposed to 10 NAT rules (one for each firewall interface).

The firewall does this with automatic hide NATs assigned to individual objects to be NATted.  They show up as one automatic NAT rule in the NAT policy.  Is there no way for an admin to do something similar?
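Added illustration, not part of the thread and not Check Point code: a small Python model of the three translated-source choices discussed above (the gateway object, the egress interface, a fixed host object) and of why only a source inside the management subnet gets a usable return path from firewall A, whose default route points east-west. All addresses and interface names are constructed for the example.

```python
import ipaddress

# Constructed topology for "firewall B": interface name -> address (assumed values).
INTERFACES = {
    "eth0-external": ipaddress.ip_interface("203.0.113.2/24"),
    "eth1-internal": ipaddress.ip_interface("10.10.0.1/24"),
    "eth2-mgmt-dmz": ipaddress.ip_interface("10.20.0.1/24"),
}
# Firewall B routing table: prefix -> egress interface; the default route is external.
ROUTES = {
    ipaddress.ip_network("10.10.0.0/24"): "eth1-internal",
    ipaddress.ip_network("10.20.0.0/24"): "eth2-mgmt-dmz",
    ipaddress.ip_network("0.0.0.0/0"): "eth0-external",
}
# Firewall A (the east-west firewall): its management subnet is directly connected,
# everything else follows its default route out an east-west link (constructed).
FW_A_MGMT_NET = ipaddress.ip_network("10.20.0.0/24")


def egress_interface(dst):
    """Longest-prefix match: the firewall B interface a packet to dst leaves through."""
    dst = ipaddress.ip_address(dst)
    best = max((n for n in ROUTES if dst in n), key=lambda n: n.prefixlen)
    return ROUTES[best]


def hide_behind_gateway_object(dst):
    """Observed behaviour: the cluster object's main (external) IP, whatever the egress."""
    return str(INTERFACES["eth0-external"].ip)


def hide_behind_egress_interface(dst):
    """Desired behaviour (what automatic hide NAT does): IP of the egress interface."""
    return str(INTERFACES[egress_interface(dst)].ip)


def hide_behind_host_object(dst, host_ip):
    """Workaround from the reply: a dedicated host object as a fixed translated source."""
    return host_ip


def reply_reaches_firewall_b(translated_src):
    """Firewall A answers to translated_src via its management link only if the address
    is in the directly connected management subnet; otherwise the reply goes east-west."""
    return ipaddress.ip_address(translated_src) in FW_A_MGMT_NET


if __name__ == "__main__":
    fw_a_mgmt = "10.20.0.5"  # constructed management address of firewall A
    for name, src in (("gateway object", hide_behind_gateway_object(fw_a_mgmt)),
                      ("egress interface", hide_behind_egress_interface(fw_a_mgmt)),
                      ("host object", hide_behind_host_object(fw_a_mgmt, "10.20.0.9"))):
        print(f"{name:17} -> src {src:13} reply routable: {reply_reaches_firewall_b(src)}")
```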
