NAT Rules for multiple IP Addresses?
This may be a pipe-dream, but can I somehow create a NAT Rule and/or Policy to tell CP to protect a group of IP addresses instead of a single IP? I've got a situation where my customer has multiple PIPs to protect, and I'd hate to create a NAT rule for each one.
I was thinking perhaps even connecting to Azure, then creating a NAT rule based on multiple Azure Objects/IPs?
Any insight is super appreciated
Cheers,
Oscar
Labels: Policy Installation, SmartConsole

Please elaborate with an example of what you want to achieve.

If I understand well, you would like to simply add more than one object on a NAT rule?
If so, you're right, we cannot do that; but this object could be a group of objects... That's the solution I would propose.
BTW: that could be the "What is your Check Point Idea of the Year?" entry; what do you think, Dameon Welch Abernathy?

Thank you Xavier, any chance you can provide an example of group of Objects which represent Public IPs? The Original Services uses a Port, which is different for each IP.
Hi Oscar, Vladimir Yakovlev proposed what I had in mind.
Regarding , you can look at the available articles on CheckMates, like Video Link: 5568

Thank you Xavier Bensemhoun. I have modified the #Ansible Playbook and am running it on my local OS X. I already enabled the API via the Management Server and tested login via Postman; all works.
Now I am just overcoming running the Playbook locally on OS X, as it wants to SSH into localhost, and I enabled SSH. But now I get another error. Figuring out what that actually is now...
I've used Ansible before but never forced it to SSH to the local machine, but rather remote machines like Linux and Windows via WinRM as well.
fatal: [127.0.0.1]: FAILED! => {
"changed": false,
"module_stderr": "/bin/sh: [path: command not found\n",
"module_stdout": "",
"msg": "MODULE FAILURE",
"rc": 127
}
to retry, use: --limit @/Users/sharepointoscar/Downloads/check_point_mgmt_v1.0.1/plays/cpmanagement/checkpointmanagement.retry
____________
< PLAY RECAP >
------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
127.0.0.1 : ok=0 changed=0 unreachable=0 failed=1

OK; so at this point, you should create another "question" article in the Developers (Code Hub) section so that everyone involved in using Ansible will be able to help you.

Thanks Xavier Bensemhoun. I'll post on the other forum. I got past this issue, but have others....

You mean something like this:
Thanks Vladimir. So here is a screenshot of my existing configuration. Basically I have about 80 more PIPs to protect; right now each line protects a PIP, since we have a different Service/Port for a given protocol.
I don't see how I can avoid using the Service/Protocol if I were to group the PIPs?

OK. Let's see if I understand your environment setup:
1. You are probably using your public DNS to translate URLs to the IP of the gateway with high ports.
2. Inbound traffic to the high ports hitting gateway is then NATed to the static private IPs with standard ports and forwarded to the servers.
If this is the case, you can implement another device between gateway and your servers that will perform NAT and PAT. Something like F5 will do the trick, I believe.
This should allow you to use a single static destination in a single rule, with "Original Services" containing a group comprised of all the custom HTTP/HTTPS services you have defined for your hosts and "Translated Services" remaining "Original".

Thank you Vladimir Yakovlev. We did not want to add yet another device for this scenario, which is why it would not work for us.

You're doing port translation for a specific destination IP, which will redirect to a different IP based on destination port.
Don't know of a way to do this without creating lots of rules, like you describe.
Thank you Dameon Welch Abernathy. My next approach will be to use Ansible to create a batch of Hosts and Rules and publish them.

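As an added example (not code from this thread or from the check_point_mgmt playbook), a Python script that builds the batch of Management API calls the post above describes: one host object, one custom TCP service and one static NAT rule per high-port-to-server mapping, followed by a single publish. The command and field names are those of the Check Point Management Web API (login, add-host, add-service-tcp, add-nat-rule, publish, logout, the X-chkp-sid header); the mapping table, object names, IP addresses and management hostname are constructed placeholders.

```python
import json
import ssl
import urllib.request

# Constructed sample: (public object, high port, server name, server IP, server port).
# The original poster has ~80 such rows, one NAT rule each.
MAPPINGS = [
    ("gw-public", 8081, "web-01", "10.0.1.11", 80),
    ("gw-public", 8082, "web-02", "10.0.1.12", 80),
    ("gw-public", 8443, "app-01", "10.0.2.21", 443),
]
PREDEFINED = {80: "http", 443: "https"}  # Check Point built-in service objects

def build_batch(mappings, package="Standard"):
    """Ordered (command, payload) list: host, custom service and static NAT rule
    per mapping, then one publish. Nothing is sent from here."""
    calls = []
    for public_obj, high_port, srv_name, srv_ip, srv_port in mappings:
        svc = f"tcp-{high_port}"
        calls.append(("add-host", {"name": srv_name, "ip-address": srv_ip}))
        calls.append(("add-service-tcp", {"name": svc, "port": str(high_port)}))
        calls.append(("add-nat-rule", {
            "package": package, "position": "bottom", "method": "static",
            "original-destination": public_obj, "original-service": svc,
            "translated-destination": srv_name,
            "translated-service": PREDEFINED.get(srv_port, f"tcp-{srv_port}"),
            "comments": f"PAT {public_obj}:{high_port} -> {srv_name}:{srv_port}",
        }))
    calls.append(("publish", {}))
    return calls

def call_api(mgmt, command, payload, sid=None):
    """POST one Management API command and return the decoded JSON reply."""
    headers = {"Content-Type": "application/json", **({"X-chkp-sid": sid} if sid else {})}
    req = urllib.request.Request(f"https://{mgmt}/web_api/{command}",
                                 data=json.dumps(payload).encode(), headers=headers)
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as r:
        return json.load(r)

def run_batch(mgmt, user, password, calls, dry_run=True):
    """Log in once, replay every call under that session, then log out.
    dry_run=True only prints the plan, so the batch can be rehearsed first."""
    if dry_run:
        for cmd, payload in calls:
            print(cmd, json.dumps(payload))
        return len(calls)
    sid = call_api(mgmt, "login", {"user": user, "password": password})["sid"]
    try:
        for cmd, payload in calls:
            call_api(mgmt, cmd, payload, sid)
    finally:
        call_api(mgmt, "logout", {}, sid)
    return len(calls)
```

Review the printed plan from the dry run before sending it: the rules are appended at the bottom of the package in table order, and the publish at the end is what makes them visible for policy installation.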
If the challenge is to deliver to a server farm, you can set up a logical server; it's not the most advanced but will allow you to add more than one server to receive it at the same destination port/service.
If it's just trying to map several services on a single public IP and deliver each to its own different IP, on a per-service basis, then I think it might be like Dameon says. I do have a question though.
If the "world" is going for a high port on the gw IP, why are you forcing the redirect to a standard port like HTTP? Why don't you put the listening HTTP on the same port you published to the outside world? By simply assuming you MUST redirect the destination port you are narrowing down your options yourself:
The above screenshot might as well be a group of high ports or whatever you need; just make the services on the server side match the original destination service and you are on with a bundle of ports in a single NAT rule.
Hope this helps
