Oscar_Medina1
Contributor

NAT Rules for multiple IP Addresses?

This may be a pipe-dream, but can I somehow create a NAT Rule and/or Policy to tell CP to protect a group of IP addresses instead of a single IP?  I've got a situation where my customer has multiple PIPs to protect, and I'd hate to create a NAT rule for each one.

I was thinking perhaps even connecting to Azure, then creating a NAT rule based on multiple Azure Objects/IPs?

Any insight is super appreciated :)
Cheers,
Oscar

14 Replies
Dor_Marcovitch
Advisor

Please elaborate with an example of what you want to achieve.

0 Kudos
rhapirou
Employee

If I understand well, you would like to simply add more than one object on a NAT rule?

If so, you're right, we cannot do that; but this object could be a group of objects... That's the solution I would propose.

BTW, that could be the "What is your Check Point Idea of the Year?" What do you think, Dameon Welch Abernathy? :)

Cybersecurity Evangelist, CISSP, CCSA-CCAS-CCCS-CCTA
0 Kudos
Oscar_Medina1
Contributor

Thank you Xavier, any chance you can provide an example of a group of objects which represent public IPs? The Original Services uses a port, which is different for each IP.

0 Kudos
rhapirou
Employee

Hi Oscar, Vladimir Yakovlev proposed to you what I was thinking of.

Regarding , you'll be able to look at available articles on CheckMates, like Video Link: 5568

Cybersecurity Evangelist, CISSP, CCSA-CCAS-CCCS-CCTA
Oscar_Medina1
Contributor

Thank you Xavier Bensemhoun. I have modified the #Ansible Playbook and am running it on my local OS X. I already enabled the API via the Management Server and tested login via Postman; all works.

Now I am just overcoming running the Playbook locally on OS X, as it wants to SSH into localhost, and I enabled SSH. But now I get another error. Figuring out what that actually is now...

I've used Ansible before but never forced it to SSH to the local machine, but rather to remote machines like Linux, and Windows via WinRM as well.

fatal: [127.0.0.1]: FAILED! => {
"changed": false,
"module_stderr": "/bin/sh: [path: command not found\n",
"module_stdout": "",
"msg": "MODULE FAILURE",
"rc": 127
}
to retry, use: --limit @/Users/sharepointoscar/Downloads/check_point_mgmt_v1.0.1/plays/cpmanagement/checkpointmanagement.retry
 ____________
< PLAY RECAP >
 ------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

127.0.0.1 : ok=0 changed=0 unreachable=0 failed=1

0 Kudos
rhapirou
Employee

OK; so at this point, you should create another "question" article in the Developers (Code Hub) section so that everyone involved in using Ansible will be able to help you.

Cybersecurity Evangelist, CISSP, CCSA-CCAS-CCCS-CCTA
0 Kudos
Oscar_Medina1
Contributor

Thanks Xavier Bensemhoun. I'll post on the other forum. I got past this issue, but have others....

Vladimir
Champion

You mean something like this:

Oscar_Medina1
Contributor

Thanks Vladimir, so here is a screenshot of my existing configuration. Basically I have about 80 more PIPs to protect; right now each line protects a PIP, since we have a different service/port for a given protocol.

I don't see how I can avoid using the Service/Protocol if I were to group the PIPs?

0 Kudos
Vladimir
Champion

OK. Let's see if I understand your environment setup:

1. You are probably using your public DNS to translate URLs to the IP of the gateway with high ports.

2. Inbound traffic to the high ports hitting the gateway is then NATed to the static private IPs with standard ports and forwarded to the servers.

If this is the case, you can implement another device between gateway and your servers that will perform NAT and PAT. Something like F5 will do the trick, I believe.

This should allow you to use a single static destination in a single rule, with "Original Services" containing a group comprised of all the custom HTTP/HTTPS services you have defined for your hosts and "Translated Services" remaining "Original".

0 Kudos
Oscar_Medina1
Contributor

Thank you Vladimir Yakovlev. We did not want to add yet another device for this scenario, hence it would not work for us.

0 Kudos
PhoneBoy
Admin

You're doing port translation for a specific destination IP, which will redirect to a different IP based on destination port.

Don't know of a way to do this without creating lots of rules, like you describe.

Oscar_Medina1
Contributor

Thank you Dameon Welch Abernathy. My next approach will be to use Ansible to create a batch of Hosts and Rules and publish them :)

0 Kudos
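The batch approach Oscar describes above, written out as an added example that is not code from this thread or from the Check Point Ansible playbook he mentions: a Python script that turns a list of "high port on the gateway's public IP maps to private server and standard port" entries into the Management API calls the thread's rule-per-PIP design needs (add-host, add-service-tcp, add-nat-rule, then one publish), and sends them in a single session. The mapping data, the gateway host object name `gw-public-ip`, the package name `Standard`, and the server, user and CA-file arguments are constructed placeholders; the command names, the `X-chkp-sid` header and the rule fields are those of the documented R80+ Management API.

```python
import json
import ssl
import urllib.request

# Constructed sample input: one entry per high port exposed on the gateway's
# public IP; srv_ip/srv_port is the private server and standard port behind it.
SAMPLE_MAPPINGS = [
    {"name": "web01", "gw_port": 10443, "srv_ip": "10.0.1.11", "srv_port": 443},
    {"name": "web02", "gw_port": 10444, "srv_ip": "10.0.1.12", "srv_port": 443},
    {"name": "api01", "gw_port": 18080, "srv_ip": "10.0.2.21", "srv_port": 8080},
]


def build_commands(mappings, package, gw_host_object):
    """Return an ordered list of (api_command, payload) pairs: the host and TCP
    service objects each static NAT rule needs, the rule itself, and a single
    publish at the end. A service object is created once even when several
    rules share a port, so the list is safe to replay in order."""
    commands = []
    seen_services = set()

    def tcp_service(port):
        name = f"tcp_{port}"
        if name not in seen_services:
            seen_services.add(name)
            # ignore-warnings: the management server warns when a second
            # service object uses a port a predefined service already has.
            commands.append(("add-service-tcp",
                             {"name": name, "port": str(port), "ignore-warnings": True}))
        return name

    for m in mappings:
        host_name = f"host_{m['name']}"
        commands.append(("add-host", {"name": host_name, "ip-address": m["srv_ip"]}))
        original_svc = tcp_service(m["gw_port"])      # what clients hit on the gateway
        translated_svc = tcp_service(m["srv_port"])   # what the server listens on
        commands.append(("add-nat-rule", {
            "package": package,
            "position": "bottom",
            "name": f"nat_{m['name']}_{m['gw_port']}",
            "enabled": True,
            "original-destination": gw_host_object,
            "original-service": original_svc,
            "translated-destination": host_name,
            "translated-service": translated_svc,
            "method": "static",
            "comments": "batch-created port-forward rule",
        }))
    commands.append(("publish", {}))
    return commands


def api_call(server, command, payload, sid=None, ssl_context=None):
    """POST one Management API command and return the decoded JSON reply."""
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid
    req = urllib.request.Request(f"https://{server}/web_api/{command}",
                                 data=json.dumps(payload).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ssl_context, timeout=30) as resp:
        return json.load(resp)


def apply_commands(commands, server, user, password, ca_file):
    """Log in, run every command in order, and log out. Certificate checking
    stays on: ca_file is the management server's CA certificate exported from
    it. If any call fails before publish, the session's changes are discarded
    so a half-built batch never reaches the rule base."""
    ctx = ssl.create_default_context(cafile=ca_file)
    sid = api_call(server, "login", {"user": user, "password": password},
                   ssl_context=ctx)["sid"]
    try:
        for command, payload in commands:
            api_call(server, command, payload, sid=sid, ssl_context=ctx)
    except Exception:
        api_call(server, "discard", {}, sid=sid, ssl_context=ctx)
        raise
    finally:
        api_call(server, "logout", {}, sid=sid, ssl_context=ctx)


if __name__ == "__main__":
    # Dry run: list the calls that would be sent; no management server needed.
    for command, payload in build_commands(SAMPLE_MAPPINGS, "Standard", "gw-public-ip"):
        print(command, json.dumps(payload))
```

The dry run is the review step: the generated list is what gets applied, so it can be diffed against the intended mapping table before anyone calls `apply_commands` (and the same list can be fed to an Ansible playbook instead, since the module calls map one-to-one onto these commands). Because every rule is appended with `"position": "bottom"`, existing hand-written NAT rules keep their precedence.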
MrSaintz
Contributor

If the challenge is to deliver to a server farm, you can set up a logical server; it's not the most advanced, but it will allow you to add more than one server to receive traffic at the same destination port/service.

If it's just trying to map several services on a single public IP and deliver each to its own different IP, on a per-service basis, then I think it might be like Dameon says. I do have a question though.

If the "world" is going for a high port on the gw IP, why are you forcing the redirect to a standard port like http? Why don't you put the listening http at the same port you published to the outside world? By simply assuming you MUST redirect the destination port, you are narrowing down your options yourself:

The above screenshot might as well be a group of high ports or whatever you need; just make the services on the server side match the original destination service and you are on with a bundle of ports in a single NAT rule.

Hope this helps

Carlos Santos
