This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
johnnyringo
Advisor
‎2020-02-09 07:57 AM
Jump to solution

NAT rule hiding source IP of external address

Seems like a pretty basic question, but been searching for days and still haven't found an answer.

I simply want to Source Nat / "Hide" traffic from certain internet IP addresses coming in via the external network.  In this packet flow:

 

198.51.100.111 (Internet IP)  --->  203.0.113.222:8080 (Checkpoint External IP)  --->  10.10.10.111:80 Web server on internal network

 

The NAT Policy rule is written like so:

Source: All_Internet

Original destination: 203.0.111.222

Original Service: HTTP_proxy

Translated source: = Original

Translated destination: 10.10.10.111

Translated Services: http

Usually the web server would see the source IP 198.51.100.111 on traffic from internet.  I instead want it to see the Checkpoint's internal interface IP address of 10.10.10.1

What should be in the "Translated source" field for this to work?

3 Solutions

Accepted Solutions
Daniel_Schlifka
Contributor
‎2020-02-09 09:23 AM
Jump to solution

Hi,

just take the gateways interface from the objectslist.
There should be an entry named <yourgateway>_<interface-name>.
Select the interface which heads towards to http server.

View solution in original post

Daniel_Schlifka
Contributor
‎2020-02-10 09:13 AM
In response to johnnyringo
Jump to solution

GCP is slightly different story.
You need to create a dynamic host object for each gcp internal  lb ip. So one object for management vpc and additional one for your service-networks vpc. Than use the according object as translated source.

Please refer link below how to create dynamic objects.(Section Firewall and Natrules -> Create dynamic objects.)

https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_and_Above_CG_Autoscaling_Man...


additional reference:
sk121637
https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_IaaS_HighAvailabilty_for_G...

HtH

View solution in original post

0 Kudos
johnnyringo
Advisor
‎2020-02-19 11:25 AM
In response to johnnyringo
Jump to solution

I opened a case last week and the best solution they could provide was create local dynamic objects on each individual member with its internal IP address, i.e.

 

# On Cluster member-a

dynamic_objects -n LocalGateway-eth2 -r 10.10.10.2 10.10.10.2 -a

# On Cluster member-b

dynamic_objects -n LocalGateway-eth2 -r 10.10.10.3 10.10.10.3 -a

 

Then write a NAT rule with Translated Source = LocalGateway-eth2, NAT method = Hide

 

 

View solution in original post

0 Kudos
12 Replies
Daniel_Schlifka
Contributor
‎2020-02-09 09:23 AM
Jump to solution

Hi,

just take the gateways interface from the objectslist.
There should be an entry named <yourgateway>_<interface-name>.
Select the interface which heads towards to http server.

johnnyringo
Advisor
‎2020-02-09 09:57 AM
In response to Daniel_Schlifka
Jump to solution

Thank you for the response.

In SmartConsole, the gateway is called 'gateway1', with External interface eth0 and Internal interface eth1.

There is indeed object called gateway1_eth1, but it's a network group that lists the RFC 1918 blocks:

  • 10.0.0.0/255.0.0.0
  • 172.16.0.0/255.240.0.0
  • 192.168.0.0/255.255.0.0

I certainly do not remember creating this, so assume it was auto-discovered by looking at static routes during the import process.

The object with the internal IP was simply called "gateway1" which makes sense.  This gateway is deployed in AWS so eth1 is the management interface (I think CheckPoint calls this the "main" interface).  

I've set that as the translated source, verified NAT method was set to "hide", and it's doing exactly what I want.  The web server is receiving traffic from 10.10.10.1 now

 

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2020-02-09 10:19 AM
In response to johnnyringo
Jump to solution

You will need to create your own Host with the internal IP and called it something like Internal_FW and give it the internal IP of your gateway.
Regards, Maarten
0 Kudos
johnnyringo
Advisor
‎2020-02-09 11:08 AM
In response to Maarten_Sjouw
Jump to solution

How would this work in a cluster scenario where the two members share an external IP address, but the internal IP addresses are standalone?

Reason I ask is for the next step I have to get this configuration working on a cluster deployed in GCP.  There's a dynamic object called LocalGatewayExternal which automatically references the external interface, but I can't find a corresponding one for the internal interface.  

Maarten_Sjouw
Champion
Champion
‎2020-02-09 01:28 PM
In response to johnnyringo
Jump to solution

All your traffic handling cluster interfaces should have a VIP, so you would never run into an issue where this could happen.
Regards, Maarten
johnnyringo
Advisor
‎2020-02-10 06:57 AM
In response to Maarten_Sjouw
Jump to solution

There is no such thing as a VIP in public cloud deployments.  High Availability is handled by mapping the external IP address to the external NIC of the active cluster member, and pointing the default route to the internal NIC of the active.  Failover is then handled via API call

 

The guide, which I'm attaching, mentions creating a dynamic object called LocalGatewayExternal which represents the external NIC.  On a guess, I created a Dynamic Object called LocalGatewayInternal and that seems to represent the main (management) interface of the local gateway.  This works in our case because the management and internal networks are peered, but ideally I'd really like the internal interface to be used.

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2020-02-10 08:06 AM
In response to johnnyringo
Jump to solution

If you are relying on external factors to make the decision which device is taking the load, then I would not create a cluster object but just 2 gateways. That way you can much easier set NAT in and out bound to the correct hide address.
Regards, Maarten
0 Kudos
johnnyringo
Advisor
‎2020-02-10 08:29 AM
In response to Maarten_Sjouw
Jump to solution

We're using the Checkpoints to terminate site-to-site VPNs to customers, so doing standalone w/ load balancer is not an option.  We need an HA deployment.  

Daniel_Schlifka
Contributor
‎2020-02-10 09:13 AM
In response to johnnyringo
Jump to solution

GCP is slightly different story.
You need to create a dynamic host object for each gcp internal  lb ip. So one object for management vpc and additional one for your service-networks vpc. Than use the according object as translated source.

Please refer link below how to create dynamic objects.(Section Firewall and Natrules -> Create dynamic objects.)

https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_and_Above_CG_Autoscaling_Man...


additional reference:
sk121637
https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_IaaS_HighAvailabilty_for_G...

HtH

0 Kudos
johnnyringo
Advisor
‎2020-02-19 11:25 AM
In response to johnnyringo
Jump to solution

I opened a case last week and the best solution they could provide was create local dynamic objects on each individual member with its internal IP address, i.e.

 

# On Cluster member-a

dynamic_objects -n LocalGateway-eth2 -r 10.10.10.2 10.10.10.2 -a

# On Cluster member-b

dynamic_objects -n LocalGateway-eth2 -r 10.10.10.3 10.10.10.3 -a

 

Then write a NAT rule with Translated Source = LocalGateway-eth2, NAT method = Hide

 

 

0 Kudos
Ricki_Juntak
Explorer
‎2025-03-02 11:59 PM
In response to Maarten_Sjouw
Jump to solution

Hi Maarten,

I have condition, cluster gateway using the interface to nat all internal behind gateway is enable.

may question is there available to create specific NAT Loopback using IP external of the cluster? like on the SK110019, https://support.checkpoint.com/results/sk/sk110019 , I mean if we configure NAT with that condition (R81.10) is any impact for another traffic, cause the config enable the hide all internal behind gateway?

 

0 Kudos
PhoneBoy
Admin
Admin
‎2025-03-04 03:29 PM
In response to Ricki_Juntak
Jump to solution

NAT rules are enforced in order.
Not sure where the gateway/cluster objects "Hide All Behind Gateway" falls in the order, but I believe it will apply if no other rule does.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top