This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Thomas_B
Participant
‎2018-11-11 09:28 AM

R80.10 NAT Static

Hi all,

I came because I have a question.

According to the attached schema, I want to make a translation between a public IP and one of my private IP.

I think that what I want to do is Static Nat (One to One).

192.168.1.100 should be for my customer 1.1.1.4.

1.1.1.4 is not assigned carried by the Checkpoint.

The connection can be initiated by my server and by my customers servers.

Did my NAT rules are good?

Is currently not working.

Thank you

Thomas

Preview file
165 KB
6 Replies
Vladimir
Champion
Champion
‎2018-11-11 02:14 PM

Do not use NAT rules.

Delete or disable those you have created manually and setup Static NAT in the properties of the server object:

 

Create an access rule and install the policy.

Make sure that your ISP router is routing inbound traffic to your gateway's external IP.

0 Kudos
Gomboragchaa
Advisor
‎2018-11-11 06:58 PM

Configuration rules seems like a correct. 

Maybe you have to configure Proxy arp - Configuring Proxy ARP for Manual NAT

Also check the NAT configs from Global Properties...

Maarten_Sjouw
Champion
Champion
‎2018-11-12 02:13 AM

As per what Vladimir said, create automatic NAT and then the proxy arp wil be created automatically.

Regards, Maarten
Thomas_B
Participant
‎2018-11-12 02:29 AM

Ok but I want to NAT SRV001 only when it's talking with the SRV_CUSTOMERS not all the time.

How with the @Vladmir solution I can specify the destination when the server should be NATed like I did in my rules?

0 Kudos
Vladimir
Champion
Champion
‎2018-11-12 04:51 AM
In response to Thomas_B

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2018-11-12 06:51 AM
In response to Thomas_B

Are you looking to only allow the SRV_CUSTOMERS group access to this NAT address and another group access to the same external IP but with another internal address?

If so you are still best off with a automatic NAT on the host, as this wil take care of the proxy ARP, next you can create a number of manual rules ABOVE the automatic rules to take care of that other  group.

The access itself, who can talk to who, you make sure of in the access rules not in the NAT rules.

Regards, Maarten
0 Kudos