This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Thomas_B
Participant
‎2018-11-11 09:28 AM

R80.10 NAT Static

Hi all,

I came because I have a question.

According to the attached schema, I want to make a translation between a public IP and one of my private IP.

I think that what I want to do is Static Nat (One to One).

192.168.1.100 should be for my customer 1.1.1.4.

1.1.1.4 is not assigned carried by the Checkpoint.

The connection can be initiated by my server and by my customers servers.

Did my NAT rules are good?

Is currently not working.

Thank you

Thomas

NAT.png
Preview file
165 KB
6 Replies
Vladimir
Champion
Champion
‎2018-11-11 02:14 PM

Do not use NAT rules.

Delete or disable those you have created manually and setup Static NAT in the properties of the server object:

 

Create an access rule and install the policy.

Make sure that your ISP router is routing inbound traffic to your gateway's external IP.

0 Kudos
Gomboragchaa
Advisor
‎2018-11-11 06:58 PM

Configuration rules seems like a correct. 

Maybe you have to configure Proxy arp - Configuring Proxy ARP for Manual NAT

Also check the NAT configs from Global Properties...

Maarten_Sjouw
Champion
Champion
‎2018-11-12 02:13 AM

As per what Vladimir said, create automatic NAT and then the proxy arp wil be created automatically.

Regards, Maarten
Thomas_B
Participant
‎2018-11-12 02:29 AM

Ok but I want to NAT SRV001 only when it's talking with the SRV_CUSTOMERS not all the time.

How with the @Vladmir solution I can specify the destination when the server should be NATed like I did in my rules?

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2018-11-12 06:51 AM
In response to Thomas_B

Are you looking to only allow the SRV_CUSTOMERS group access to this NAT address and another group access to the same external IP but with another internal address?

If so you are still best off with a automatic NAT on the host, as this wil take care of the proxy ARP, next you can create a number of manual rules ABOVE the automatic rules to take care of that other  group.

The access itself, who can talk to who, you make sure of in the access rules not in the NAT rules.

Regards, Maarten
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top