Simplifying No-NAT Rules on internal networks
Hi All,
I'm looking to see if there is any way to simplify our no-NAT rules between internal networks. When you set hide or static NAT properties on network and host objects, you then have to have no-NAT rules to/from those objects otherwise your traffic gets NATed between internal networks too. We have just done one to one no-NAT rules, or created a group with all of the internal networks that we want to no-NAT and put that group as source and destination in a NAT rule. I was thinking of using the InternalZone object as source and destination, but it's not a selectable object in NAT rules. So, I wanted to post here to see if others have found any other methods of simplifying their no-NAT rules between internal networks/hosts. Looking forward to hearing what people say.
Cheers!
Wilson
Personally, I never found an easier way 😞
Hi Wilson,
Had the same issue, but the topic has to be managed at the network topology level. When using a well-structured network, you might define a large network (-> Class A /8) inside your organisation. So the first NAT rule would be Network_ClassA to Network_ClassA: keep original.
Currently no other idea.
Rgds,
Security Zones are the way here, but they can't be used in NAT policies until you have at least R81 running on both gateway and management.
CET (Europe) Timezone Course Scheduled for July 1-2
@Timothy_Hall is right, you can use zones, but it needs R81 minimum. Though, personally, I don't find that simplifies what you are after either :-(
Well at least Security Zones allow you to match all traffic to or from an interface, and not have to maintain cumbersome groups listing all networks behind an interface for the anti-NAT rules. Used to be you were stuck maintaining these groups anyway for your "specific" anti-spoofing topology configuration, but with the addition of the "Network defined by routes" option in R80.20+ that has gone away as well.
Thank you all for your thoughts and insight on this. It sounds like R81 has some enhancements to the NATing rules that will allow using zones which is great. Since I'm not on R81 yet, I like the idea of using class A/B/C network objects for the private ranges. We already have network objects defined for the class A/B/C private ranges, so I can just put them in a no-NAT rule. That's going to be a lot cleaner than what I've got now.
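The approach the thread settles on (one "keep original" rule whose source and destination are the RFC 1918 private-range objects, placed above the hide/static NAT rules that the object properties generate) only works if the no-NAT rule is matched first, since a NAT rulebase is evaluated top-down, first match wins. The script below is an added illustration, not Check Point code and not a model of the gateway itself: it is a small first-match NAT rulebase simulator, with constructed rule and flow data, that shows internal-to-internal traffic keeping its original source under the suggested order, getting hidden when the hide rules are above the no-NAT rule, and a `shadowed_no_nat()` check that flags a no-NAT rule that sits below an overlapping hide rule. It matches on source and destination only (no service column), and the addresses are documentation ranges chosen for the example.

```python
"""First-match NAT rulebase simulator (added example, not Check Point's engine).

Models the thread's suggestion: a single no-NAT ("keep original") rule for the
RFC 1918 ranges placed above the per-network hide NAT rules.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# The "class A/B/C private range" network objects mentioned in the thread.
RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]
ANY = [ip_network("0.0.0.0/0")]


@dataclass
class NatRule:
    name: str
    src: List[object]            # original-source networks
    dst: List[object]            # original-destination networks
    method: str                  # "original" (no-NAT) or "hide"
    translated_src: Optional[str] = None  # hide-behind address for "hide"


def _matches(nets, addr) -> bool:
    return any(addr in net for net in nets)


def first_match(rulebase: List[NatRule], src: str, dst: str) -> Optional[NatRule]:
    """Walk the rulebase top-down and return the first rule matching the flow."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rulebase:
        if _matches(rule.src, s) and _matches(rule.dst, d):
            return rule
    return None  # nothing matched: packet is forwarded untranslated


def translate(rulebase: List[NatRule], src: str, dst: str) -> str:
    """Return the source address the flow leaves the gateway with."""
    rule = first_match(rulebase, src, dst)
    if rule is None or rule.method == "original":
        return src
    return rule.translated_src


def shadowed_no_nat(rulebase: List[NatRule]) -> List[str]:
    """Names of no-NAT rules that an earlier hide rule can match before them.

    Any overlap of both source and destination with an earlier translating rule
    means some internal-to-internal flows will be NATed despite the no-NAT rule.
    """
    shadowed = []
    for i, rule in enumerate(rulebase):
        if rule.method != "original":
            continue
        for earlier in rulebase[:i]:
            if earlier.method == "original":
                continue
            src_overlap = any(a.overlaps(b) for a in earlier.src for b in rule.src)
            dst_overlap = any(a.overlaps(b) for a in earlier.dst for b in rule.dst)
            if src_overlap and dst_overlap:
                shadowed.append(rule.name)
                break
    return shadowed


# Constructed rulebases. GOOD is the order suggested in the thread: no-NAT first,
# then the hide rules that hide-NAT properties on the network objects would create.
NO_NAT = NatRule("no-NAT internal", RFC1918, RFC1918, "original")
HIDE_10 = NatRule("hide 10.1.0.0/16", [ip_network("10.1.0.0/16")], ANY, "hide", "203.0.113.10")
HIDE_192 = NatRule("hide 192.168.5.0/24", [ip_network("192.168.5.0/24")], ANY, "hide", "203.0.113.10")

GOOD = [NO_NAT, HIDE_10, HIDE_192]
BAD = [HIDE_10, HIDE_192, NO_NAT]   # same rules, hide rules placed above the no-NAT rule


if __name__ == "__main__":
    flows = [("10.1.2.3", "192.168.5.7"), ("10.1.2.3", "198.51.100.4"), ("10.9.9.9", "10.1.2.3")]
    for label, rb in (("GOOD", GOOD), ("BAD", BAD)):
        print(f"{label}: shadowed no-NAT rules = {shadowed_no_nat(rb)}")
        for src, dst in flows:
            print(f"  {src} -> {dst}: leaves as {translate(rb, src, dst)}")
```

Running it shows the first flow (internal to internal) keeping 10.1.2.3 under GOOD and leaving as 203.0.113.10 under BAD, while the internet-bound flow is hidden under both orders; `shadowed_no_nat(BAD)` names the misplaced rule. The same ordering check is what to confirm in the real policy, where manual rules have to sit above the automatic ones for the thread's single-rule approach to hold.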
