This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Wilson_Wiley
Participant
‎2022-08-25 10:58 AM

Simplifying No-NAT Rules on internal networks

Hi All,

I'm looking to see if there is any way to simplify our no-NAT rules between internal networks. When you set hide or static NAT properties on network and host objects, you then have to have no-NAT rules to/from those objects otherwise your traffic gets NATed between internal networks too. We have just done one to one no-NAT rules, or created a group with all of the internal networks that we want to no-NAT and put that group as source and destination in a NAT rule. I was thinking of using the InternalZone object as source and destination, but it's not a selectable object in NAT rules. So, I wanted to post here to see if others have found any other methods of simplifying their no-NAT rules between internal networks/hosts. Looking forward to hearing what people say.

Cheers!

Wilson

0 Kudos
6 Replies
the_rock
Legend
Legend
‎2022-08-25 11:43 AM

Personally, I never found an easier way 😞

0 Kudos
BikeMan
Participant
‎2022-08-26 03:40 AM

Hi Wilson,

Had the same issue, but the topic has be to managed at the network topology level. When using a well structured network, you might define a large network (->Class A /8) inside your organisation. So the first NAT rule would be Network_ClassA to NetworkClass A: keep original.

Currently no other idea.

Rgds,

 

0 Kudos
Timothy_Hall
Champion
Champion
‎2022-08-26 05:37 AM

Security Zones are the way here, but they can't be used in NAT policies until you have at least R81 running on both gateway and management.

Watch My 2023 CPX360 Speech Titled "Max Power
Reloaded: R81+ Gateway Performance Innovations"
0 Kudos
the_rock
Legend
Legend
‎2022-08-26 06:12 AM

@Timothy_Hall is right, you can use zones, but needs R81 minimum. Though, personally, I dont find that simplifies what you are after either : - (

0 Kudos
Timothy_Hall
Champion
Champion
‎2022-08-26 06:46 AM
In response to the_rock

Well at least Security Zones allow you to match all traffic to or from an interface, and not have to maintain cumbersome groups listing all networks behind an interface for the anti-NAT rules.  Used to be you were stuck maintaining these groups anyway for your "specific" anti-spoofing topology configuration, but with the addition of the "Network defined by routes" option in R80.20+ that has gone away as well.

Watch My 2023 CPX360 Speech Titled "Max Power
Reloaded: R81+ Gateway Performance Innovations"
Wilson_Wiley
Participant
‎2022-08-29 12:09 PM

Thank you all for your thoughts and insight on this. It sounds like R81 has some enhancements to the NATing rules that will allow using zones which is great. Since I'm not on R81 yet, I like the idea of using class A/B/C network objects for the private ranges. We already have network objects defined for the class A/B/C private ranges, so I can just put them in a no-NAT rule. That's going to be a lot cleaner than what I've got now.

0 Kudos