This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Wilson_Wiley
Participant
‎2022-08-25 10:58 AM

Simplifying No-NAT Rules on internal networks

Hi All,

I'm looking to see if there is any way to simplify our no-NAT rules between internal networks. When you set hide or static NAT properties on network and host objects, you then have to have no-NAT rules to/from those objects otherwise your traffic gets NATed between internal networks too. We have just done one to one no-NAT rules, or created a group with all of the internal networks that we want to no-NAT and put that group as source and destination in a NAT rule. I was thinking of using the InternalZone object as source and destination, but it's not a selectable object in NAT rules. So, I wanted to post here to see if others have found any other methods of simplifying their no-NAT rules between internal networks/hosts. Looking forward to hearing what people say.

Cheers!

Wilson

0 Kudos
6 Replies
the_rock
Legend
Legend
‎2022-08-25 11:43 AM

Personally, I never found an easier way 😞

0 Kudos
BikeMan
Contributor
‎2022-08-26 03:40 AM

Hi Wilson,

Had the same issue, but the topic has be to managed at the network topology level. When using a well structured network, you might define a large network (->Class A /8) inside your organisation. So the first NAT rule would be Network_ClassA to NetworkClass A: keep original.

Currently no other idea.

Rgds,

 

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2022-08-26 05:37 AM

Security Zones are the way here, but they can't be used in NAT policies until you have at least R81 running on both gateway and management.

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm
0 Kudos
the_rock
Legend
Legend
‎2022-08-26 06:12 AM

@Timothy_Hall is right, you can use zones, but needs R81 minimum. Though, personally, I dont find that simplifies what you are after either : - (

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2022-08-26 06:46 AM
In response to the_rock

Well at least Security Zones allow you to match all traffic to or from an interface, and not have to maintain cumbersome groups listing all networks behind an interface for the anti-NAT rules.  Used to be you were stuck maintaining these groups anyway for your "specific" anti-spoofing topology configuration, but with the addition of the "Network defined by routes" option in R80.20+ that has gone away as well.

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm
Wilson_Wiley
Participant
‎2022-08-29 12:09 PM

Thank you all for your thoughts and insight on this. It sounds like R81 has some enhancements to the NATing rules that will allow using zones which is great. Since I'm not on R81 yet, I like the idea of using class A/B/C network objects for the private ranges. We already have network objects defined for the class A/B/C private ranges, so I can just put them in a no-NAT rule. That's going to be a lot cleaner than what I've got now.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events