Hi Guys,
I am configuring an SMB 1590 device. I have a class of 8 public IPs that I can use from the ISP, and I want to add 2 public IPs to the same WAN internet connection interface, but I get the error "IP address is in the subnet of an existing network".
Can someone please help with this issue?
Hey,
What would be the reason you want to do that?
If you want to use the 2nd IP for NAT-ing traffic from certain users, it does not need to be defined on the box, as long as it's routed properly.
Thank you,
PS: not sure if an SMB differs too much from a 15600 GW, but for us it is working fine.
In this case, there is no difference between SMB and non-SMB.
Hey
I'm getting to the point. So it is not possible to add two public IPs to the same interface?
I'm using the Check Point firewall as a router in my case. The fiber optic line is connected directly to the appliance.
What do you recommend?
Thanks
No, it's not possible.
What is it you are trying to do that you think adding a second WAN IP would be the solution for?
I hate it when I get half answers, but still I'll ask again like others did 😁 ..
From a certain perspective we all use CKP as a router, but with extra features 🤣
So again, what would be the reason you want to do that? Why do you want to get 2 IPs or 10 IPs on the WAN interface?!?!?!
Thank you,
OK. I will try to describe the situation.
From the ISP I've got a public IP range, e.g.: 172.16.189.0/29 (172.16.189.1-6).
The ISP GW for me is: 172.16.189.1
Public IPs for me: 172.16.189.2-6 (5 public IPs) with GW 172.16.189.1
Now, I have multiple VLANs or LANs for easy understanding: LAN1 - 192.169.190.1/24 - Management Network, LAN2 - 192.168.191.1/24 - Production LAN, 192.168.192.1/24 - Guests Network, 192.168.193.1/24 - DMZ.
And I want to translate all these networks to different Public IPs like this:
192.168.190.0/24 -> 172.16.189.2
192.168.191.0/24 -> 172.16.189.3
192.168.192.0/24 -> 172.16.189.4
192.168.193.0/24 -> 172.16.189.5
So not just one server or host, or one by one, but the whole network I want to hide behind a different public IP.
How to do that?
I've created NAT rules, and they translate correctly, but SPARK does not react to anything other than the specified IP on the WAN interface.
I'm not able to create an ALIAS from the same WAN network to tell SPARK that this is also its IP address.
So, what now?
You need to create proxy ARPs for the relevant IPs manually.
See: https://support.checkpoint.com/results/sk/sk114531
No 🙂
There is an easy solution.
You have to create another NAT rule where the Original Destination is your required WAN IP.
So, e.g.:

| No. | Original Source | Original Destination | Original Service | Translated Source | Translated Destination | Translated Service |
|---|---|---|---|---|---|---|
| 1 | 192.168.191.0/24 | Any | Any | 172.16.189.3 | Original | Original |
| 2 | Any | 172.16.189.3 | Any | Original | Original | Original |

The 1st rule is about NAT from LAN to Internet, so all traffic from network 192.168.191.0/24 is NATed (masqueraded) to the 172.16.189.3 IP 🙂 You have to check "Hide multiple sources behind translated source address" and also "Serve as an ARP Proxy for the original destination's IP address".
The 2nd rule will assign another IP from the WAN network to the WAN interface and will send all traffic to this address to the right destination.
That's all 🙂
Now you can repeat it for every IP assigned to you by the ISP, and you can use all public IPs as you want 🙂
Hi Marek, may I ask you about the second NAT rule? Why is it not like below, could you please explain?
Is it because, once traffic reaches the first rule, a session is stored inside a NAT table, and once it receives communication from an external source it looks in the NAT table for the destination? Thanks

| No. | Original Source | Original Destination | Original Service | Translated Source | Translated Destination | Translated Service |
|---|---|---|---|---|---|---|
| 2 | Any | 172.16.189.3 | Any | Original | 192.168.191.0/24 | Original |
Hello,
It works for NEW incoming connections as well. 🙂 So I want to use it also for other networks on my LAN.
So then I'm able to create NAT to any device I want in my LAN, not just for devices inside 192.168.191.0/24 🙂
You can use the 2nd WAN IP for multiple LANs, and you will create just rules of type 1 (1st rule) and do not have to create another of the 2nd type 🙂
But how does incoming traffic know where to go (not initiated from the internal network) when the rule is like below?
The Original Destination is 172.16.189.3 and it is translated to 172.16.189.3; do I need any additional routing or something?

| No. | Original Source | Original Destination | Original Service | Translated Source | Translated Destination | Translated Service |
|---|---|---|---|---|---|---|
| 1 | 192.168.191.0/24 | Any | Any | 172.16.189.3 | Original | Original |
| 2 | Any | 172.16.189.3 | Any | Original | Original | Original |

OK. There are 2 situations:
1. Hiding outgoing traffic from the LAN behind another IP of the WAN (the IPs assigned by the ISP)
- When a packet goes out, the router builds a NAT table, and the returning packet (related/established) follows the stored info inside the NAT table, so the router knows where to send this returning packet.
2. Using another IP from the ISP-assigned IPs in NAT (e.g. web server, mail server)
- Now, an incoming packet is checked against the NAT rules to see if there is some redirection for it. If not, the packet is dropped. If yes, the packet is forwarded according to the rule it belongs to.
Hello,
I would like to set up multiple IP addresses from the internal network in the same way. I won't have any device/server in the internal network that should be accessible from the outside. Therefore, all communication into the network must be initiated from the internal side.
For this reason, I thought that only the first rule from the following would suffice:
However, when I set up only the first NAT rule, the communication did not work until I set up the second NAT rule; then access to the internet started working. I have read through it multiple times and do not understand why it doesn't work with just one NAT rule.
As I understand it, and according to what you wrote, a device from the internal network (192.168.191.0/24) starts communication to the internet, NAT translates it to the second public IP (172.16.189.3), then when a response comes back to the second public IP (172.16.189.3) on the Check Point, it checks the NAT table, and the message should return to the correct recipient.
This should be the end, but still the communication did not happen until we had the second NAT rule, even though we do not have any device in the network that new communication from the internet should reach?
Hello,
Put simply ... it looks like the 2nd rule tells the router "Hey, this is also my public IP" 🙂
I was investigating this before, and this was the reason why I put it here to help all others 🙂 so they do not waste time.
The 1st rule works, the packet goes out with the new (specified) public IP address. However, Check Point drops all packets to that IP (I did sniff that communication). So then I added the 2nd rule, and it looks like Check Point then knows that the packet belongs to it 🙂
So yes, just the 1st rule is not enough; both are needed to make an Internet connection via another public IP from the ISP.
Marek
Okay, I understand a bit more now. So with the second rule I say to my GW "hey, this is also my public IP". But when a connection is initiated from the outside, I also need another rule to tell my GW to what private IP it should translate the incoming connection. Am I right?
Thanks
Exactly 🙂
When a connection is initiated from outside, you need a NAT forward rule 🙂
Okay, so for example I would change NAT rule no. 2 and would edit the Translated Destination to my desired private IP.
Thank you, I understand it now.
Is it a locally or centrally managed GW?
It sounds like the 2nd NAT rule generates proxy ARP for this public IP, which the first rule doesn't do automatically.
You can verify it by running tcpdump on the interface facing the ISP, for example `tcpdump -nnei WAN | grep 172.16.189.3`.
Without the 2nd NAT rule, you will see lots of "who-has 172.16.189.3 tell x.x.x.x (router)"; with the 2nd NAT rule, you will see the same who-has once in a while, but you will also see a reply from the GW: "172.16.189.3 is-at mac-address (GW)".
There are procedures to add proxy ARP manually.
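The tcpdump check above can be automated when several ISP-assigned IPs are in play. This added example (not from the thread or from Check Point) parses constructed `tcpdump -nnei` ARP lines, reports which public IPs the ISP gateway is asking for without getting an answer, and flags IPs answered by more than one MAC; the sample capture, MAC addresses and function names are all assumptions.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -nnei WAN arp` output (not a real capture).
# 172.16.189.3 is answered by the GW, 172.16.189.4 is never answered,
# 172.16.189.5 is answered by two different MACs (a conflict worth a look).
SAMPLE = """\
12:00:01.000001 00:11:22:33:44:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 172.16.189.3 tell 172.16.189.1, length 46
12:00:02.000002 00:11:22:33:44:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 172.16.189.3 tell 172.16.189.1, length 46
12:00:02.000500 00:aa:bb:cc:dd:ee > 00:11:22:33:44:01, ethertype ARP (0x0806), length 42: Reply 172.16.189.3 is-at 00:aa:bb:cc:dd:ee, length 28
12:00:03.000003 00:11:22:33:44:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 172.16.189.4 tell 172.16.189.1, length 46
12:00:04.000004 00:11:22:33:44:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 172.16.189.5 tell 172.16.189.1, length 46
12:00:04.000600 00:aa:bb:cc:dd:ee > 00:11:22:33:44:01, ethertype ARP (0x0806), length 42: Reply 172.16.189.5 is-at 00:aa:bb:cc:dd:ee, length 28
12:00:04.000700 00:de:ad:be:ef:01 > 00:11:22:33:44:01, ethertype ARP (0x0806), length 42: Reply 172.16.189.5 is-at 00:de:ad:be:ef:01, length 28
"""

# Public IPs the ISP assigned in the thread (172.16.189.2-6).
PUBLIC_IPS = [f"172.16.189.{n}" for n in range(2, 7)]

REQ = re.compile(r"Request who-has (\S+) tell (\S+)")
REP = re.compile(r"Reply (\S+) is-at ([0-9a-f:]{17})")


def arp_summary(capture: str):
    """Count who-has requests per target IP and collect the MACs that replied for each IP."""
    requests, replies = Counter(), {}
    for line in capture.splitlines():
        m = REQ.search(line)
        if m:
            requests[m.group(1)] += 1
            continue
        m = REP.search(line)
        if m:
            replies.setdefault(m.group(1), set()).add(m.group(2))
    return requests, replies


def unanswered_public_ips(capture: str, public_ips=PUBLIC_IPS):
    """Assigned IPs the gateway asked for but nobody claimed: missing proxy ARP / 2nd NAT rule."""
    requests, replies = arp_summary(capture)
    return sorted(ip for ip in public_ips if requests[ip] > 0 and ip not in replies)


def conflicting_replies(capture: str):
    """IPs claimed by more than one MAC; an ARP conflict, not a working proxy ARP."""
    _, replies = arp_summary(capture)
    return sorted(ip for ip, macs in replies.items() if len(macs) > 1)


if __name__ == "__main__":
    print("unanswered:", unanswered_public_ips(SAMPLE))
    print("conflicts:", conflicting_replies(SAMPLE))
```

Feed it a real capture with `tcpdump -nnei WAN arp > arp.txt` and pass the file contents in place of `SAMPLE`.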