You can configure that settiong manually, but when you enable it through the object itself, it places rule(s) on its own in NAT rule base.

Forgive my ignorance, how does one accomplish creating a Manual Hide NAT rule in the same way Automatic hide nat rules behind "Gateway" are done?

The abstraction of "use whatever ip is on the interface it gets sent out on" is what I'm after.

It's been a tough week 😞

You used to be able to configure hide NAT for 0.0.0.0 to hide NAT behind the interface that you are exiting. I have not tried that in a few versions so your mileage may vary. Looks like it is not recommended anymore: Using a "Hide behind IP address 0.0.0.0" as the translated source object (checkpoint.com)

No ignorance, all good, happy new year btw! Anyhow, what you can do to follow my example is pick random subnet, enable hide nat option and you will see 2 rules added in NAT rulebase, that will give you an idea.

Andy

Thanks.

So what I get with using the Automatic Hide NAT behind gateway option using a given subnet is something like this:

Orig Src     |      Orig Dest     |     Orig Svc    |                  Trans Source                          |      Trans Dest     |   Trans Service

SubnetA               SubnetA            any                                  Original                                       Original                Original

SubnetA                  any                   any                     (H) Subnet A (Hiding Address)             Original                Original


When I try to recreate this manually:

Orig Src     |      Orig Dest     |     Orig Svc    |                  Trans Source                          |      Trans Dest     |   Trans Service

SubnetA               SubnetA            any                                  Original                                       Original                Original

SubnetA                  any                   any                              (H) Subnet A                                  Original                Original

I get "Invalid Object Subnet A in Translated Source of Address Translation Rule. Valid objects are host, gateway, gateway cluster, router, dynamic object and address range with one object.

You have not properly recreated the automatic NAT rule.
The "hiding address" is set on the object itself in the case of an automatic rule.
In the case of a manual HIDE NAT, the translated source NAT field needs to specify an object that resolves to either a single IP (like a gateway object) or an address range.

Well if I set a single IP - I will break connectivity if I fail over to ISP2.

If I select an address range with both my WAN interfaces - it is liable to select one that isn't UP.

Does this mean I can't recreate the behavior of Automatic NAT Hide behind Gateway with Manual NAT Hide?

I see one of two possibilities:

• Try using a HIDE NAT address of 0.0.0.0 to see if it works
• Write a script to monitor which ISP is active and have it change a Dynamic Object that you create and set the IP to and use in your NAT policy. This is more or less exactly what ISP Redundancy does. 

Dynamic Objects are defined in the Access Policy.
The contents of that object are set using the dynamic_objects CLI command in Expert Mode on the relevant gateways.
More information on the dynamic_objects command: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

This SK seems to suggest you can set a Dynamic Object to 0.0.0.0/0.0.0.0 (done as part of an ISP Redundancy configuration): See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Some options in no particular order for lab testing might be:

- Try using Zone objects with your NAT policy (different zone for each interface/ISP)

- NAT using an object 0.0.0.0 to dynamically pickup the local interface address

- Try Dynamic objects like LocalMachine

- NAT using addresses from the advertised subnets

- Use a router external to CP to host the ISP connections 

Thanks for all the ideas.

---

@Chris_Atkinson wrote:

Some options in no particular order for lab testing might be:

- Try using Zone objects with your NAT policy (different zone for each interface/ISP)

---

I don't even get the option to select a zone in Translated Source

---

- NAT using an object 0.0.0.0 to dynamically pickup the local interface address

---

I thought this was no longer recommended as mentioned here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

---

- Try Dynamic objects like LocalMachine

---

I tried this but I got warnings like "Dynamic Object localmachine is used in the policy but not defined on the security gateway". Which lead me to: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

.. which I tried and then I got policy installation errors: "Failed to find a dynamic interface on DAIP module"

---

- NAT using addresses from the advertised subnets

This is an option

---

- Use a router external to CP to host the ISP connections 

---

 While this makes sense I'd like to avoid it. The CP will be terminating VPNs and I have a need to steer traffic down a specific VPN tunnel which will become problematic. Nevermind adding routing complexity. 2 of the CPs actually live on a different physical sites and what I intend to happen if the interlink goes down is: Side1 can only communicate with ISP1 and Side2 can only communicate with ISP2.

Note using Zones in the NAT policy requires Management version R81 or higher. 

I'm 81.10 and Zones don't even show up in the "Filter" option when selecting a translated source.

I can use them in Original Source and Original Destination, but not translated columns.

Gateway version?

To be honest (though I've not tested it) I was thinking they would be used in the destination context i.e. traffic towards zone A hide behind a certain address, traffic towards zone B hide behind a different address.

Same, 81.10.

Do you have existing Zone objects that you use elsewhere in your policy / assigned to interfaces or are there none defined yet?

I'll take a look in my lab later this evening...

Indeed I do and would even prefer to keep using them.

@Chris_Atkinson is right, zones do work in R81 with nat tules. Does it now give you an option to add them? I just tested in my lab and its there for both src/dst.

It is not. Only in Original Source and Original Destination. Not Translated columns: 

I'm also still unable to recreate the "Automatic Hide NAT rules" manually (as we discussed above) without getting "Invalid Object Subnet A in Translated Source of Address Translation Rule. Valid objects are host, gateway, gateway cluster, router, dynamic object and address range with one object"

I'm defo 81.10, show version all:

Product version Check Point Gaia R81.10
OS build 335
OS kernel version 3.10.0-957.21.3cpx86_64
OS edition 64-bit

You cant add them in translated column, only original, so thats expected. As far as creating manual hide nat rules, I would need to see for myself.

For reference this is the rule I just verified / installed in the lab (haven't done any testing beyond this point).

Both the Original Source & Original Destination reference zone objects that I located via text search.

Yes, I can do that. But my objective here is outgoing NAT.

Interface A is ISP1

Interface B is ISP2

Both are advertising a default route to me, I'm preferring ISP1 - so by default I am NAT'ing behind the IP of interface A.

But if ISP1 goes down, ISP2's default routes take over.

I would need the NAT to change to Interface B.

With your screenshot, since it would always use the first NAT rule - it would attempt to NAT behind an ip of an interface that is down.

As long as you have proper default gateway for that IPS link in gateway properties and internal networks are hide-natted behind gateway external IP, if one link fails, then when users go to the Internet, if they were to do whatismyip.com, they would get presented with your 2nd ISP link IP address.

And that is indeed what's happening when I use a Subnet Object and select "Automatic Hide NAT behind Gateway".

Now I just wish I could create that manually for better organization in the NAT table.

@PhoneBoy is right, you need something like below. Now, I get your point about having NAT rule that does not have to be "active" at this point, so not sure best way to go about except disable it.

Here is nat rule that would work:

That would work, as long as the ISP for your "gateway_external" is UP. (ISP1 in my case)

ie: 0.0.0.0/0 via x.x.x.x on Interface A

If ISP1 goes down, I would then get a routing table change where 0.0.0.0/0 is now via y.y.y.y on Interface B.

Yet the first NAT rule to be hit would still be Interface A's.

I see what you are saying, thats true. Sorry, not sure at this point best way to go about it, lets see if anyone else may know.

Indeed depends how we calculate the Zone relative to the egress interface it's tagged to, possibly an RFE.

I've sought some feedback internally based upon the following example: