joesternna
Explorer

Can I NAT different ports on a single public IPv4 address to multiple internal servers?

I'm migrating to a Check Point 6400 Plus appliance from a Sophos UTM. On the Sophos UTM, I would use a single public IP for incoming TCP 443, TCP 22 and UDP 5008 traffic, with all of those ports going to different internal servers. If I'm understanding the Check Point documentation correctly, I can't do that with the new setup. I will need to use separate public IP addresses for each internal server I'm reverse publishing.

If someone could just say "Yep, that's right" or "no, look harder" I would appreciate it. 

0 Kudos
3 Replies
Tobias_Moritz
Advisor

This is no problem. You just create separate NAT rules for every mentioned port on the Check Point gateway, like you configured them on Sophos UTM or any other vendor's firewall.

Besides the fact that you linked to documentation for a very, very old version (R76; the current version is R80.40 or R81), I cannot see where you read there that this is not possible. This feature has been available almost forever on Check Point, if I remember correctly.

NAT Documentation for R80.40:

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_SecurityManagement_AdminGuid...

 

ossieaena
Explorer


@Tobias_Moritz wrote:

This is no problem. You just create separate NAT rules for every mentioned port on the Check Point gateway, like you configured them on Sophos UTM or any other vendor's firewall.

Besides the fact that you linked to documentation for a very, very old version (R76; the current version is R80.40 or R81), I cannot see where you read there that this is not possible. This feature has been available almost forever on Check Point, if I remember correctly.

NAT Documentation for R80.40:

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_SecurityManagement_AdminGuid...

 


Thank you very much for your reply!! It is very valuable.

0 Kudos
_Val_
Admin

Of course you can 🙂 You just need manual NAT rules with specific services in them, instead of Service:ANY

0 Kudos
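The difference the replies describe between per-service manual NAT rules and a Service: Any rule, as an added example that is not part of the original thread and is not Check Point code. It is a simplified first-match model of a manual NAT rulebase; the addresses, rule lists and function names are constructed for illustration.

```python
from typing import List, NamedTuple, Optional, Tuple

class NatRule(NamedTuple):
    orig_dst: str                        # public IP the client connects to
    service: Optional[Tuple[str, int]]   # (protocol, port); None models Service: Any
    xlate_dst: str                       # internal server the destination is rewritten to

def translate(rules: List[NatRule], dst: str, proto: str, port: int) -> Optional[str]:
    """Return the internal server chosen by the first matching rule, or None."""
    for rule in rules:
        if rule.orig_dst == dst and rule.service in (None, (proto, port)):
            return rule.xlate_dst
    return None

def shadowed(rules: List[NatRule]) -> List[int]:
    """Indexes of rules that can never match because an earlier rule
    for the same public IP already covers their service."""
    hidden = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.orig_dst == rule.orig_dst and earlier.service in (None, rule.service):
                hidden.append(i)
                break
    return hidden

PUBLIC = "203.0.113.10"  # constructed documentation-range address

# One public IP, three services, three internal servers (ports from the question).
PER_SERVICE = [
    NatRule(PUBLIC, ("tcp", 443), "10.0.0.10"),
    NatRule(PUBLIC, ("tcp", 22), "10.0.0.20"),
    NatRule(PUBLIC, ("udp", 5008), "10.0.0.30"),
]

# Same rulebase, but the first rule was left at Service: Any.
ANY_FIRST = [NatRule(PUBLIC, None, "10.0.0.10")] + PER_SERVICE[1:]

if __name__ == "__main__":
    for name, rules in (("per-service", PER_SERVICE), ("any-first", ANY_FIRST)):
        print(name)
        for proto, port in (("tcp", 443), ("tcp", 22), ("udp", 5008), ("tcp", 3389)):
            print(f"  {proto}/{port} -> {translate(rules, PUBLIC, proto, port)}")
        print(f"  shadowed rule indexes: {shadowed(rules)}")
```

With the Any rule first, every port on the public IP is translated to the first server, including ports nobody meant to publish, and the SSH and UDP 5008 rules never match.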