dede79
Contributor

ISP Redundancy - NAT

Hello,

As tested, outbound traffic hide-NAT works with ISP redundancy (act/standby) when selecting "hide behind gateway" in the network object. Solution should be sk25152.

Is there an option to do so with dynamic objects? Most customers use manual nat with groups in source column.

I tested in lab with 2 dynamic objects:

[Expert@ISPgw01:0]# dynamic_objects -l

object name : DYN_ISP_A
range 0 : 0.0.0.0 255.255.255.255

object name : DYN_ISP_B
range 0 : 0.0.0.0 255.255.255.255

Since the $FWDIR/bin/cpisp_update script looks really different than in the sk, I did not change it.

I created the same objects in the dashboard and made 2 NAT rules:

[image: isp-hnat.jpg]

If ISP A fails, the default route is switched to ISP B, but the public hide-NAT IP of ISP A is still used - Rule 5 always matches.

Version R81.10

0 Kudos
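As an added lab check, not code from the thread or from Check Point's sk25152 script, this POSIX shell function parses a `dynamic_objects -l` listing in the format shown above and reports which objects cover a given source address, in listing order, which is the order the manual hide-NAT rules would match if they reference the objects in that order (an assumption). Both listings are constructed: the first reproduces the lab state in the post (both objects span the whole address space, so the ISP A rule always wins), the second assumes the failed ISP's object has been narrowed to 0.0.0.0-0.0.0.0 so that only the ISP B rule matches.

```shell
#!/bin/sh
# Constructed listing reproducing the lab state from the post: both dynamic
# objects still span 0.0.0.0-255.255.255.255, so the first NAT rule always matches.
LAB_STATE='object name : DYN_ISP_A
range 0 : 0.0.0.0 255.255.255.255

object name : DYN_ISP_B
range 0 : 0.0.0.0 255.255.255.255'

# Constructed listing for an assumed failover state: the object of the failed
# ISP A has been narrowed to 0.0.0.0-0.0.0.0, so its NAT rule no longer matches.
FAILOVER_STATE='object name : DYN_ISP_A
range 0 : 0.0.0.0 0.0.0.0

object name : DYN_ISP_B
range 0 : 0.0.0.0 255.255.255.255'

# Print, one per line and in listing order, every dynamic object that has at
# least one range containing the IPv4 address $2. $1 is the listing text.
covering_objects() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        function ip2int(a,    p) {
            split(a, p, ".")
            return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
        }
        /^object name/ { name = $4 }
        /^range/ {
            if (!(name in seen) && ip2int(ip) >= ip2int($4) && ip2int(ip) <= ip2int($5)) {
                seen[name] = 1
                print name
            }
        }'
}

# The NAT rule that wins for a source address is the first object covering it.
first_nat_match() {
    covering_objects "$1" "$2" | sed -n '1p'
}

# Exit 0 when exactly one object covers the address (the expected state after a
# failover); exit 1 when zero or several do, the "Rule 5 always matches" symptom.
single_match() {
    [ "$(covering_objects "$1" "$2" | wc -l)" -eq 1 ]
}

printf 'lab state:      first match %s\n' "$(first_nat_match "$LAB_STATE" 10.1.1.5)"
printf 'failover state: first match %s\n' "$(first_nat_match "$FAILOVER_STATE" 10.1.1.5)"
```

On a gateway, the live listing can be checked with `covering_objects "$(dynamic_objects -l)" <source-ip>` after forcing a failover.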
9 Replies
G_W_Albrecht
Legend

>> Since $FWDIR/bin/cpisp_update script looks really different than in the sk I did not change it.

You have to - enter the needed lines as shown in sk25152 or the Dynamic objects will not change. sk25152 has more NAT rules and ARP requests for the Manual NAT IP to be taken care of.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
dede79
Contributor

OK, I think I skipped the "add" in the sk - now it works - manual HNAT rules... manual SNAT in/out for the DMZ servers - great!

0 Kudos
Jones
Collaborator

Hi,

sk25152 describes a script for two ISPs in a load sharing solution. From R81.10, more than two ISPs are supported. So what about a High Availability solution with three ISPs? That should also be possible. What lines in the cpisp_update are then needed for this solution?

Grtz Jones

0 Kudos
Jones
Collaborator

I got a reply from Check Point support. They updated sk25152 and gave me the cpisp_update lines for 3 ISPs, which I added to this post. Don't forget to add two extra lines on the CLI:

dynamic_objects -n DYN_ISP_C
dynamic_objects -o DYN_ISP_C -r 0.0.0.0 0.0.0.0 -a

0 Kudos
dede79
Contributor

I just have the same config with R81.20, but it is not working...

Do the dynamic objects / object names in the script have to be exactly "DYN_ISP_A" and so on, or can I use other names like "DYN_ISP_COLT"?

Regarding ISP Redundancy in load sharing and sk25152 - it is still mentioned there that the solution is only for HA. So there the only option is hide-behind-gateway?

0 Kudos
Wolfgang
Authority

@dede79 What do you want to achieve? The "hide behind gateway" setting is the solution for outgoing connections and ISP redundancy. You didn't write what your problem is. You wrote "Solution should be sk25152", but which problem?
0 Kudos
dede79
Contributor

Are you really able to hide everything behind the gateway in your environments? No need to use specific IPs for NAT?

0 Kudos
dede79
Contributor

Update from TAC: sk25152 is not supported from R81.10 upwards. The supported workaround would be using manual NAT rules with a zone in the destination field.

0 Kudos
cyberfinder
Explorer

Does specific-IP hide NAT work with ISP load sharing mode? As far as I have tried, it seems like it's not supported.

0 Kudos
