This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
dede79
Contributor
‎2023-02-01 05:44 AM
Jump to solution

ISP Redundancy - NAT

Hello,

as tested outbound traffic hide-nat works with ISP redundancy (act/standby)  when selecting hide behind gateway in the network object. Solution should be sk25152.

Is there an option to do so with dynamic objects? Most customers use manual nat with groups in source column.

I tested in lab with 2 dynamic objects:

[Expert@ISPgw01:0]# dynamic_objects -l

object name : DYN_ISP_A
range 0 : 0.0.0.0 255.255.255.255

object name : DYN_ISP_B
range 0 : 0.0.0.0 255.255.255.255

Since $FWDIR/bin/cpisp_update script looks really different than in the sk I did not change it.

created the same objects in dashboard and made 2 nat rules:

isp-hnat.jpg

 

If ISP A fails default route is switched to ISP B but the still the public hidenat IP of ISP A is used - Rule 5 always matches.

Version R81.10

0 Kudos
1 Solution

Accepted Solutions
G_W_Albrecht
Legend
Legend
‎2023-02-01 07:53 AM
Jump to solution

>> Since $FWDIR/bin/cpisp_update script looks really different than in the sk I did not change it.

You have too - enter the needed lines as shown in sk25152 or the Dynamic objects will not change. sk25152 has more NAT rules and ARP Requests for the Manual NAT IP to be taken care of.

CCSE CCTE CCSM SMB Specialist

View solution in original post

3 Replies
G_W_Albrecht
Legend
Legend
‎2023-02-01 07:53 AM
Jump to solution

>> Since $FWDIR/bin/cpisp_update script looks really different than in the sk I did not change it.

You have too - enter the needed lines as shown in sk25152 or the Dynamic objects will not change. sk25152 has more NAT rules and ARP Requests for the Manual NAT IP to be taken care of.

CCSE CCTE CCSM SMB Specialist
dede79
Contributor
‎2023-02-02 02:21 AM
In response to G_W_Albrecht
Jump to solution

OK, I think I skipped the "add" in the sk - now it works - manual HNAT  Rules...manual SNAT in/out for the DMZ Servers - great!

0 Kudos
Wolfgang
Mentor
Mentor
‎2023-02-01 09:11 AM
Jump to solution

  • @dede79 What do you want to achieve?  The „hide behind gateway“ setting is the solution for outgoing connections and ISP redundancy. You don‘t wrote what‘s your problem. You wrote „ Solution should be sk25152“ but which problem?
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫