This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
tropicanaslim
Contributor
‎2022-07-07 07:04 PM

Manual NAT - Port Address Translation

Hi All,

Right now i have some issue when configure Manual NAT using Port Address Translation.

For example :

  • <DNAT>  R81
    • Original: Any
    • Destination : x.x.x.x (public ip)
    • Original Service : 8443
    • Translate Source : Original
    • Translate Dest : z.z.z.z (local ip)
    • Translate Service : 443

However, the apps still cant access publicly. I read some docs, need to config the ARP? But i confused how to set up the ARP.

Is it mandatory to config the ARP for Manual NAT? Or any idea how to config Manual NAT without setting up the ARP?

 

Thank you everyone.

Labels
0 Kudos
2 Replies
Vladimir
Champion
Champion
‎2022-07-07 07:42 PM

Is the public IP, in your case, the IP of your firewall's external interface, or another address from your public IP range?

If it is the IP address of the firewall's interface, no manual ARP entry is required.

...but you still need to add another rule below yours, to ensure that the responses from Original Service 443 are translated to Service 8443.

If it is another address from the same public network, in addition to these two rules, you'll need manual ARP.

To do that, in Global Properties | NAT, check "Merge manual proxy ARP configuration"; OK

Publish changes and install the policy.

After policy is installed, SSH into the gateway and execute following commands:

add arp proxy ipv4-address AAA.AAA.AAA.AAA interface ethX real-ipv4-address XXX.XXX.XXX.XXX

save config

 

Where AAA.AAA.AAA.AAA is the public IP address you are using for that host, ethX is your External Interface and XXX.XXX.XXX.XXX is the IP address assigned to your External Interface.

MtxMan
Contributor
‎2022-07-27 05:18 PM
In response to Vladimir

Hi @Vladimir 

Recently i have issue about this, i need to NAT using ipsec interface, is it possible? because peer side dont wanna add some routing, so i tried to NAT but still unsuccessful, i think i have problem with manual NAT.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events