This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sam_Ponder
Contributor
‎2025-03-20 06:45 AM

Manual NAT rule with service translation, not translating service

Hi All,

I'm having some troubles with using manual NAT rules to translate a service. I do have manual arp entries added and the merge arp enabled.

natrules.png

From testing and from some packet captures, I can see that when traffic is destined for ms-mail2 it is natting to the correct IP, however the service isn't being translated from smtp(port 25) to smtp-alt(port 465).

This is my first venture down the manual NAT rules and I feel like I am missing something small.

 

Basically, wanting to do this. When port 25 traffic comes in on 66.66.66.1 it NATs to 10.10.10.11 and stays port 25, When port 25 traffic comes in on 66.66.66.2 it NATs to 10.10.10.11 and translates to port 465. 

email.png

 

Can someone please provide some guidance?

Thanks in advance!

Sam

 

Edit: to add more description

Labels
0 Kudos
8 Replies
Lesley
MVP Gold
MVP Gold
‎2025-03-25 01:21 PM

Does the traffic hit the correct NAT rule? How does the traffic log look like? 

Maybe fwmonitor capture will give a hint

# fw monitor -e "host(x.x.x.x),accept;" -o outputfile.cap

in order to filter for inbound and outbound traffic related to host x.x.x.x.

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
Sam_Ponder
Contributor
‎2025-03-26 08:50 AM
In response to Lesley

Hi Lesley,

The capture shows it translating the address but not translating the service/port. 

0 Kudos
AkosBakos
MVP Silver
MVP Silver
‎2025-03-26 05:02 AM

I hope, I understood correctly:

My guess are:

ORIGINAL DST: 66.66.66.1
ORIGINAL Services: smtp
translates src: orginal
translated dst: 10.10.10.11

ORIGINAL DST: 66.66.66.2
ORIGINAL Services: smtp
translates src: orginal
translated dst: 10.10.10.11
translated service: 465

Have a try.

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
Sam_Ponder
Contributor
‎2025-03-26 07:53 AM
In response to AkosBakos

Hi Akos,

Yes, that is what I am using, well that and the reverse for outbound translation.

0 Kudos
AkosBakos
MVP Silver
MVP Silver
‎2025-03-26 08:44 AM
In response to Sam_Ponder

Ok. Do you have any hits on the rules?

----------------
\m/_(>_<)_\m/
0 Kudos
Sam_Ponder
Contributor
‎2025-03-26 08:53 AM
In response to AkosBakos

 

no hits on the outbound nat rule, inbound nat rule shows a few, but it isnt translating the port/service. The firewall rule has hits on it, though it show nat 0 as the matching nat rule, in smartconsole logs. This is a clustered pair of 5400s.

 

Edit for clarification.

0 Kudos
AkosBakos
MVP Silver
MVP Silver
‎2025-03-26 09:05 AM
In response to Sam_Ponder

Can you share a depersonalized screenshot of the ACL, which allows the inbound and outbound traffic?

Maybe for easier understandig: if you set an automatic NAT for SMTP-> then check the rules that are created (NAT rulebase) -> you will get a impression how should look like the NAT for only SMTP

image.png

image.png

Then you will be able to copy it and expand the rules with ports etc.

----------------
\m/_(>_<)_\m/
0 Kudos
Sam_Ponder
Contributor
‎2025-03-26 12:07 PM
In response to AkosBakos

Akos,

Here you go. I want to add. Since initially starting this thread, I have it working on the firewall at our DR location. Initially, I got it working in Vegas by recreating the network objects that were in use and then it started working.

The IndyFW cluster, isn't behaving the same.

 
 

acl-nat.png

Edit: I am leaving on PTO today, returning on Monday

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events