This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
kadar2
Contributor
‎2020-12-03 03:16 AM
Jump to solution

Manual Static NAT question

Hello,

I would really appreciate it if someone could help me clarify the following issue.

 

Say that I have a site2site VPN. Traffic is initiated from the remote site. I would like to hide my internal server IPs behind a NAT subent, lets call it NAT_Internal.

Because I want my internal servers to still have internet access, I suppose that I need to create manual static NAT rules.The question is... do I need to create bidirectional manual static rules or just in one direction, depending on who initiates the traffic?

Example of rules:

Outgoing:

Original source: Real_inside_IP  --> Destination Source: Remote_subnet  Translated source: NAT_subnet_IP --> Translated destination: Original

Incoming:

Original source:Remote_subnet --> Destination Source: NAT_subnet_IP Translated source: Original --> Translated destination: Real_Inside_IP

The traffic will be initiated from the remote site. So are both rules needed?

My other question is if the policy access rules should contain the NATed IPs or the real IPs.

 

Thank you in advance!

0 Kudos
1 Solution

Accepted Solutions
JackPrendergast
Advisor
Advisor
‎2020-12-03 03:43 AM
In response to kadar2
Jump to solution

Hi  @kadar2 

 

Understood.

However, hiding your internal services seems unnecessary to me. "Security through obscurity" is generally a bad practice to follow as hiding your IP addresses provides what? Nothing..

If you hide them, they can not see the real IP, however they will still get to the intended destination via NAT - so whats the difference?

If you are concerned about remote users and their access to the internal servers, you should employ a proper firewall policy to restrict what they can and cant do.

Employing NAT over the VPN starts to open complications regarding 'NAT-T' and opening up different ports for NAT traversal - when really, your issue here is how you are tackling your security concerns.

 

To answer your questions regarding NAT. Bi-directional is needed if both sides need to INITIATE a connection.

If it's only 1 side initiating the connection, then 1 one NAT is needed.

If its initiated on both sides, bi-directional is needed

 

These are rules in general for NAT - however, as mentioned above, I don't recommend you employing this as you arent securing yourself any more than you think.

View solution in original post

4 Replies
JackPrendergast
Advisor
Advisor
‎2020-12-03 03:22 AM
Jump to solution

@kadar2  Hello -

 

First question is, why do you want to hide private internal IP's behind another IP address via NAT? What is the reasoning behind this?

 

You dont need bi-directional is traffic from the Internet isnt initiating a connection to a server i.e a incoming connection to a web server.

 

If this is client access out to the internet, you should need to have a NAT to hide your internal subnets behind your public IP - one way.

 

But the VPN bit confuses me. What are you trying to achieve here? Does the remote site have to go across the VPN to go out to the internet? Can it not break out locally? Whats your design?

0 Kudos
kadar2
Contributor
‎2020-12-03 03:33 AM
In response to JackPrendergast
Jump to solution

Maybe I did not correctly explain the situation in my original post.

If my internal servers want to go to the Internet, their IP will be hidden behind the Public IP. No problem there.

We need to create a site2site VPN. The peer subnets need to access some internal servers and for security reasons we would like the internal servers to be "hidden" from the peer, behind the NATed subnet. This should be done via manual static translation.

Does the translation need to be made bidirectional as per the example above?

And in the access rules should I include the real IPs of the servers or the NATed ones, when entering the VPN community?

Thanks!

0 Kudos
JackPrendergast
Advisor
Advisor
‎2020-12-03 03:43 AM
In response to kadar2
Jump to solution

Hi  @kadar2 

 

Understood.

However, hiding your internal services seems unnecessary to me. "Security through obscurity" is generally a bad practice to follow as hiding your IP addresses provides what? Nothing..

If you hide them, they can not see the real IP, however they will still get to the intended destination via NAT - so whats the difference?

If you are concerned about remote users and their access to the internal servers, you should employ a proper firewall policy to restrict what they can and cant do.

Employing NAT over the VPN starts to open complications regarding 'NAT-T' and opening up different ports for NAT traversal - when really, your issue here is how you are tackling your security concerns.

 

To answer your questions regarding NAT. Bi-directional is needed if both sides need to INITIATE a connection.

If it's only 1 side initiating the connection, then 1 one NAT is needed.

If its initiated on both sides, bi-directional is needed

 

These are rules in general for NAT - however, as mentioned above, I don't recommend you employing this as you arent securing yourself any more than you think.

kadar2
Contributor
‎2020-12-03 04:00 AM
In response to JackPrendergast
Jump to solution

I understand what you are implying. None the less, I would not like to further analyze what leads us to such an implementation...

So if only one participant initiates the connection, then one direction is needed. Understood!

Thank you for your time.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events