NAT+FQDN
Hi all,
Tell me how to implement NAT correctly (I have R81.20 and one real IP).
I need the following scenario, as in the picture:
1. Web.somedomain.con NAT to internal webserver-1
2. Web2.somedomain.con NAT to internal webserver-2
3. Web3.somedomain.con NAT to internal webserver-3
I set the NAT rule as:
Source (GeoIP) --- Dest (Web.somedomain.con) --- Services (http/https) ----> Redirect (Source as is) --- Dest (LocalWebserver) --- Services (http/https)
But it doesn't work.
How exactly is the gateway supposed to know, on the first packet, which of the three websites the client is trying to access when they all have the same IP?
Which means: this won't work.
It should work if you configure inbound HTTPS Inspection and use the same certificate for all three sites (each site is covered in the SNI of the certificate).
And, in this case, it would only work for HTTPS.
Maybe I didn't explain correctly.
My CPGW has one external IP; I need to NAT some services and redirect them to internal servers.
Example:
web.domain.com has IP 1.1.1.1, needs to redirect to internal server 1.1.1.1
mail.domain.com has IP 1.1.1.1, needs to redirect to internal server 2.2.2.2
domain.domnain.com has IP 1.1.1.1, needs to redirect to server 3.3.3.3
etc.
Hello,
I think phoneboy answered exactly what you are asking for. There is no way the firewall can know which domain the request is addressed to with NAT alone. You can use inbound HTTPS inspection as per phoneboy's recommendation. You can also use the reverse proxy feature explained here:
https://support.checkpoint.com/results/sk/sk110348
You must consider that only one HTTPS certificate is supported for all HTTPS sites, so it should be a wildcard. Another option I see is that each domain uses a different port to differentiate between them, for example:
web.domain.com:4000 has IP 1.1.1.1, needs to redirect to internal server 1.1.1.1
mail.domain.com:4001 has IP 1.1.1.1, needs to redirect to internal server 2.2.2.2
domain.domnain.com:4002 has IP 1.1.1.1, needs to redirect to server 3.3.3.3
Of course a dedicated reverse proxy, such as nginx, can also do the job. Hope some option is useful.
Regards
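Added example to illustrate both phoneboy's first-packet point and the reverse-proxy suggestion above (this is not code from the thread or from Check Point). A NAT rule is evaluated on the TCP SYN, which carries no payload and therefore no hostname; a layer-7 device instead peeks at the first client bytes, where the hostname appears as the SNI in a TLS ClientHello or the Host header of a plaintext HTTP request. The hostnames, the routing table and the RFC 5737 backend addresses are made up, and the ClientHello is constructed inline.

```python
import struct

# Hypothetical routing table a reverse proxy would hold: hostname -> backend.
ROUTES = {
    "web.domain.com": ("192.0.2.10", 443),
    "mail.domain.com": ("192.0.2.20", 443),
}


def parse_sni(data: bytes):
    """Return the server_name from a TLS ClientHello record, or None."""
    try:
        # Record: type 0x16 (handshake), version(2), length(2); handshake type 0x01.
        if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
            return None
        pos = 9 + 2 + 32                     # skip headers, client_version, random
        pos += 1 + data[pos]                 # session_id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + data[pos]                 # compression_methods
        ext_total = struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if ext_type == 0:                # server_name extension
                # list_len(2), name_type(1), name_len(2), host_name
                name_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
                return data[pos + 5:pos + 5 + name_len].decode("ascii").lower()
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def parse_http_host(data: bytes):
    """Return the Host header (without :port) of a plaintext HTTP/1.x request, or None."""
    try:
        head = data.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    if not lines[0].endswith(("HTTP/1.0", "HTTP/1.1")):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().split(":")[0].lower()
    return None


def choose_backend(first_bytes: bytes, routes=ROUTES):
    """The decision a layer-7 proxy makes from the first client bytes.

    Returns (hostname, backend); hostname is None when nothing in the bytes
    names a site, which is exactly the situation of a NAT rule seeing a SYN.
    """
    host = parse_sni(first_bytes) or parse_http_host(first_bytes)
    if host is None:
        return None, None
    return host, routes.get(host)


def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying only an SNI extension."""
    name = hostname.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32        # client_version + random
            + b"\x00"                          # empty session_id
            + b"\x00\x02\x13\x01"              # one cipher suite
            + b"\x01\x00"                      # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    # A SYN has no payload: this is all a NAT rule gets to decide on.
    print("SYN only        ->", choose_backend(b""))
    print("TLS ClientHello ->", choose_backend(build_client_hello("mail.domain.com")))
    print("HTTP request    ->", choose_backend(
        b"GET / HTTP/1.1\r\nHost: web.domain.com\r\n\r\n"))
```

The empty-bytes case returns no hostname at all, which is why a rule matching on "Web.somedomain.con" can never fire for the SYN; the other two cases show the fields an inbound HTTPS Inspection policy or a reverse proxy (the sk110348 feature, nginx) actually keys on. Note that a hostname only becomes readable this way if the proxy is allowed to see it, so for the TLS case it must own a certificate valid for every name it routes, which is the wildcard constraint mentioned above.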
As long as the services are all on different ports, you can make a NAT rule for each port you want to translate differently:
Any/1.1.1.1/TCP80 translate to Original/webserver-1/Original
Any/1.1.1.1/TCP25 translate to Original/mailserver-1/Original
Any/1.1.1.1/UDP53 translate to Original/nameserver-1/Original
etc.
Note that this would allow people to think they're connecting to web.domain.com on port 25.
