This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ThabEugS
Participant
2 weeks ago

NAT Loopback - Hairpin NAT

Good Day

We are trying to do allow hairpin NAT for our Mitel Voice system. We want our devices on the inside network to be able to reach the Mitel device, which is on the internal network, by its Public IP Address.

I have attached topology of the environment.

Tried sk110019 - not coming right

Regards

Preview file
80 KB
0 Kudos
7 Replies
the_rock
Legend
Legend
2 weeks ago

Can you give an example of how you did the nat rule?

Andy

0 Kudos
PhoneBoy
Admin
Admin
2 weeks ago

Here's what a Hairpin NAT rule is supposed to look like: https://community.checkpoint.com/t5/Security-Gateways/Traffic-flow-in-between-C-to-S-via-Firewall-Ho... 

ThabEugS
Participant
2 weeks ago
In response to PhoneBoy

What about the firewall rules ?

0 Kudos
the_rock
Legend
Legend
2 weeks ago
In response to ThabEugS

For regular fw rules, just make sure access is allowed.

Andy

0 Kudos
Chillyjim
Participant
2 weeks ago

Just to make sure I understand, do you want something on the 5.0/24 network to hit 5.5 via 161.30.141.1.12? Do you need to hide the client's IP addresses (or, more precisely, can you?)?

0 Kudos
ThabEugS
Participant
a week ago
In response to Chillyjim

That is what i am looking for.

0 Kudos
the_rock
Legend
Legend
2 weeks ago

For what is worth, though I know you said you followed the sk AI gave me in this example, but see below, hope it helps.

Andy

 

************************************

 

This is Check Point AI Assistant.

To configure NAT Loopback (Hairpin NAT / NAT Reflection) on a Check Point Security Gateway, follow these steps:

Background

NAT Loopback allows internal clients to access an internal server using its public IP address. This is useful when internal clients need to access services using the same domain name or IP address as external clients.

Network Topology Example

Consider the following network topology:

  • Client #1: Public IP 2.2.2.2
  • Client #2: Private IP 192.168.1.10
  • Security Gateway: Public IP 1.1.1.1, Private IP 192.168.1.1
  • Web Server: Private IP 192.168.1.2

Steps to Configure NAT Loopback

In SmartConsole R80 and Higher

  1. Create Host Objects:

    • Create host objects for Client #1, Client #2, Security Gateway, and Web Server with their respective IP addresses.

  2. Configure NAT Rules:

    • Open the NAT policy in SmartConsole.
    • Add the following NAT rules:
No. Original Source Original Destination Original Services Translated Source Translated Destination Translated Services Install On
1 Client #1's Public IP (2.2.2.2) Web Server's Public IP (1.1.1.1) http Client #1's Public IP (2.2.2.2) Web Server's Private IP (192.168.1.2) = Original Security Gateway
2 Client #2's Private IP (192.168.1.10) Web Server's Public IP (1.1.1.1) http Security Gateway's Private IP (192.168.1.1) Web Server's Private IP (192.168.1.2) = Original Security Gateway
3 Web Server's Private IP (192.168.1.2) * Any http Web Server's Public IP (1.1.1.1) = Original = Original Security Gateway
  1. Install Policy:
    • After configuring the NAT rules, install the policy on the Security Gateway.

In SmartDashboard R77.X and Lower

  1. Create Host Objects:

    • Create host objects for Client #1, Client #2, Security Gateway, and Web Server with their respective IP addresses.

  2. Configure NAT Rules:

    • Open the NAT policy in SmartDashboard.
    • Add the following NAT rules:
No. Original Packet Translated Packet Install On
1 Source: Client #1's Public IP (2.2.2.2), Destination: Web Server's Public IP (1.1.1.1), Service: http Source: Client #1's Public IP (2.2.2.2), Destination: Web Server's Private IP (192.168.1.2), Service: = Original Security Gateway
2 Source: Client #2's Private IP (192.168.1.10), Destination: Web Server's Public IP (1.1.1.1), Service: http Source: Client #2's Private IP (192.168.1.10), Destination: Web Server's Private IP (192.168.1.2), Service: = Original Security Gateway
3 Source: Web Server's Private IP (192.168.1.2), Destination: Any, Service: http Source: Web Server's Public IP (1.1.1.1), Destination: = Original, Service: = Original Security Gateway
  1. Install Policy:
    • After configuring the NAT rules, install the policy on the Security Gateway.

Important Notes

  • Ensure that the NAT rules are in the correct order.
  • Verify the connectivity and functionality after applying the NAT rules.

For more detailed information, you can refer to the Check Point support article sk110019.

Learn more:
  1. sk110019 - How to configure NAT Loopback (Hairpin NAT / NAT Reflection) on Check Point Security Gate...
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events