This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Leon_Jaimes1
Participant
‎2019-07-25 12:44 PM
Jump to solution

NAT based on source address and destination address and destination port

Hello,

I wanted to run this by the board here, and maybe help others looking for a similar answer.

I have a firewall migration where the existing NAT is set up to translate traffic from different sources destined to the the same public IP (not the interface IP), and different ports. 

The use cases are as follows:

  1. Incoming packet from src:3.3.3.3 dst:2.2.2.1 port:4567, translate to src:3.3.3.3 dst:10.2.2.1 port:4567
  2. Incoming packet from src:4.4.4.4 dst:2.2.2.1 port:5678, translate to src:4.4.4.4 dst: 10.4.4.1 port:5678
  3. Incoming packet from src:4.4.4.5 dst:2.2.2.1 port:5678, translate to src:4.4.4.5 dst: 10.4.4.1 port:5678
  4. Incoming packet from src:4.4.4.4 dst:2.2.2.1 port:6789, translate to src:4.4.4.4 dst: 10.4.4.1 port:6789
  5. Incoming packet from src:4.4.4.5 dst:2.2.2.1 port:6789, translate to src:4.4.4.5 dst: 10.4.4.1 port:6789
  6. Incoming packet from src:5.5.5.5 dst:2.2.2.1 port:7890, translate to src:5.5.5.5 dst: 10.5.5.1 port:7890

Lines 2,3,4,5 represent a group of source hosts that connect to multiple destination ports.

Field Abreviations: Orignal Source(OSrc), Original Destination(ODst), Orignal Service(OSrv), Translated Source(TSrc), Translated Destination(TDst), Translated Service(TSrv) 

I believe that I need to configure manual rules for each of these as follows, and also configure a proxy arp entry for 2.2.2.1:

  1. OSrc:3.3.3.3 ODst:2.2.2.1 OSrv:4567 TSrc:Original TDst:10.2.2.1 TSrv:Original
  2. OSrc:10.2.2.1 ODst:3.3.3.3 OSrv:Any TSrc:2.2.2.1 TDst:Original TSrv:Original
  3. OSrc:(4.4.4.4-4.4.4.5) ODst:2.2.2.1 OSrv:5678 TSrc:Original TDst:10.4.4.1 TSrv:Original
  4. OSrc:(4.4.4.4-4.4.4.5) ODst:2.2.2.1 OSrv:6789 TSrc:Original TDst:10.4.4.1 TSrv:Original
  5. OSrc:10.4.4.1 ODst:(4.4.4.4-4.4.4.5) OSrv:Any TSrc:2.2.2.1 TDst:Original TSrv:Original
  6. OSrc:5.5.5.5 ODst:2.2.2.1 OSrv:7890 TSrc:Original TDst:10.5.5.1 TSrv:Original
  7. OSrc:10.5.5.1 ODst:5.5.5.5 OSrv:Any TSrc:2.2.2.1 TDst:Original TSrv:Original

With lines 3 and 4, since the return traffic will be the same, there is only line 5 that is needed, but this is because I am assuming that the use of Any for the original port for the return traffic is correct.

Does this look correct, or is there a better way to do this without manual NAT?

Thanks,

Leon

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2019-07-26 10:41 AM
In response to Leon_Jaimes1
Jump to solution

If it could be initiated from either side, then you need NAT rules for both directions.
Otherwise, you only need NAT rules in one direction, which will handle reply traffic.

View solution in original post

3 Replies
PhoneBoy
Admin
Admin
‎2019-07-25 05:21 PM
Jump to solution

Because port factors in, manual rules are what you have to use.
Curious why you're using two rules for these different use cases.
Is it because the traffic could be initiated from either end?
0 Kudos
Leon_Jaimes1
Participant
‎2019-07-25 08:32 PM
In response to PhoneBoy
Jump to solution

On the two rules, I might be misunderstanding the Manual NAT.  I thought it needed the rule to match the reverse traffic.  Or is that incorrect and the return traffic matches the rule that was used by the initiating traffic?

[edit] - The traffic may need to be initiated from either side as well, I will double check on that.

0 Kudos
PhoneBoy
Admin
Admin
‎2019-07-26 10:41 AM
In response to Leon_Jaimes1
Jump to solution

If it could be initiated from either side, then you need NAT rules for both directions.
Otherwise, you only need NAT rules in one direction, which will handle reply traffic.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events