Hey team,
Figured would share something that maybe some of you already know, but I'm sure lots of people might not, if you were to ever encounter this situation.
So say, you have subnet (just making this up, but you will get an idea), 10.10.0.0/16 and you hide NAT it to specific IP and works fine, great. BUT, then let's say you have a need to NAT larger prefix of that subnet (say 10.10.10.0/24) to a different IP and you create another network object, install policy, it will NOT work.
Customer even had TAC case about it, but no luck. They reached out and I remembered right away back from the old days of CP that another client actually showed me something like this can work with address range, so all you do is below and it works 100%, even in R82 :-)
Anyway, wanted to share this in case anyone encounters it.
Best.
Andy
Hey @AkosBakos
Hope that tip is somewhat useful :-)
Man, I was thinking since you told me before you are in Hungary, last time I was there, stayed in Corinthia Budapest, what a crazy cool place. Btw, not sure if you ever played chess or know how pieces move, but I figured would share "sick" move, probably one of the greatest in chess history by one of your country fellas, Peter Leko, such a brilliant mind.
This was played against Vladimir Kramnik for FIDE chess championship in 2004 in Switzerland.
Invisible to Engines | One Of The Greatest Moves Ever Played
Cheers,
Andy
Hi @the_rock
/off
Yes, Peter Leko is one of the famous players, but don't forget Judit Polgár.
/on
Honestly, I avoid using this kind of NAT (but to NAT an address range, is worth a Gold Medal).
This NATting method is the basis of a lot of noNAT rules 🙂
A
Judit Polgar man, she is one of the sweetest ladies out there, such a pleasant lady. I met her one year in Indonesia where she was giving a speech about life/chess, she is so smart and brilliant.
Anywho, as far as NAT, I figured would share the tip, as maybe some people don't know, so it's an easy fix if they ever encounter that sort of situation 🙂
Andy
Sounds like a conflict in the Automatic NAT rules.
I guess Address Ranges apply before Network objects in that calculation.
Exactly. If you look at the built-in section titles in the NAT policy, automatic rules for address ranges (which are usually more specific) are consulted prior to those for network objects (which are generally less specific) for both Static and Hide NATs that are automatic.
Hm, that's news to me, good to know... never knew that.
Andy
Hey @PhoneBoy
Since I'm probably 2% smarts of you and master @Timothy_Hall, run that by me again, please? 🙂
So if I get this right and I could be mistaken, are you suggesting say if someone made NAT on the object for larger prefix (smaller subnet), that should be placed ABOVE all the automatic rules? If so, would that make ORIGINAL NAT for larger subnet not work?
Andy
It actually shows you the order the Automatic NAT rules are applied in the NAT Policy itself (at least in R81.20).
I see what you mean. Man, in so many years, I NEVER even paid attention to it. Well, learned something new now, thanks to you 🙂
Cheers,
Andy