NAT tip
Hey team,
Figured I would share something that maybe some of you already know, but I'm sure lots of people might not, in case you were to ever encounter this situation.
So say you have a subnet (just making this up, but you will get the idea), 10.10.0.0/16, and you hide NAT it to a specific IP and it works fine, great. BUT then let's say you have a need to NAT a larger prefix of that subnet (say 10.10.10.0/24) to a different IP, and you create another network object and install policy: it will NOT work.
The customer even had a TAC case about it, but no luck. They reached out and I remembered right away, back from the old days of CP, that another client actually showed me something like this can work with an address range, so all you do is below and it works 100%, even in R82 :-)
Anyway, wanted to share this in case anyone encounters it.
Best.
Andy
Hey @AkosBakos
Hope that tip is somewhat useful :-)
Man, I was thinking, since you told me before you are in Hungary: last time I was there, I stayed in Corinthia Budapest, what a crazy cool place. Btw, not sure if you ever played chess or know how pieces move, but I figured I would share a "sick" move, probably one of the greatest in chess history, by one of your country fellas, Peter Leko, such a brilliant mind.
This was played against Vladimir Kramnik for the FIDE chess championship in 2004 in Switzerland.
Invisible to Engines | One Of The Greatest Moves Ever Played
Cheers,
Andy
Hi @the_rock
/off
Yes, Peter Leko is one of the famous players, but don't forget Judit Polgár.
/on
Honestly, I avoid using this kind of NAT (but to NAT an address range is worth a Gold Medal).
This NATting method is the basis of a lot of noNAT rules 🙂
A
\m/_(>_<)_\m/
Judit Polgar man, she is one of the sweetest ladies out there, such a pleasant lady. I met her one year in Indonesia where she was giving a speech about life/chess, she is so smart and brilliant.
Anywho, as far as NAT, I figured I would share the tip, as maybe some people don't know, so it's an easy fix if they ever encounter that sort of situation 🙂
Andy
Sounds like a conflict in the Automatic NAT rules.
I guess Address Ranges apply before Network objects in that calculation.
Exactly. If you look at the built-in section titles in the NAT policy, automatic rules for address ranges (which are usually more specific) are consulted prior to those for network objects (which are generally less specific) for both Static and Hide NATs that are automatic.
now available at maxpowerfirewalls.com
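An added example, not from any poster in this thread and not Check Point code: a Python check that flags the situation from the first post (a network object nested inside a larger network object with a different hide IP) and models the ordering described above, where address-range rules are consulted before network rules. Object names and hide IPs are constructed, and the model covers only what the thread states.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NatObject:
    name: str      # constructed object name
    kind: str      # "range" or "network"
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address
    hide_ip: str

def network(name, cidr, hide_ip):
    net = ipaddress.ip_network(cidr)
    return NatObject(name, "network", net[0], net[-1], hide_ip)

def address_range(name, first, last, hide_ip):
    return NatObject(name, "range", ipaddress.ip_address(first),
                     ipaddress.ip_address(last), hide_ip)

def find_conflicts(objects):
    """(inner, outer) names: a network object nested in a larger network
    object that hides behind a different IP (the case from the first post)."""
    nets = [o for o in objects if o.kind == "network"]
    return [(i.name, o.name) for i in nets for o in nets
            if (i.first, i.last) != (o.first, o.last)
            and o.first <= i.first and i.last <= o.last
            and i.hide_ip != o.hide_ip]

def effective_hide_ip(objects, src):
    """Address-range rules are consulted before network rules (per the thread).
    Returns None when nothing matches, or when objects of the same kind
    disagree, because the thread does not say how those are ordered."""
    ip = ipaddress.ip_address(src)
    for kind in ("range", "network"):
        hits = {o.hide_ip for o in objects
                if o.kind == kind and o.first <= ip <= o.last}
        if hits:
            return hits.pop() if len(hits) == 1 else None
    return None

# Constructed sample objects; hide IPs are documentation addresses.
BEFORE = [network("net_10.10", "10.10.0.0/16", "203.0.113.10"),
          network("net_10.10.10", "10.10.10.0/24", "203.0.113.20")]
AFTER = [BEFORE[0], address_range("range_10.10.10", "10.10.10.0",
                                  "10.10.10.255", "203.0.113.20")]

if __name__ == "__main__":
    print(find_conflicts(BEFORE), effective_hide_ip(BEFORE, "10.10.10.5"))
    print(find_conflicts(AFTER), effective_hide_ip(AFTER, "10.10.10.5"))
```
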
Hm, that's news to me, good to know... never knew that.
Andy
Hey @PhoneBoy
Since I'm probably 2% of the smarts of you and master @Timothy_Hall, run that by me again, please? 🙂
So if I get this right, and I could be mistaken, are you suggesting that, say, if someone made NAT on the object for the larger prefix (smaller subnet), that should be placed ABOVE all the automatic rules? If so, would that make the ORIGINAL NAT for the larger subnet not work?
Andy
It actually shows you the order the Automatic NAT rules are applied in the NAT Policy itself (at least in R81.20).
I see what you mean. Man, in so many years, I NEVER even paid attention to it. Well, learned something new now, thanks to you 🙂
Cheers,
Andy