Re: PBR and nat

dede79 · ‎2024-03-01

Hello,

I try to find an alternative for isp redundancy with pbr.

sk167135 nearly describes that but for some reason here the internal network has a public-ip network and so there is no need to talk about hide-nat. I tested pbr so far but selecting hide-behind-gateway always uses the interface ip with the default route is used.

Thanks

Lesley · ‎2024-03-01

Use instead of hide behind gateway option the VIP ip of the outgoing interfaces.

I think you now use automatic NAT, try to make static NAT rule and force it to use correct external IP

-------
Please press "Accept as Solution" if my post solved it 🙂

AmirArama · ‎2024-03-03

Hi

what exactly are you trying to accomplish? going out from specific ISP, without NAT?

so just don't enable NAT on this network object.

if I didn't understand, please elaborate a bit more.

Thanks

Chris_Atkinson · ‎2024-03-03

Did you try configuring your NAT manually?

Dummy object for the NAT with 0.0.0.0 or using Zones may help, but PBR and NAT has some limitations.

Maybe also explore Quantum SD-WAN with your local SE to see if it can help you?

CCSM R77/R80/ELITE

dede79 · ‎2024-03-03

How can I use manuel nat behind Interface upon failover? Alternative for ISP redundancy would require a NAT konfig that works no matter pbr route is active (--> ISP1) or it is down --> (ISP2) - (track pbr routes with monitored IPs)

Chris_Atkinson · ‎2024-03-03

As above historically you could use a host object 0.0.0.0 and it would pick the IP of the outbound interface.

Theoretically you could also assign a different zone to each interface and hence different NAT rules could be specified if needed.

CCSM R77/R80/ELITE

Lesley · ‎2024-03-04

You cannot mix PBR and ISP redundancy:

https://support.checkpoint.com/results/sk/sk167135

-------
Please press "Accept as Solution" if my post solved it 🙂

Are you a member of CheckMates?

PBR and nat