This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Rob_Wood
Explorer
3 weeks ago

Routing vs NAT help - please be gentle

We have a Checkpoint R81.20 Gaia Security Gateway that is also our firewall and router. The Management server for the Security Gateway is a Cloud-1 controller. The firewall is running Gaia OS on a VM on ESXi 8.

I have the network divided into VLANs and then they all access each other through the R81.20 firewall. Each VLAN has a network interface on the gateway with a unique subnet. Everything is currently NATed between each network. I would like to find a way to route between the networks instead of NATing between the networks. For example if I look at SSH logs for connections between a client and a server, all of the client IPs show as coming from the gateway IP and not the IP Address of the client in the other VLAN.

I understand that this is probably a bit of a basic question and that if I don't understand routing vs NAT completely, I should find a consultant, which I may do. However, please let me know if what I describe next is totally wrong or if I am headed down the correct path.

Can Gaia act as our firewall for clients in the VLANs to access the internet AND allow me to route between the VLANs without having to use NAT?

Any help is most apprecaiated.

_Rob

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
3 weeks ago

Yes, this is possible, it's just a matter of configuring NAT correctly.
You will need to define some manual NO NAT rules (where original source/destination are specified and translated source/destination are "Original").

0 Kudos
(1)
Rob_Wood
Explorer
3 weeks ago
In response to PhoneBoy

Wow, the man, the myth, and the legend himself! Thank you @PhoneBoy !

I will search for those settings and test some things out with some unpopulated VLANs.

0 Kudos
PhoneBoy
Admin
Admin
3 weeks ago
In response to Rob_Wood

An example of some NO NAT rules actually appears in the Demo Mode policy (though I added an object to it).
You add them above the auto-generated rules, as shown here.

image.png

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events