This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
LucianLS
Participant
‎2022-03-04 02:28 AM

Static NAT for an entire network object - why does this work?

Hi!

I don't understand why/how the following scenario works.

SMS is R81.10, Gateway is R80.40

I can set a Static NAT IP for a network object and can successfully install policy.

eg. setting STATIC NAT IP 10.0.113.2 on the network A-INT_NET (192.168.11.0/24)

static nat applied.jpeg

 

 

 

 

 

 

 

 

 

 

 

In NAT rulebase  - rule no 10 appears

nat rulebase.jpg

 

 

Traffic to outside works for 2 hosts on that network. (I also have a second hide NAT that's made in pfsense above the lab environment)

Even weirder is that CKP logs shows succesful Source NAT, but not with .2 as in the rule, but with .204 which I don't even know where it appeared from. The Gateway's IP is 10.0.113.1

The virtual router above CKP lab doesn't have DHCP server active so that .204 IP couldn't have come from that.

log.jpeg

 

0 Kudos
5 Replies
Timothy_Hall
MVP Gold
MVP Gold
‎2022-03-04 09:50 AM

Setting a static NAT on a network object does work, but almost certainly not the way expected.  What you have done is NATed the entire 192.168.11.0/24 network to the entire 10.0.113.0/24 network.  So traffic coming from 192.168.11.111 will be NATted to 10.0.113.111, 192.168.11.17 will be NATted to 10.0.113.17, etc.  I think Cisco used to call this "LAN-to-LAN NATting", and this type of NAT operation just swaps out the network portion of the IP address (first three octets with a /24) and leaves the host portion (last octet) intact.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
the_rock
MVP Platinum
MVP Platinum
‎2022-03-04 10:17 AM
In response to Timothy_Hall

I believe the IPs in translated subnet are chosen randomly, so say if source is x.x.x.222, then dst might be y.y.y.252.

Best,
Andy
Ruan_Kotze
MVP Gold
MVP Gold
‎2022-03-04 11:30 AM
In response to the_rock

Interestingly, if you specify a range instead of a network, then it gets translated like for like.

the_rock
MVP Platinum
MVP Platinum
‎2022-03-04 11:43 AM
In response to Ruan_Kotze

Thats right, exactly how it works on Cisco.

Best,
Andy
0 Kudos
dagnabber
Explorer
‎2022-04-22 04:25 PM
In response to Timothy_Hall

I have been using static network to network NAT with VPNs for years, it works exactly as expected. For example: orig_src:10.23.0.0/16 xlate_src:192.168.0.0/16 will NAT the 3rd and 4th octet one to one. Where is this documented within Check Point's admin guides? Is there an sk?

Thanks.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events