Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
LucianLS
Participant

Static NAT for an entire network object - why does this work?

Hi!

I don't understand why/how the following scenario works.

SMS is R81.10, Gateway is R80.40

I can set a Static NAT IP for a network object and can successfully install policy.

eg. setting STATIC NAT IP 10.0.113.2 on the network A-INT_NET (192.168.11.0/24)

static nat applied.jpeg

 

 

 

 

 

 

 

 

 

 

 

In NAT rulebase  - rule no 10 appears

nat rulebase.jpg

 

 

Traffic to outside works for 2 hosts on that network. (I also have a second hide NAT that's made in pfsense above the lab environment)

Even weirder is that CKP logs shows succesful Source NAT, but not with .2 as in the rule, but with .204 which I don't even know where it appeared from. The Gateway's IP is 10.0.113.1

The virtual router above CKP lab doesn't have DHCP server active so that .204 IP couldn't have come from that.

log.jpeg

 

0 Kudos
5 Replies
Timothy_Hall
Champion
Champion

Setting a static NAT on a network object does work, but almost certainly not the way expected.  What you have done is NATed the entire 192.168.11.0/24 network to the entire 10.0.113.0/24 network.  So traffic coming from 192.168.11.111 will be NATted to 10.0.113.111, 192.168.11.17 will be NATted to 10.0.113.17, etc.  I think Cisco used to call this "LAN-to-LAN NATting", and this type of NAT operation just swaps out the network portion of the IP address (first three octets with a /24) and leaves the host portion (last octet) intact.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
the_rock
Legend
Legend

I believe the IPs in translated subnet are chosen randomly, so say if source is x.x.x.222, then dst might be y.y.y.252.

Ruan_Kotze
Advisor

Interestingly, if you specify a range instead of a network, then it gets translated like for like.

the_rock
Legend
Legend

Thats right, exactly how it works on Cisco.

0 Kudos
dagnabber
Explorer

I have been using static network to network NAT with VPNs for years, it works exactly as expected. For example: orig_src:10.23.0.0/16 xlate_src:192.168.0.0/16 will NAT the 3rd and 4th octet one to one. Where is this documented within Check Point's admin guides? Is there an sk?

Thanks.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events