Uturn Nat Firewall Checkpoint
Hello, good evening. First of all, thank you for your time, good vibes and your collaboration.
- How can I configure a DNAT U-turn NAT on Checkpoint firewalls?
That is to say, in a scheme like the following:
Checkpoint interfaces: Internet 200.200.200.200.10/28 - DMZ 172.10.10.0/25 - LAN users: 10.10.10.0/24.
- The DNAT from the public IP to the DMZ is all OK from the Internet.
Now, how can I configure a U-turn NAT? That is to say, from the LAN users, a user with IP 10.10.10.100 connects to 200.200.200.10 and DNAT is applied to the IP of the DMZ host, 172.10.10.100.
Thanks in advance for your comments, tips, etc.
Regards
Since the traffic has to traverse the gateway to get to the Internet, and any traffic from the DMZ also traverses the gateway, this really isn't U-turn NAT.
In any case, you configure manual NAT rules with the explicit source (LAN), destination, and translated source IP (specifically a DMZ address) as a HIDE address.
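To make the rule described in this reply concrete, here is an added example that is not part of the thread and not Check Point code: a small Python model of an ordered manual NAT rulebase with the two rules involved (the existing Internet-to-DMZ static DNAT and the new LAN-to-public hairpin rule with a hide source), plus the connection table the gateway needs to undo the translation on the reply. The gateway's DMZ-side address 172.10.10.1 used as the hide address, the service port 443, and first-match rule ordering are assumptions for illustration; the addresses otherwise come from the question.

```python
"""Model of manual NAT rules for the LAN -> public IP -> DMZ (hairpin) case.
Added example, not from the CheckMates thread. The gateway DMZ-side address
(172.10.10.1), port 443 and first-match ordering are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN_NET = ipaddress.ip_network("10.10.10.0/24")
DMZ_NET = ipaddress.ip_network("172.10.10.0/25")
ANY = ipaddress.ip_network("0.0.0.0/0")
PUBLIC_IP = ipaddress.ip_address("200.200.200.10")   # public IP from the question
DMZ_SERVER = ipaddress.ip_address("172.10.10.100")   # DMZ host from the question
GW_DMZ_IP = ipaddress.ip_address("172.10.10.1")      # assumed gateway DMZ address (hide address)


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def host(ip):
    """Single-host network object for use as an original source/destination."""
    return ipaddress.ip_network(f"{ip}/32")


@dataclass(frozen=True)
class NatRule:
    name: str
    orig_src: ipaddress.IPv4Network
    orig_dst: ipaddress.IPv4Network
    orig_dport: Optional[int]                    # None = any service
    xlate_src: Optional[ipaddress.IPv4Address]   # None = keep original source
    xlate_dst: Optional[ipaddress.IPv4Address]   # None = keep original destination
    method: str                                  # "static" or "hide" (source side)

    def matches(self, p: Packet) -> bool:
        return (p.src in self.orig_src and p.dst in self.orig_dst
                and (self.orig_dport is None or p.dport == self.orig_dport))


# Ordered rulebase: the hairpin rule must sit above the generic Internet rule,
# otherwise the broader rule (any source) matches LAN traffic first.
RULEBASE = [
    NatRule("hairpin LAN->public (manual, on top)", LAN_NET, host(PUBLIC_IP), 443,
            xlate_src=GW_DMZ_IP, xlate_dst=DMZ_SERVER, method="hide"),
    NatRule("internet->DMZ (static DNAT)", ANY, host(PUBLIC_IP), None,
            xlate_src=None, xlate_dst=DMZ_SERVER, method="static"),
]


def translate(p: Packet, rulebase, conns: dict):
    """Apply the first matching rule; record the translated tuple so the
    reply can be mapped back. Returns (translated packet, rule name)."""
    for r in rulebase:
        if r.matches(p):
            out = Packet(r.xlate_src if r.xlate_src is not None else p.src, p.sport,
                         r.xlate_dst if r.xlate_dst is not None else p.dst, p.dport)
            conns[(out.src, out.sport, out.dst, out.dport)] = p
            return out, r.name
    return p, None


def untranslate_reply(reply: Packet, conns: dict):
    """Reverse the translation for a reply from the translated side."""
    orig = conns.get((reply.dst, reply.dport, reply.src, reply.sport))
    if orig is None:
        return reply, False
    return Packet(orig.dst, orig.dport, orig.src, orig.sport), True


def round_trip(client_ip: str, sport: int, rulebase=RULEBASE):
    """Send one SYN from client_ip to PUBLIC_IP:443 through the rulebase and
    feed the DMZ server's reply back. Returns (forward, rule, reply_back, ok)."""
    conns = {}
    client = Packet(ipaddress.ip_address(client_ip), sport, PUBLIC_IP, 443)
    fwd, rule = translate(client, rulebase, conns)
    reply = Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport)  # server answers whoever it saw
    back, ok = untranslate_reply(reply, conns)
    return fwd, rule, back, ok


if __name__ == "__main__":
    fwd, rule, back, ok = round_trip("10.10.10.100", 40000)
    print(f"[{rule}] {fwd.src}:{fwd.sport} -> {fwd.dst}:{fwd.dport}")
    print(f"reply seen by client: {back.src}:{back.sport} -> {back.dst}:{back.dport} (ok={ok})")
```

With the hairpin rule on top, the DMZ server sees the connection from the gateway's DMZ address and its reply is mapped back so the LAN client sees it coming from the public IP it connected to. Dropping the hairpin rule shows the ordering point: the generic rule still rewrites the destination but leaves the LAN source untouched.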
Hello, thanks a lot for your comments.
Cisco firewalls, Palo Alto and others call this type of communication, this type of NAT, U-turn; others call it Hairpin.
In fact, you can look it up in sk110019, where Checkpoint details its configuration and names it Hairpin NAT / NAT Reflection.
Cheers
Learned something new today... the only U-turn I ever knew was with a car, lol. Anyway, reading about it online, I see the point @PhoneBoy made; it makes sense.
Hello @CheckGatzMet,
So, per my understanding, you're trying to do the following:
- when you try to reach 200.200.200.200.10 from the LAN-side client 10.10.10.100, you show as coming from DMZ 172.10.10.100.
That I have to try, but I think it's doable; the only problem I would see is that you might get some spoofing alerts/errors.
You can do the NAT rule on a specific port and see how it goes, and that NAT rule needs to be at the TOP of all the others, or almost on top of them, depending on how you have the NAT layered...
Thank you,
PS: we have similar NAT rules, not 100% like your scenario, and they work well.
