CheckGatzMet
Contributor

Uturn Nat Firewall Checkpoint

Hello good evening, first of all, thank you for your time, good vibes and your collaboration.

-How can I configure a DNAT U-turn NAT on Checkpoint firewalls?

That is to say that in a scheme like the following:

Checkpoint Interfaces: Internet 200.200.200.10/28 - DMZ 172.10.10.0/25 - LAN Users: 10.10.10.0/24.

-The DNAT is all OK from the public IP to the DMZ, from the Internet.

Now, how can I configure a U-turn NAT, that is to say that from the LAN Users, a user with IP 10.10.10.100 connects to 200.200.200.10 and DNAT is applied to the IP of the DMZ host 172.10.10.100?

Thanks in advance for your comments, tips, etc.

Regards

PhoneBoy
Admin

Since the traffic has to traverse the gateway to get to the Internet and any traffic from the DMZ also traverses the gateway, this really isn't U-turn NAT.
In any case, you configure manual NAT rules with the explicit source LAN, destination, and translated source IP (specifically DMZ) as a HIDE address.

CheckGatzMet
Contributor

Hello, thanks a lot for your comments

Cisco firewalls, Palo Alto, and others name this type of communication, this type of NAT, U-turn; others call it Hairpin.

In fact you can look it up in "sk110019", where Checkpoint details its configuration; it names it Hairpin NAT / NAT Reflection.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Cheers

the_rock
Legend

Learned something new today... the only U-turn I ever knew was with a car, lol. Anyway, reading about it online, I see the point @PhoneBoy made; it makes sense.

Sorin_Gogean
Advisor

Hello @CheckGatzMet ,

So per my understanding, you're trying to do the following:

 - when you try to reach 200.200.200.10 from LAN-side clients (10.10.10.100), you show up as coming from DMZ 172.10.10.100.

That I would have to try, but I think it's doable; the only problem I would see is that you might get some spoofing alerts/errors.

You can do the NAT rule on a specific port and see how it goes; that NAT rule needs to be on TOP of all the others, or almost on top of them, depending on how you have the NAT layered...

Thank you,

PS: we have similar NAT rules, not 100% like your scenario, and they work well.
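To make the two points in the replies above concrete (PhoneBoy's manual rule with the LAN as original source, the published address as original destination and a DMZ hide address as translated source; Sorin's note that the rule must sit at the top of the NAT rulebase), here is a small added example that models a top-down, first-match NAT rulebase in Python. It is not Check Point code and does not talk to a gateway; it only shows which rule a LAN-to-published-IP connection hits, how the reply is reversed from the connection table, and how the hairpin rule gets shadowed when it is placed below the inbound DNAT rule. The gateway's DMZ interface address 172.10.10.1 used as the hide address is an assumption, since the thread does not give it; all packets are constructed inline.

```python
"""Toy model of a Check Point-style manual NAT rulebase for the hairpin case
in the thread: LAN client 10.10.10.100 connects to the published address
200.200.200.10 and should reach DMZ host 172.10.10.100.

Added example, not Check Point code. Matching is modelled as top-down,
first match wins. GW_DMZ_IP is an assumed value not stated in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "0.0.0.0/0"
GW_DMZ_IP = "172.10.10.1"  # assumed gateway DMZ interface address (hide address)


@dataclass(frozen=True)
class NatRule:
    name: str
    orig_src: str                     # network matched against packet source
    orig_dst: str                     # network matched against packet destination
    xlate_src: Optional[str] = None   # None keeps the original source
    xlate_dst: Optional[str] = None   # None keeps the original destination

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.orig_src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.orig_dst))

    def covers(self, other: "NatRule") -> bool:
        """True when every packet that matches `other` also matches this rule."""
        return (ipaddress.ip_network(other.orig_src).subnet_of(ipaddress.ip_network(self.orig_src))
                and ipaddress.ip_network(other.orig_dst).subnet_of(ipaddress.ip_network(self.orig_dst)))


@dataclass(frozen=True)
class Connection:
    rule: str
    orig_src: str
    orig_dst: str
    new_src: str
    new_dst: str


def apply_nat(rulebase: List[NatRule], src: str, dst: str) -> Connection:
    """Translate the first packet of a connection with the first matching rule."""
    for rule in rulebase:
        if rule.matches(src, dst):
            return Connection(rule.name, src, dst,
                              rule.xlate_src or src, rule.xlate_dst or dst)
    return Connection("no-nat", src, dst, src, dst)


def untranslate_reply(conn: Connection, src: str, dst: str) -> Optional[Tuple[str, str]]:
    """Reverse the translation for a reply packet, as a stateful gateway does
    from its connection table. Returns (src, dst) as the client sees them, or
    None when the packet is not addressed to the translated source."""
    if (src, dst) != (conn.new_dst, conn.new_src):
        return None
    return conn.orig_dst, conn.orig_src


def shadowed_rules(rulebase: List[NatRule]) -> List[str]:
    """Names of rules that can never match because an earlier rule covers them."""
    return [later.name
            for i, later in enumerate(rulebase)
            if any(earlier.covers(later) for earlier in rulebase[:i])]


# The three rules discussed in the thread (sample data, constructed here).
HAIRPIN = NatRule("hairpin LAN -> published IP", "10.10.10.0/24", "200.200.200.10/32",
                  xlate_src=GW_DMZ_IP, xlate_dst="172.10.10.100")
INBOUND = NatRule("inbound DNAT from Internet", ANY, "200.200.200.10/32",
                  xlate_dst="172.10.10.100")
LAN_HIDE = NatRule("LAN hide behind public IP", "10.10.10.0/24", ANY,
                   xlate_src="200.200.200.10")

RULEBASE_OK = [HAIRPIN, INBOUND, LAN_HIDE]        # hairpin rule on top
RULEBASE_SHADOWED = [INBOUND, HAIRPIN, LAN_HIDE]  # inbound rule (any source) wins first


if __name__ == "__main__":
    conn = apply_nat(RULEBASE_OK, "10.10.10.100", "200.200.200.10")
    print(f"{conn.rule}: {conn.orig_src}->{conn.orig_dst} becomes {conn.new_src}->{conn.new_dst}")
    print("reply as the client sees it:", untranslate_reply(conn, "172.10.10.100", GW_DMZ_IP))
    bad = apply_nat(RULEBASE_SHADOWED, "10.10.10.100", "200.200.200.10")
    print(f"wrong order hits '{bad.rule}', source left as {bad.new_src}")
    print("shadowed rules in wrong order:", shadowed_rules(RULEBASE_SHADOWED))
```

With the hairpin rule on top, the LAN client's packet leaves the gateway as 172.10.10.1 -> 172.10.10.100, the DMZ host answers the gateway's DMZ address, and the connection table turns that reply back into 200.200.200.10 -> 10.10.10.100. With the inbound DNAT rule above it, the inbound rule matches any source, so the destination is still translated but the source is left as 10.10.10.100 and the hairpin rule never fires; `shadowed_rules` is the check to run on a rulebase before installing it.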
