This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
cp_lfr
Explorer
‎2024-12-27 03:33 PM

VSX - NAT Configuration

Good morning, 

nice to meet you.

It's my first time I configured VSX, and with humility, I I say I'm having problems configuring the NAT rules.

AS you can see we deployed two VSs (one Internal and one External).

We would like to simplify as much as possible the NAT rules.

 

For example, we tried to NAT management network (Static NAT rule) behind Public IP, but it does not work.

Any suggestions about and how to configure NAT rules and where (which VS) in the easiest way to see less logs in the SmartDashboard are really appreciated (maybe with some examples).

Is there something wrong? I am really grateful to you.

Thanks, best regards.

 

Labels
0 Kudos
10 Replies
AlekzNet
Contributor
‎2024-12-27 03:52 PM

Just a quick suggestion:

> we tried to NAT management network (Static NAT rule) behind Public IP, but it does not work.

This is your idea:

- Real SRC:  mgmt network
- Real DST: Any
- Translated Source:  the external IP of the firewall (so you configure a dynamic PAT, or "hidden", not "static")
- Translated DST: = (he same as the real DST)

You can use the "hide the traffic behind the external IP", but personally, I prefer an explicit manual NAT rule.

 

0 Kudos
cp_lfr
Explorer
‎2024-12-28 05:36 AM
In response to AlekzNet

Hello, I posted all screenshots, but I am lost on this configuration 😅, any suggestion about configuration?

0 Kudos
the_rock
Legend
Legend
‎2024-12-27 04:12 PM

Do you have screenshot of how rules are configured?

0 Kudos
AlekzNet
Contributor
‎2024-12-27 04:34 PM
In response to the_rock

It was attached, and now it's deleted. The NAT rule on the screenshot was a static one from, for example, Net1 to Net1. Hence my note about PAT to the external iface.

0 Kudos
cp_lfr
Explorer
‎2024-12-28 05:32 AM
In response to the_rock

Hello, so, I posted all screenshots!

0 Kudos
Jarvis_Lin
Collaborator
‎2024-12-27 09:33 PM

When using manual NAT, ensure that Proxy ARP is properly configured and that the "Merge manual proxy ARP configuration" option is selected in the Global Properties under NAT settings.

0 Kudos
cp_lfr
Explorer
‎2024-12-28 05:33 AM
In response to Jarvis_Lin

Hello, as you can see I posted screenshots.

In case, which IP address do I need to use as a proxy ARP?

0 Kudos
AlekzNet
Contributor
‎2024-12-28 03:43 PM
In response to cp_lfr

For outgoing PAT (to the external IP of the firewall/cluster) you do not need proxy ARP.

0 Kudos
cp_lfr
Explorer
‎2024-12-28 05:31 AM

 
6.png
Preview file
27 KB
7.png
Preview file
27 KB
8.png
Preview file
26 KB
5.png
Preview file
32 KB
10.png
Preview file
68 KB
1.png
Preview file
160 KB
9.png
Preview file
184 KB
2.png
Preview file
333 KB
3.png
Preview file
511 KB
4.png
Preview file
706 KB
0 Kudos
cp_lfr
Explorer
‎2024-12-30 01:52 PM

Hi everyone,

so, at the end, today I simply created an automatic NAT rule (Oject and then Nite, Hide Behing the Gateway).

There is NAT on External VSX (enabled NAT, Hide behind the Gateway).

I think at the moment is the best solution!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top