This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
yeruel
Contributor
‎2024-12-31 11:01 PM
Jump to solution

Validate the Manual NAT and access control policy rules

Hello Checkmates,

I want your expert experience to validate the below Manual NAT and access control policy format. 

I want internet users can access our internal server with the public IP_A, Is the below format valid? I am using the same public IP for others servers with different services ports, that's why i am using Manual NAT.

Manual NAT and Access control policy rule matching 
1NAT rule   
name    Original sourceoriginal DestinationTranslated destination 
AAAirport any Public IP_APrivate IP_A 
2Access control policy   
Name SourceDestination  
Access_AAAirportAnyPublic IP_A  
0 Kudos
1 Solution

Accepted Solutions
Lesley
MVP Gold
MVP Gold
‎2025-01-01 04:19 AM
In response to yeruel
Jump to solution

As long as you see the traffic in the logs (allowed or blocked) you know config is correct on arp level. 

1. for access rules, destination will be public IP_A? - correct 

-------
Please press "Accept as Solution" if my post solved it 🙂

View solution in original post

(1)
8 Replies
AkosBakos
MVP Silver
MVP Silver
‎2025-01-01 12:55 AM
Jump to solution

Hi,

If I were you I would differentiate the NAT rules per service port. This allow you to handle the rules furthermore separately.

I usually follow this attitude.

But should work what you asked.

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
yeruel
Contributor
‎2025-01-01 02:07 AM
In response to AkosBakos
Jump to solution

Hi @AkosBakos 

I understand, I did different rule1 , rule2 , rule 3 to map the same public IP with private ip differently according to the services port. the above one is just for rule1, I did the same for others rules. So the above NAT rule and access rules format is valid. Right?

0 Kudos
AkosBakos
MVP Silver
MVP Silver
‎2025-01-01 02:31 AM
In response to yeruel
Jump to solution

Hi @yeruel 

I suggest you one-to-one correspondence. One NAT rule belogs to one Access rule. This is the best way.

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
Lesley
MVP Gold
MVP Gold
‎2025-01-01 02:06 AM
Jump to solution

Would indeed also recommend to make the rule more specific with a port like for example tcp443

Also make sure if needed proxy arp is in place for the public IP. Firewall needs to know the public IP belongs to him.

Unless the public IP is in the topology itself of the firewall (configured direct on a interface)

Best way to test if arp works correct is to see traffic logs, if you see traffic towards the public IP you know arp works. 

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
AkosBakos
MVP Silver
MVP Silver
‎2025-01-01 02:11 AM
In response to Lesley
Jump to solution

Hi @Lesley 

I seems, only one Public_IP relevant here, so proxy ARP is not relevant (yet)

Yes, access rules are recommended to separate too.

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
yeruel
Contributor
‎2025-01-01 02:35 AM
In response to AkosBakos
Jump to solution

Hi @Lesley @AkosBakos 

1. for access rules, destination will be public IP_A?

2. If we have more than one public IP for example

213.66.95.13---External gateway interface
213.66.95.10---will be used for Hide NAT IP address
213.66.95.11, 12 will be used to publish servers for accessing from internet.

213.66.95.10,11,12 are added in the ARP gaia portal.

ARP 213.66.95.10, 213.66.95.11, and also 213.66.95.12 in the arp with real ip address 213.66.95.13 and outside interface.

Any advice please?

0 Kudos
AkosBakos
MVP Silver
MVP Silver
‎2025-01-01 04:00 AM
In response to yeruel
Jump to solution

Hi @yeruel 

"213.66.95.10,11,12 are added in the ARP gaia portal" -> don't forget to add to all members this enties (both cluster members)

The guide is here: https://support.checkpoint.com/results/sk/sk30197

---I deleted my sentence, my wording was misleadning---

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
Lesley
MVP Gold
MVP Gold
‎2025-01-01 04:19 AM
In response to yeruel
Jump to solution

As long as you see the traffic in the logs (allowed or blocked) you know config is correct on arp level. 

1. for access rules, destination will be public IP_A? - correct 

-------
Please press "Accept as Solution" if my post solved it 🙂
(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events