yeruel
Participant

Validate the Manual NAT and access control policy rules

Hello Checkmates,

I want your expert experience to validate the below Manual NAT and access control policy format. 

I want internet users to be able to access our internal server via the public IP_A. Is the below format valid? I am using the same public IP for other servers with different service ports, that's why I am using Manual NAT.

Manual NAT and Access control policy rule matching

1. NAT rule

   Name        Original source   Original destination   Translated destination
   AAAirport   any               Public IP_A            Private IP_A

2. Access control policy

   Name               Source   Destination
   Access_AAAirport   Any      Public IP_A
8 Replies
AkosBakos
Leader

Hi,

If I were you I would differentiate the NAT rules per service port. This allows you to handle the rules separately later on.

I usually follow this attitude.

But what you asked should work.

Akos

----------------
\m/_(>_<)_\m/
yeruel
Participant

Hi @AkosBakos 

I understand. I did different rules (rule 1, rule 2, rule 3) to map the same public IP to private IPs differently according to the service port. The above one is just for rule 1; I did the same for the other rules. So the above NAT rule and access rule format is valid, right?

AkosBakos
Leader

Hi @yeruel 

I suggest a one-to-one correspondence. One NAT rule belongs to one Access rule. This is the best way.

Akos

----------------
\m/_(>_<)_\m/
Lesley
Mentor

I would indeed also recommend making the rule more specific with a port, for example tcp443.

Also make sure, if needed, that proxy ARP is in place for the public IP. The firewall needs to know that the public IP belongs to it.

Unless the public IP is in the topology of the firewall itself (configured directly on an interface).

The best way to test if ARP works correctly is to check the traffic logs; if you see traffic towards the public IP, you know ARP works.

-------
If you like this post please give a thumbs up(kudo)! 🙂
AkosBakos
Leader

Hi @Lesley 

It seems only one Public_IP is relevant here, so proxy ARP is not relevant (yet).

Yes, it is recommended to separate the access rules too.

Akos

----------------
\m/_(>_<)_\m/
yeruel
Participant

Hi @Lesley @AkosBakos 

1. For access rules, the destination will be public IP_A?

2. If we have more than one public IP, for example:

   213.66.95.13 --- external gateway interface
   213.66.95.10 --- will be used as the Hide NAT IP address
   213.66.95.11, .12 --- will be used to publish servers for access from the internet

213.66.95.10, .11 and .12 are added in the ARP section of the Gaia portal.

Proxy ARP entries for 213.66.95.10, 213.66.95.11 and also 213.66.95.12 are in the ARP table with real IP address 213.66.95.13 and the outside interface.

Any advice please?

AkosBakos
Leader

Hi @yeruel 

"213.66.95.10, 11, 12 are added in the ARP Gaia portal" -> don't forget to add these entries to all members (both cluster members).

The guide is here: https://support.checkpoint.com/results/sk/sk30197

---I deleted my sentence, my wording was misleading---

Akos

----------------
\m/_(>_<)_\m/
Lesley
Mentor

As long as you see the traffic in the logs (allowed or blocked), you know the config is correct on the ARP level.

1. For access rules, the destination will be public IP_A? - correct

-------
If you like this post please give a thumbs up(kudo)! 🙂
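The thread converges on three checks for this publishing pattern: split the NAT rules per service port when several servers share one public IP, keep one access rule per NAT rule with the access rule's destination set to the original (pre-NAT) public IP, and give every published IP that is not an interface address a proxy ARP entry. The script below is an added example, not Check Point code and not from any poster; it models those checks over small rule tables. The private addresses 10.0.0.x, the rule names and the service strings are constructed for illustration, the 213.66.95.x addresses come from the thread.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class NatRule:
    name: str
    orig_src: str       # "any" or an address/network
    orig_dst: str       # public IP the internet client connects to (pre-NAT)
    orig_service: str   # "any" or a service such as "tcp443" (constructed naming)
    xlate_dst: str      # private server address the gateway translates to


@dataclass(frozen=True)
class AccessRule:
    name: str
    src: str
    dst: str            # matched on the pre-NAT (public) address, as Lesley confirmed
    service: str


def check_rules(nat_rules: Iterable[NatRule], access_rules: Iterable[AccessRule],
                proxy_arp: Set[str], interface_ips: Set[str]) -> List[str]:
    """Return a list of findings; an empty list means the tables follow the thread's advice."""
    nat_rules = list(nat_rules)
    access_rules = list(access_rules)
    findings: List[str] = []
    published = {r.orig_dst for r in nat_rules}

    # 1. Per-port NAT rules: when one public IP is shared, every rule must name a service,
    #    otherwise a broad rule swallows the others (manual NAT rules match top-down, first hit wins).
    for ip in sorted(published):
        group = [r for r in nat_rules if r.orig_dst == ip]
        if len(group) < 2:
            continue
        seen = {}
        for r in group:
            if r.orig_service == "any":
                findings.append(f"{r.name}: publishes {ip} with service 'any' while other rules "
                                f"share that IP; narrow it to a port")
            if r.orig_service in seen:
                findings.append(f"{r.name}: duplicate of {seen[r.orig_service]} "
                                f"({ip}/{r.orig_service}), never matched")
            seen.setdefault(r.orig_service, r.name)

    # 2. One-to-one correspondence: each NAT rule needs exactly one access rule whose
    #    destination is the ORIGINAL public IP and whose service matches.
    for r in nat_rules:
        matches = [a for a in access_rules
                   if a.dst == r.orig_dst and a.service == r.orig_service]
        if not matches:
            findings.append(f"{r.name}: no access rule with destination {r.orig_dst} "
                            f"and service {r.orig_service}")
        elif len(matches) > 1:
            findings.append(f"{r.name}: {len(matches)} access rules match it; keep one per NAT rule")
    for a in access_rules:
        if a.dst not in published:
            findings.append(f"{a.name}: destination {a.dst} is not a published public IP "
                            f"(access rules match pre-NAT addresses)")

    # 3. Proxy ARP: a published IP that is not configured on an interface needs a proxy
    #    ARP entry (on every cluster member) or the gateway never answers for it.
    for ip in sorted(published):
        if ip not in interface_ips and ip not in proxy_arp:
            findings.append(f"{ip}: no proxy ARP entry and not configured on an interface")
    return findings


# Constructed sample data modelled on the thread: .13 is the interface, .11/.12 publish servers.
INTERFACE_IPS = {"213.66.95.13"}


def recommended_design() -> List[str]:
    """Per-port NAT rules, one access rule each, proxy ARP present: expect no findings."""
    nat = [
        NatRule("AAAirport_https", "any", "213.66.95.11", "tcp443", "10.0.0.11"),
        NatRule("AAAirport_ssh", "any", "213.66.95.11", "tcp22", "10.0.0.12"),
        NatRule("Portal_https", "any", "213.66.95.12", "tcp443", "10.0.0.13"),
    ]
    acl = [
        AccessRule("Access_AAAirport_https", "any", "213.66.95.11", "tcp443"),
        AccessRule("Access_AAAirport_ssh", "any", "213.66.95.11", "tcp22"),
        AccessRule("Access_Portal_https", "any", "213.66.95.12", "tcp443"),
    ]
    return check_rules(nat, acl, {"213.66.95.10", "213.66.95.11", "213.66.95.12"}, INTERFACE_IPS)


def original_post_design() -> List[str]:
    """Service 'any' on a shared IP, access rule on the private IP, no proxy ARP: expect findings."""
    nat = [
        NatRule("AAAirport", "any", "213.66.95.11", "any", "10.0.0.11"),
        NatRule("AAAirport_ssh", "any", "213.66.95.11", "tcp22", "10.0.0.12"),
    ]
    acl = [AccessRule("Access_AAAirport", "any", "10.0.0.11", "any")]
    return check_rules(nat, acl, set(), INTERFACE_IPS)


if __name__ == "__main__":
    for label, result in (("recommended", recommended_design()), ("original", original_post_design())):
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

The checker reads the tables the way the gateway does: the access rule is evaluated against the public (original) destination, so an access rule written against the private address never matches published traffic, and a NAT rule with service "any" on a shared IP hides every per-port rule below it.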