- Products
- Learn
- Local User Groups
- Partners
- More
What's New in R82.10?
Watch HereWhen the Agents Attack
A Live Look at Agentic Exposure Validation
AI Security Masters E8:
Claude Mythos: New Era in Cyber Security
CheckMates Go:
CheckMates Fest
Hi firewall masters!
I need your help with nat, port forward or whatsoever to confirm (or deny) my idea to grant access to my webserver from Internet.
We have /24 of public IP's, cutted on CP firewall. Some of them are used by network equipment, let say /29, and some of them by servers in DMZ, LAN, where ever was needed.
We have also few branches connected through sd-wan.
Subnet 172.16.0.0/24 is reachable by static route, its not directly connected.
And now i need to make visible in internet one server from that branch.
Is it possible to do this on CP by NAT, ARP policies?
When i did manual NAT, webserver 1.1.1.100:80 is reachable but only in LAN, never from outside.
Many thanks for your help, ideas how to achieve this.
Cheers!
#nat
#routing
#arp
#proxy
I think that easiest solution will be NAT
| src | dst | service | nat src | nat dst | nat service |
|---|---|---|---|---|---|
| internet | 1.1.1.100 | 80 | 1.1.1.1 hide | 172.16.0.2 | original |
But you lose information about source in web server logs.
If you are using manual NAT for an object, you have to resort to manual proxy ARP entries in Gaia.
If you are using static NAT to some local dummy IP, you can then use NAT rules to forward this traffic to its destination, so long as the routing is in place and the security policy permits it.
Tried both with no success, apparently Im doing something wrong.
Can you give me some examples?
Sorry, I am at CPX now and will not be by my lab for a few days yet.
I think that easiest solution will be NAT
| src | dst | service | nat src | nat dst | nat service |
|---|---|---|---|---|---|
| internet | 1.1.1.100 | 80 | 1.1.1.1 hide | 172.16.0.2 | original |
But you lose information about source in web server logs.
Michal, this is it!
Many thanks!
Where i need to send you bitcoins?
Oh, no, they useless at this moment.
I can propose good real beer in Poland or in Czech.
Cheers!
PS. I used of course 1.1.1.3 (my active CP) not 1.1.1.1 in nat src. I understand it was just a typo. Just for those who they will looking for same solution.
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
| User | Count |
|---|---|
| 13 | |
| 12 | |
| 9 | |
| 7 | |
| 7 | |
| 4 | |
| 3 | |
| 3 | |
| 3 | |
| 3 |
Thu 02 Jul 2026 @ 06:00 PM (CST)
Revolucionando la Seguridad con IA Generativa: Prevención Inteligente en Tiempo RealThu 09 Jul 2026 @ 10:00 AM (CEST)
Schutz souveräner Workloads: Check Point & die AWS European Sovereign CloudThu 09 Jul 2026 @ 11:00 AM (CEST)
The Cloud Architects Series: Check Point Edge Protection SD-WAN & SASETue 14 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E11: READY OR NOT: Securing the AI Enterprise 3/5 - AI Workforce SecurityThu 30 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E12: READY OR NOT: Securing the AI Enterprise 4/5 - AI GatewayThu 20 Aug 2026 @ 10:00 AM (PDT)
AI Security Masters E13: READY OR NOT: Securing the AI Ent 5/5 - AI Research & Threat LandscapeTue 14 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E11: READY OR NOT: Securing the AI Enterprise 3/5 - AI Workforce SecurityThu 30 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E12: READY OR NOT: Securing the AI Enterprise 4/5 - AI GatewayThu 20 Aug 2026 @ 10:00 AM (PDT)
AI Security Masters E13: READY OR NOT: Securing the AI Ent 5/5 - AI Research & Threat LandscapeThu 02 Jul 2026 @ 06:00 PM (CST)
Revolucionando la Seguridad con IA Generativa: Prevención Inteligente en Tiempo RealAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY