
AWS CloudGuard Multiple Static NAT rules

Question asked by Roy Long on May 17, 2018
Latest reply on May 25, 2018 by Vladimir Yakovlev

All, please assist with this.

I am about 90% there with my CloudGuard configuration and seem to be stuck at the last hurdle.

Here's what I have, and I am sure it's something straightforward for one of the gurus on here.

Internal network 10.99.1.0/24 - private
External network 10.99.0.0/24 - public
Checkpoint eth0 has primary and secondary IPs 10.99.0.230 & 10.99.0.235; each has an EIP (elastic IP address) associated with it.
Checkpoint has eth1 assigned a single IP address, 10.99.1.230, in private.

Route tables are set:
Public 0.0.0.0/0 through the AWS Internet Gateway
Private 0.0.0.0/0 through eth1 of Checkpoint

I have Hide behind Gateway set as NAT for the Checkpoint gateway object.

I have a manual static NAT rule for an internal host 10.99.1.x to NAT to a cloned host object with the secondary EIP (which is assigned to eth0 of Checkpoint) set as the translated address.

I have the opposite rule set to translate back from the public secondary IP to the internal host.

I have a policy rule which accepts traffic from the secondary external IP address to Any.

When I delete the NAT rule I can access the internet from the internal host (NATed through the gateway public IP address). With the static NAT rule active it's not returning anything, although I see the traffic from the internal host hitting the firewall and an Accept entry in the log - just nothing seems to come back.

What have I missed?

Best regards,

Roy.
