This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
TSOL
Advisor
‎2024-08-13 09:47 PM
Jump to solution

How to apply NAT to a Network Group

Hello Team,

 

We are planning to test a NAT configuration on R81.20.

If I set a Network Group as the source, the following error is displayed.

"The Network group is only valid if the value of the matching translated colum is 'Original' or if the translated source is 'HOST' /Address Range and the Method is Hide."

I want to configure NAT for a Network Group. In this case, do I need to set up Hide NAT for each individual object separately?

 

Thank you for all the advice.

0 Kudos
1 Solution

Accepted Solutions
AkosBakos
Mentor Mentor
Mentor
‎2024-08-14 12:53 AM
Jump to solution

Hi @TSOL 

The easiest way to set up a NAT on a specific network, if you set it on the object itself:

Here:

2024-08-14 09_49_54-Network.png

I hope it helps 🙂

 

Á

----------------
\m/_(>_<)_\m/

View solution in original post

11 Replies
emmap
Employee
Employee
‎2024-08-13 10:21 PM
Jump to solution

The network group is the Original Source? What did you set the Translated Source to? 

0 Kudos
TSOL
Advisor
‎2024-08-13 10:28 PM
In response to emmap
Jump to solution

Dear emmap

Thank you for the reply.

Yes,  I want to set the Network Group as the Original Source and translate it to the IP address of the Out-side interface as the post-NAT IP address.

0 Kudos
emmap
Employee
Employee
‎2024-08-13 11:31 PM
In response to TSOL
Jump to solution

I believe that should work as long as you set the translated side to Hide NAT.

TSOL
Advisor
‎2024-08-13 11:43 PM
In response to emmap
Jump to solution

I mistakenly thought that I needed to add Hide NAT to the Network Group in the Original Source.

It turns out that I need to configure NAT for the object in the Translated Source instead.

Thanks!

0 Kudos
AkosBakos
Mentor Mentor
Mentor
‎2024-08-14 02:05 AM
In response to TSOL
Jump to solution

Hi @TSOL 

What I told about NAT that is an easy way. If you want to do manual NAT instead, feel free, and do it, the two solution is fully equivalent.

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
AkosBakos
Mentor Mentor
Mentor
‎2024-08-14 12:53 AM
Jump to solution

Hi @TSOL 

The easiest way to set up a NAT on a specific network, if you set it on the object itself:

Here:

2024-08-14 09_49_54-Network.png

I hope it helps 🙂

 

Á

----------------
\m/_(>_<)_\m/
TSOL
Advisor
‎2024-08-14 01:38 AM
In response to AkosBakos
Jump to solution

Thank you for the reply.

Does the response differ from the behavior when configuring NAT for the Translated Source?

0 Kudos
AkosBakos
Mentor Mentor
Mentor
‎2024-08-14 01:45 AM
In response to TSOL
Jump to solution

Hi @TSOL 

From the NAT point of view, this will act as a manual hide NAT. 

As you configure on the network object, you will see it in the NAT table, but you can edit the rule by editing the host object.

Akos 

----------------
\m/_(>_<)_\m/
0 Kudos
KBLITSEC
Explorer
‎2025-01-07 03:21 AM
In response to AkosBakos
Jump to solution

In our scenario we cannot use the hide nat. There is a reason for it. I have  a different scenario. We have different third-party networks connected to our datacentre through checkpoint firewall. each third-party zone will have different network. While accessing the different third-party destination IP or vice-versa we use different NAT based on the zone. If I am adding object group in the original source, adding a /32 IP object in the original destination and and adding a /32 object in the translated source it is giving the same error like above user mentioned. This was working prior to GAIA R81. I have even rules now in my firewall in the similar way that i have stated above. But now in GAIA R81.10 it is not allowing the same similar way of adding the NAT. Can you please help me by providing some inputs  

0 Kudos
PhoneBoy
Admin
Admin
‎2025-01-07 11:30 AM
In response to KBLITSEC
Jump to solution

As far as I know, this behavior hasn't changed.
Please provide a precise example, possibly with screenshots (sensitive details can be redacted).

0 Kudos
PhoneBoy
Admin
Admin
‎2024-08-16 11:58 AM
Jump to solution

The below answer came from our AI Copilot.
This is applicable if you want to use a manual NAT rule (versus using automatic NAT rules in the object):

The error you're encountering is expected when using static NAT, which translates only one address. To configure NAT for a Network Group, you should use the Hide NAT method. Here's how you can do it:

Steps to Configure Hide NAT for a Network Group

  1. Open SmartConsole and navigate to the NAT policy.
  2. Right-click on the translated source object in the NAT policy.
  3. Select NAT Method > Hide.
  4. Install the policy.

Important Considerations

  • Hide NAT allows multiple internal IP addresses to be translated to a single external IP address.
  • Be cautious when using Hide NAT for a large number of hosts, as it can lead to NAT Port Exhaustion. This happens when the number of connections exceeds the available NAT ports (50,000 ports per NAT pool).

Example Configuration

  1. Create a Network Group that includes all the networks or hosts you want to translate.
  2. Set the Network Group as the original source in the NAT rule.
  3. Set the translated source to a single IP address or an address range.
  4. Ensure the NAT method is set to Hide.

Example NAT Rule

No Original Source Original Destination Original Service Translated Source Translated Destination Translated Service Install On
1 Network Group Any Any Single IP/Range Original Original All

By following these steps, you can configure Hide NAT for a Network Group without setting up Hide NAT for each individual object separately. If you encounter any issues or need further assistance, feel free to ask!

Learn more:
  1. sk176846 - "You cannot use the Network Group &lt;Group Name&gt; as the Original source" validation e...
  2. sk179977 - CME error - The network group cannot be deleted because it is referenced by other objects...
  3. sk179917 - "Failed to delete object - (2) Topology: specific network must be defined" error when del...
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events