3600 - NAT port forwarding with WAN DHCP
Hi,
Have a standalone 3600.
One external interface connected to ISP, public-ip is assigned by dhcp.
Another interface is connected to LAN switches and created vlan subinterfaces as default gw for internal networks.
Some servers need incoming port forwarding for their services. Have little CP experience; this is now migrated from Palo Alto.
My issue is the dynamic public IP: how could I create fw/nat rules that use the external interface IP?
It's working when I manually create a host object with the current public IP.
Outgoing hide-nat is done by "Add automatic address translation rules"
Labels: NAT

Create manual rules in terms of the object LocalMachine.
Yes, already tried LocalMachine without success.
Seems that incoming traffic is not hitting the NAT rule anymore.
Is it possible to see the value of LocalMachine object?
Reading about dynamic objects now and scripts... not sure that is a good solution
LocalMachine is a dynamic object we manage.
You can use the dynamic_objects CLI command to see the current contents of any given dynamic object.
https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_CLI_ReferenceGuide/Content/T...
Seems that only the dynamic_objects I've made myself can be listed; no result when I try LocalMachine.
Another issue is policy push when LocalMachine is used in the policy: it requires the target to be a DAIP module (sk180341). Same result if I specify the target gateway.
Since the Mgmt and Data planes aren't separated, this is maybe caused by the static IP on the Mgmt interface and DHCP on the External interface..?
Not sure what is best practice for this... It is possible to separate them with MDPS (sk138672), but with a lot of limits...
MDPS is not relevant for standalone systems.
Did you try enabling DAIP as described here: https://support.checkpoint.com/results/sk/sk166225
I don't think you can enable it in SmartConsole since this is a standalone system, which I don't believe supports DAIP.
However, this might enable updating of the LocalMachine object if you have one of your interfaces defined as dynamic.
Tried to enable DAIP as described in sk166225, same result as sk180341 afterwards.
Maybe DAIP not supported for standalone...
The functionality to enable DAIP is only supported on pure gateways (not standalone).
While a dynamic address will still work, you'll have to create and update your own Dynamic Object.
While you could script updating a dynamic_object, if you're using R81.20, you can do a Network Feed object that achieves the same thing.
Create the object as follows:
Note that I have no idea how reliable ipify is as I just found it with a quick Internet search.
However, anything that returns your public IP either in ASCII (like https://api.ipify.com does) or in JSON can be used.
Network Feed objects can be used in the Access Policy and NAT configuration on R81.20+ gateways.
It should also be noted that locally managed Quantum Spark appliances support this use case much better (using Server objects).
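The "script updating a dynamic_object" option mentioned above, written out as an added example (not from this thread or from Check Point): a Gaia Expert-mode script that looks up the public IPv4 address, validates it, and swaps the old address for the new one in a dynamic object that a manual NAT rule can then reference as the Original Destination. Assumed: the object is named ExternalIP and was created once with `dynamic_objects -n ExternalIP`, Gaia's curl binary is `curl_cli`, the lookup service is api.ipify.org, and the state file path under /var/tmp.

```shell
#!/bin/sh
# Added example: keep a Check Point dynamic object in sync with the public
# IPv4 address the ISP assigns by DHCP, so manual NAT rules can use it.
# Assumptions: object "ExternalIP" exists (dynamic_objects -n ExternalIP),
# Gaia's curl is curl_cli, api.ipify.org returns the address as plain text.
OBJ=${DYN_OBJ:-ExternalIP}
STATE=${DYN_STATE:-/var/tmp/${OBJ}.last}
FEED_URL=${FEED_URL:-https://api.ipify.org}
CURL=${CURL:-curl_cli}

# Strict dotted-quad check: the feed response is untrusted input and must
# never reach dynamic_objects unless it is exactly one IPv4 address.
is_ipv4() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# An empty or garbled answer (timeout, HTML error page) is rejected later.
fetch_public_ip() {
    "$CURL" -s --max-time 10 "$FEED_URL" | tr -d '[:space:]'
}

# Print the actions (del/add) that move OBJ from old to new; prints nothing
# when unchanged, fails when the new value is not an IPv4 address.
plan_update() {
    is_ipv4 "$2" || { echo "refusing non-IPv4 response: '$2'" >&2; return 1; }
    [ "$1" = "$2" ] && return 0
    [ -n "$1" ] && echo "del $1"
    echo "add $2"
}

# Execute a plan read from stdin against the dynamic object on this gateway.
apply_plan() {
    while read -r action ip; do
        case $action in
            del) dynamic_objects -o "$OBJ" -r "$ip" "$ip" -d || return 1 ;;
            add) dynamic_objects -o "$OBJ" -r "$ip" "$ip" -a || return 1 ;;
        esac
    done
}

sync_object() {
    new=$(fetch_public_ip) || return 1
    old=""; [ -f "$STATE" ] && old=$(cat "$STATE")
    plan=$(plan_update "$old" "$new") || return 1
    [ -z "$plan" ] || printf '%s\n' "$plan" | apply_plan || return 1
    printf '%s\n' "$new" > "$STATE"
}

# Only touch the gateway when invoked explicitly, e.g. from cron: sync.sh --apply
case ${1:-} in --apply) sync_object ;; esac
```

The script only issues dynamic_objects commands when the lease actually changed, so it is safe to run from cron every few minutes; note that dynamic object contents live on the gateway and are not part of the pushed policy.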
What about a security zone and manual NAT: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SecurityManagement_AdminGuide/Topi...
Never tried that myself, though.
Good tip, but it seems that zones cannot be used when the Translated Destination needs to be changed from "Original" (local server IP).