the_rock
Legend

NAT tip

Hey team,

Figured I would share something that maybe some of you already know, but I'm sure lots of people might not, if you were to ever encounter this situation.

So say you have a subnet (just making this up, but you will get the idea), 10.10.0.0/16, and you hide NAT it to a specific IP and it works fine, great. BUT then let's say you have a need to NAT a larger prefix of that subnet (say 10.10.10.0/24) to a different IP, and you create another network object, install policy, it will NOT work.

The customer even had a TAC case about it, but no luck. They reached out and I remembered right away, back from the old days of CP, that another client actually showed me something like this can work with an address range, so all you do is below and it works 100%, even in R82 : - )

Anyway, wanted to share this in case anyone encounters it.

Best.

Andy


10 Replies
the_rock
Legend

Hey @AkosBakos 

Hope that tip is somewhat useful : - )

Man, I was thinking, since you told me before that you are in Hungary: last time I was there I stayed in the Corinthia Budapest, what a crazy cool place. Btw, not sure if you ever played chess or know how the pieces move, but I figured I would share a "sick" move, probably one of the greatest in chess history, by one of your countrymen, Peter Leko, such a brilliant mind.

This was played against Vladimir Kramnik for the FIDE chess championship in 2004 in Switzerland.

Invisible to Engines | One Of The Greatest Moves Ever Played

Cheers,

 

Andy

AkosBakos
Advisor

Hi @the_rock 

/off

Yes, Peter Leko is one of the famous players, but don't forget Judit Polgár.

/on

Honestly, I avoid using this kind of NAT (but NATting an address range is worth a Gold Medal).

This NATting method is the basis of a lot of noNAT rules 🙂

A

----------------
\m/_(>_<)_\m/
the_rock
Legend

Judit Polgar, man, she is one of the sweetest ladies out there, such a pleasant lady. I met her one year in Indonesia where she was giving a speech about life/chess; she is so smart and brilliant.

Anywho, as far as NAT, I figured I would share the tip, as maybe some people don't know, so it's an easy fix if they ever encounter that sort of situation 🙂

Andy

PhoneBoy
Admin

Sounds like a conflict in the Automatic NAT rules.
I guess Address Ranges apply before Network objects in that calculation.

Timothy_Hall
Legend

Exactly. If you look at the built-in section titles in the NAT policy, automatic rules for address ranges (which are usually more specific) are consulted prior to those for network objects (which are generally less specific), for both Static and Hide NATs that are automatic.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
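To make the ordering Tim describes concrete, here is a small model added to this thread (not Check Point's code, and not from any poster): the address-range section is consulted before the network section; as assumptions of the model, the first matching automatic rule wins and objects within a section keep their creation order. The 203.0.113.x hide addresses are constructed.

```python
# Constructed model of Check Point automatic Hide NAT ordering, not Check Point code.
# From the thread: address-range rules are consulted before network-object rules.
# Assumed here: first match wins, and within a section objects stay in creation order.
import ipaddress
from dataclasses import dataclass

SECTION_ORDER = {"address_range": 0, "network": 1}  # lower value is consulted first

@dataclass(frozen=True)
class AutoHideNat:
    section: str                      # automatic NAT section the object lands in
    first: ipaddress.IPv4Address      # first original source address covered
    last: ipaddress.IPv4Address       # last original source address covered
    hide_behind: str                  # translated source address

    def matches(self, ip: ipaddress.IPv4Address) -> bool:
        return self.first <= ip <= self.last

def network_hide(cidr: str, hide_behind: str) -> AutoHideNat:
    net = ipaddress.ip_network(cidr)
    return AutoHideNat("network", net[0], net[-1], hide_behind)

def range_hide(first: str, last: str, hide_behind: str) -> AutoHideNat:
    return AutoHideNat("address_range", ipaddress.ip_address(first),
                       ipaddress.ip_address(last), hide_behind)

def install_policy(objects: list) -> list:
    # sorted() is stable: sections in fixed order, creation order kept within a section
    return sorted(objects, key=lambda r: SECTION_ORDER[r.section])

def translate_source(policy: list, src: str) -> str:
    ip = ipaddress.ip_address(src)
    for rule in policy:           # first matching automatic rule decides
        if rule.matches(ip):
            return rule.hide_behind
    return src                    # no rule matched: source leaves untranslated

def demo() -> dict:
    # Opening post, attempt 1: /16 and the more specific /24 both as network objects.
    broken = install_policy([network_hide("10.10.0.0/16", "203.0.113.1"),
                             network_hide("10.10.10.0/24", "203.0.113.2")])
    # Attempt 2: the /24 defined as an address range instead.
    working = install_policy([network_hide("10.10.0.0/16", "203.0.113.1"),
                              range_hide("10.10.10.0", "10.10.10.255", "203.0.113.2")])
    return {"broken_24_host": translate_source(broken, "10.10.10.5"),
            "working_24_host": translate_source(working, "10.10.10.5"),
            "working_other_host": translate_source(working, "10.10.20.5")}

if __name__ == "__main__":
    for name, translated in demo().items():
        print(f"{name}: {translated}")
```

With both objects in the network section, a 10.10.10.x host is caught by the /16 rule first and hidden behind the wrong address; moving the /24 into the address-range section puts it ahead of the /16, which is the behaviour the opening post saw.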
the_rock
Legend

Hm, that's news to me, good to know... never knew that.

Andy

the_rock
Legend

Hey @PhoneBoy 

Since I'm probably 2% the smarts of you and master @Timothy_Hall, run that by me again, please? 🙂

So if I get this right, and I could be mistaken, are you suggesting that if someone made NAT on the object for the larger prefix (smaller subnet), that should be placed ABOVE all the automatic rules? If so, would that make the ORIGINAL NAT for the larger subnet not work?

Andy

PhoneBoy
Admin

It actually shows you the order the Automatic NAT rules are applied in the NAT Policy itself (at least in R81.20).

the_rock
Legend

I see what you mean. Man, in so many years, I NEVER even paid attention to it. Well, learned something new now, thanks to you 🙂

Cheers,

Andy
