CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hello! I have just taken over administration of a Checkpoint NGX R60 firewall, and have been given the task of enabling external access to an internal server hosting a web server on port 4443 (due to a recent firewall migration not being entirely complete). This new host resolves to the same IP address as an existing web server.

Here's the scenario: web.domain.com and newhost.domain.com both point to the public IP 80.0.0.1. There is an automatic NAT for 80.0.0.1 to the internal IP, 192.168.0.10. This automatic NAT works fine (only necessary for TCP 80/443).

So, I want to add in a rule to redirect requests to 80.0.0.1 on port 4443 to the internal IP of the newhost, 192.168.0.20. (There are three rules in the rulebase:

ANY to 192.168.0.10 on 80, LOG
ANY to 192.168.0.10 on 443, LOG
ANY to 192.168.0.20 on 4443, LOG)

I don't _really_ want to remove the existing automatic NAT to the web server, mainly to avoid any outages caused by misconfiguration...

These are the rules I have tried, separately, without success:

Original Packet            ==> Translated Packet
Src, Dest, Svc             ==> Src, Dest, Svc
any, 80.0.0.1, tcp_4443    ==> original, 192.168.0.20, original

and

any, 192.168.0.10, tcp_4443 ==> orig., 192.168.0.20, orig.

I have tried them both above and below the automatic NAT (although bidirectional NAT is enabled, and I understand that checks all rules for best match before processing? Is matching 'ANY' service better than matching the service explicitly?)

Anyway. Any suggestions? Something blatantly silly/obvious? Thanks!
First, check Tracker for the number of the NAT rule which is applied. NAT rules are checked one after another, like usual rules in the Rule Base. Bidirectional NAT applies only to automatic NAT rules.

Good quote:

"The detailed logic of Bidirectional NAT is as follows:

• If the first match on a connection is on a Manual NAT rule, no further checking of the NAT Rule Base is done.

• If the first match on a connection is on an Automatic NAT rule, then the rest of the NAT Rule Base is checked, one rule at a time, to see if another Automatic NAT Rule matches the connection. If it does, both rules are matched, and no further checking is performed.

The operation of Bidirectional NAT can be tracked using the SmartView Tracker, using the fields NAT Rule Number and NAT Additional Rule Number. The "additional rule" is the rule that matches the automatic translation performed on the second object in Bidirectional NAT."

Last edited by kva.kva; 2006-10-02 at 11:11.
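To make the matching order in the quoted passage concrete, here is a small model of the NAT rule base in Python. It is an added example, not Check Point code and not from either poster. The addresses and the tcp_4443 service are the ones from the thread; the external client 203.0.113.5, the internal host 192.168.0.50 and its hide address 80.0.0.2 are constructed for the demo, and the assumption that an automatic static NAT on a host object generates one source-translation rule and one destination-translation rule, both with service "any", is mine. The model walks the rules top-down against the original packet and stops the way the quote describes, then returns the two Tracker fields (NAT Rule Number, NAT Additional Rule Number) plus the translated addresses.

```python
"""Toy model of Check Point NAT rule-base matching (added example, not
Check Point code).  Rules are scanned top-down against the ORIGINAL packet;
the stop conditions follow the bidirectional-NAT logic quoted above."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class NatRule:
    number: int
    kind: str                         # "manual" or "automatic"
    src: str                          # original source ("any" matches all)
    dst: str                          # original destination
    svc: str                          # original service, e.g. "tcp_4443"
    xlate_src: Optional[str] = None   # translated source, None = original
    xlate_dst: Optional[str] = None   # translated destination, None = original

    def matches(self, src: str, dst: str, svc: str) -> bool:
        return all(want in (ANY, got) for want, got in
                   ((self.src, src), (self.dst, dst), (self.svc, svc)))


def match_nat(rules: List[NatRule], src: str, dst: str, svc: str
              ) -> Tuple[Optional[int], Optional[int], str, str]:
    """Return (NAT Rule Number, NAT Additional Rule Number, new src, new dst),
    i.e. what SmartView Tracker would show for this connection."""
    first = additional = None
    for rule in rules:
        if not rule.matches(src, dst, svc):
            continue
        if first is None:
            first = rule
            if rule.kind == "manual":
                break                  # manual first match: stop immediately
        elif rule.kind == "automatic":
            additional = rule          # bidirectional NAT: second object's rule
            break                      # a manual rule further down is never used
    new_src, new_dst = src, dst
    for rule in (first, additional):
        if rule is not None:
            new_src = rule.xlate_src or new_src
            new_dst = rule.xlate_dst or new_dst
    return (first.number if first else None,
            additional.number if additional else None, new_src, new_dst)


# Addresses from the thread plus one constructed external client.
WEB_PUBLIC, WEB_PRIVATE, NEWHOST = "80.0.0.1", "192.168.0.10", "192.168.0.20"
CLIENT = "203.0.113.5"


def auto_static(n: int, private: str, public: str) -> List[NatRule]:
    """Assumption: an automatic static NAT on a host object yields two rules,
    one translating the host as source, one translating it as destination."""
    return [NatRule(n, "automatic", private, ANY, ANY, xlate_src=public),
            NatRule(n + 1, "automatic", ANY, public, ANY, xlate_dst=private)]


def rulebase(manual_first: bool, manual_dst: str = WEB_PUBLIC) -> List[NatRule]:
    """The poster's rule base: one manual tcp_4443 rule placed above or below
    the web server's automatic NAT.  manual_dst picks which of the two
    attempted rules is used (public 80.0.0.1 or private 192.168.0.10)."""
    manual = lambda n: NatRule(n, "manual", ANY, manual_dst, "tcp_4443", xlate_dst=NEWHOST)
    if manual_first:
        return [manual(1)] + auto_static(2, WEB_PRIVATE, WEB_PUBLIC)
    return auto_static(1, WEB_PRIVATE, WEB_PUBLIC) + [manual(3)]


def bidirectional_demo() -> Tuple[Optional[int], Optional[int], str, str]:
    """Constructed internal host 192.168.0.50 with an automatic hide NAT behind
    80.0.0.2 opens 80.0.0.1:443: two automatic rules match, so Tracker would
    show both a NAT Rule Number and a NAT Additional Rule Number."""
    rules = rulebase(True) + [NatRule(4, "automatic", "192.168.0.50", ANY, ANY,
                                      xlate_src="80.0.0.2")]
    return match_nat(rules, "192.168.0.50", WEB_PUBLIC, "tcp_443")


if __name__ == "__main__":
    for manual_first in (True, False):
        for svc in ("tcp_443", "tcp_4443"):
            print(f"manual {'above' if manual_first else 'below'} auto, {svc}:",
                  match_nat(rulebase(manual_first), CLIENT, WEB_PUBLIC, svc))
    print("manual rule written against 192.168.0.10:",
          match_nat(rulebase(True, WEB_PRIVATE), CLIENT, WEB_PUBLIC, "tcp_4443"))
    print("bidirectional (two automatic rules):", bidirectional_demo())
```

Under this model the manual rule only takes effect when it sits above the automatic rules and is written against the public address: placed below, the automatic destination rule (service "any") matches first and the scan then only looks for another automatic rule; written against 192.168.0.10, it never matches the original packet, whose destination is still 80.0.0.1. That is exactly what the NAT Rule Number field in Tracker lets you confirm.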