| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
Hi,

Currently we have a backup server in LAN and a few servers in DMZ. I have enabled Hide NAT for LAN and DMZ networks. Servers in DMZ also have static NAT from WAN network IP address.

WAN: 192.168.10.20 (aliases at 10.21 and 10.22)
LAN: 192.168.20.123
DMZ: 192.68.30.123

Net_192.168.20.0 with Hide NAT
Net_192.168.30.0 with Hide NAT
Server/Host 192.168.30.111 with Static NAT to 192.168.10.21
Backup server/Host 192.168.20.20 (no static or hide NAT on this server, because the network itself is already NATed).

Problem: When we want to define a backup job, traffic that goes from 192.168.20.20 to 192.168.30.111 does not work "properly" (we are unable to connect to the DMZ server that we wish to back up). All relevant ports are open. I suspected it was NAT causing this.

I did a simulation with another firewall brand that allows me to do this with masquerading:

Disable NAT from LAN to DMZ
Enable NAT from LAN to WAN
Enable NAT from DMZ to WAN

When I disable NAT from LAN to DMZ, the backup software is able to connect to the DMZ server. When I enable NAT from LAN to DMZ, the backup server cannot connect to the DMZ server.

In this case, the logical option in Checkpoint will be to disable Hide NAT for LAN and DMZ networks (Net_192.168.20.0 and Net_192.168.30.0). However, if I were to do this, all servers in LAN and DMZ will not have access to the Internet anymore.

Question: Is there any way to configure these in Checkpoint:

NAT from LAN to WAN enabled
NAT from DMZ to WAN enabled
NAT from LAN to DMZ disabled

Thanks.
| |||
What you need to do is define a manual NAT rule. In your address translation policy, add a manual rule:

source -> destination -> service -> source -> destination -> service
backup_server -> DMZ servers -> ANY -> ORIGINAL -> ORIGINAL -> ORIGINAL
DMZ servers -> backup_server -> ANY -> ORIGINAL -> ORIGINAL -> ORIGINAL
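A simplified first-match model of the rulebase discussed in this thread, added here as an illustration; it is not code from either poster or from Check Point. It assumes that rules are evaluated top-down with the first match winning, that the manual rules sit above the automatic ones, that the static rule for 192.168.30.111 precedes the hide rules, and that "DMZ servers" means the whole Net_192.168.30.0 object. `HIDE` is a label standing in for whatever address the gateway hides behind, and 203.0.113.10 is a constructed Internet host.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("192.168.20.0/24")        # Net_192.168.20.0
DMZ = ipaddress.ip_network("192.168.30.0/24")        # Net_192.168.30.0
BACKUP = ipaddress.ip_network("192.168.20.20/32")    # backup_server
DMZ_HOST = ipaddress.ip_network("192.168.30.111/32")

# Each rule: (original source, original destination, translated source).
# Translated source is "ORIGINAL", "HIDE", or a static address.
# Assumed shape of the automatic rules generated from the objects in the post.
AUTOMATIC = [
    (DMZ_HOST, ANY, "192.168.10.21"),  # Static NAT on the DMZ server
    (LAN, ANY, "HIDE"),                # Hide NAT on Net_192.168.20.0
    (DMZ, ANY, "HIDE"),                # Hide NAT on Net_192.168.30.0
]

# The two manual rules from the reply, placed above the automatic ones.
MANUAL = [
    (BACKUP, DMZ, "ORIGINAL"),
    (DMZ, BACKUP, "ORIGINAL"),
]


def translated_source(rules, src, dst):
    """Return the source the destination sees under first-match NAT."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for orig_src, orig_dst, action in rules:
        if s in orig_src and d in orig_dst:
            return src if action == "ORIGINAL" else action
    return src  # no rule matched, so nothing is translated


def compare(src, dst):
    """Source seen by dst without, then with, the manual rules on top."""
    return (translated_source(AUTOMATIC, src, dst),
            translated_source(MANUAL + AUTOMATIC, src, dst))


if __name__ == "__main__":
    flows = [("192.168.20.20", "192.168.30.111"),   # backup job
             ("192.168.30.111", "192.168.20.20"),   # DMZ server to backup
             ("192.168.20.20", "203.0.113.10"),     # backup server to Internet
             ("192.168.20.50", "192.168.30.111")]   # other LAN host to DMZ
    for src, dst in flows:
        before, after = compare(src, dst)
        print(f"{src} -> {dst}: before={before} after={after}")
```

In this model only the backup-server/DMZ pair is exempted: Internet-bound traffic and other LAN hosts still hit the automatic rules, so the exemption is as narrow as the objects used in the manual rules.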