| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
Checkpoint R60 HFA4

I have a situation in which a legacy web server is being moved from an internal network to a newly created DMZ. A new server was created in the DMZ and is accessible from the internal network. Currently the old web server is associated with two external IP addresses. The new web server will eventually need to be associated with both external IP addresses.

Manual NAT rules look like this:

Rule 1
Source = any
Destination = External IP Addr 1
Service = http
Translate source = original
Translate dest = Internal IP Addr (static)
Service = original

Rule 2
Source = any
Destination = External IP Addr 2
Service = http
Translate source = original
Translate dest = Internal IP Addr (static)
Service = original

Security rule looks like this:

Source = any
Destination = Internal IP Addr
Service = http
Action = accept

The above works great. I changed the rules to look like this:

Rule 1
Source = any
Destination = External IP Addr 1
Service = http
Translate source = original
Translate dest = Internal IP Addr (static)
Service = original

Rule 2
Source = any
Destination = External IP Addr 2
Service = http
Translate source = original
Translate dest = DMZ IP Addr (static)
Service = original

Security rule looks like this:

Source = any
Destination = Internal IP Addr, DMZ IP Addr
Service = http
Action = accept

Any traffic now destined for External IP Addr 2 never gets NATed and falls to the cleanup security rule. Any ideas on why this does not work now?