CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.

Can you modify the src port on a Check Point GW, so that any traffic, say from src A to dst B on port 23, will be seen by the destination B server as always coming from src port 5000 from A? So essentially, I want to perform src port NATing. Is this at all possible, and if so, how is this performed? Thanks!

Hi, yes, that is possible in Check Point. You can NAT anything, whether it's port or IP. In the NAT traversal you can make the NATing rules there. I hope you are clear with the steps. Regards, Ranjit

Well no, that is why I asked: what steps are required to have this working as I described above? The issue here is performing source port NATing, not destination port, so it's non-standard. As I have an smtp port object already defined, do I have to create a new smtp object, go to advanced settings and set the source port option to my defined port, then use this object in the translated service object field in the address translation tab? If not, please explain how to do this. I'm sure others will find this useful. Last edited by pinoo; 2007-11-05 at 01:59.

You have to write the NAT rule manually rather than relying on the AutoNAT rules. In the Address Translation section, all you do is specify the source and destination along with the service column, then specify the xlate src that you want to see it leaving on, keep the destination as original, and set the xlate service to be tcp5000. You may need to define the xlate service.

You will have SrcA to DstB on port 23 leaving the client. At the gateway it will NAT the SrcA to a public address so it can route across the Internet. It then xlates the service to port 5000 so that DstB sees the traffic arrive on port 5000. If this isn't what you're talking about, then what are you trying to do? Are you trying to say that the telnet leaves so that it arrives on port 23 at a telnet server but is seen coming from port 5000? You won't get that to happen, plus wouldn't it break the service you are trying to use?

"telnet leaves so that it arrives on port 23 at a telnet server but is seen coming from port 5000." - yes, this is exactly what I'm referring to. A weird application we're using requires that the source port for traffic is seen coming from, say, port 5000. So the requirement is to allow traffic from srcA destined to dstB so that the src port appears as 5000. Is this at all possible on Check Point?

If they have a weird requirement like that, then why don't they supply a telnet client so that this is done automatically at the client, i.e. the client sends with a src port of 5000 and dst of 23?
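The manual NAT rule described in this thread, modelled as an added example (not code from the thread or from Check Point): a rule with Original src/dst/service and Translated src/dst/service columns is applied to a telnet packet from srcA to dstB, which shows that translating the service rewrites the destination port to 5000 while the client's source port is left as it was. All addresses and the client port are constructed placeholders.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class ManualNatRule:
    """One row of the Address Translation tab: Original columns select the
    packet, Translated columns rewrite it (None = 'Original', untouched).
    The service column always names the *destination* port, so a translated
    service of tcp5000 changes where the packet arrives, not where it
    appears to come from."""
    orig_src: str
    orig_dst: str
    orig_service: int
    xlate_src: Optional[str] = None
    xlate_dst: Optional[str] = None
    xlate_service: Optional[int] = None


def apply_nat(pkt: Packet, rule: ManualNatRule) -> Packet:
    """Translate an outbound packet if it matches the rule's Original columns."""
    if (pkt.src_ip, pkt.dst_ip, pkt.dst_port) != (rule.orig_src, rule.orig_dst, rule.orig_service):
        return pkt  # no match: the packet passes untranslated
    # The client's source port is left alone. A real hide NAT may swap in a
    # port of the gateway's choosing, but it never pins it to 5000.
    return replace(
        pkt,
        src_ip=rule.xlate_src or pkt.src_ip,
        dst_ip=rule.xlate_dst or pkt.dst_ip,
        dst_port=pkt.dst_port if rule.xlate_service is None else rule.xlate_service,
    )


# Constructed sample values standing in for srcA, dstB and the public hide IP
RULE = ManualNatRule("10.0.0.5", "203.0.113.10", 23,
                     xlate_src="198.51.100.1", xlate_service=5000)


def translate_telnet_session(client_port: int = 40321) -> Packet:
    """What the thread's rule does to srcA -> dstB:23."""
    return apply_nat(Packet("10.0.0.5", client_port, "203.0.113.10", 23), RULE)
```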