CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
All-

Let me first begin by explaining our setup at numerous sites in our R60 HFA05 VPN Meshed Community on mainly Nokia platforms:

- FW Interface 1 = Outside (Real World Routable IP)
- FW Interface 2 = Inside Server Network (Class C, Real World Routable IPs)
- FW Interface 3 = Inside User Network (NAT'ed Addresses)
- FW Interface 4 = Inside User Network 2 (NAT'ed Addresses)

What we are seeing is that any traffic from Interface 3 or 4 (our NAT'ed interfaces) to Interface 2 (our RW routable interface) is being NAT'ed, which seems very odd to me. We first noticed this by way of a DHCP relay setup to our Server Network; clients' DHCP requests were being NAT'ed by the FW and thus generating the "Connection contains real IP of NATed address" error. As soon as we put in a NAT rule of Any to DHCP Server, service bootp/bootpc, kept as Original - Original - Original, everything started working properly as expected.

My question is, why would this request be NAT'ed in the first place? I would assume that since this is an internal request inside the topology of the FW, it would not be NAT'ed. Am I correct in thinking this? Or do I need to specifically set a NAT rule on all of my firewalls stating that traffic from my local NAT'ed interfaces to the Server Network interface should perform no NAT?

Regards,
eyunghans
| |||
No, your understanding of NAT on Check Point is not correct. I suspect that you have objects for your networks on interfaces 3 and 4 that have an Automatic NAT rule. This will be:

Src = Internal_Net_Interface3, Dst = Any, Xlate Src = Hide_NAT, Xlate Dst = Original

Therefore when you go from your internal network to the Interface 2 network this NAT rule is matched, as that network is matched up to ANY destination. When you define the No NAT rule above this then it matches that rule and says to keep as original.
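The first-match behaviour mcnallym describes, as an added example that is not Check Point code and not from either poster: a small NAT rulebase simulator in which the manual no-NAT rule sits above the automatic hide rules. All addresses, object names and rule names are constructed placeholders.

```python
"""First-match NAT rulebase simulator (added example, not Check Point code)."""
from ipaddress import ip_address, ip_network

ANY = "Any"
SERVER_NET = ip_network("203.0.113.0/24")   # constructed: Interface 2, routable
USER_NET_3 = ip_network("10.1.0.0/24")      # constructed: Interface 3, hide-NATed
USER_NET_4 = ip_network("10.2.0.0/24")      # constructed: Interface 4, hide-NATed
HIDE_IP = ip_address("198.51.100.1")        # constructed: address the hide rule translates to
DHCP_SERVER = ip_address("203.0.113.10")    # constructed: server on Interface 2

def matches(field, value):
    """A rule field is Any, a list of alternatives, a network, a host or a service name."""
    if field == ANY:
        return True
    if isinstance(field, (list, tuple)):
        return any(matches(f, value) for f in field)
    if hasattr(field, "network_address"):   # network object: membership test
        return value in field
    return field == value                   # single host or service name

def nat_rule(name, src, dst, svc, xsrc, xdst):
    return {"name": name, "src": src, "dst": dst, "svc": svc, "xsrc": xsrc, "xdst": xdst}

def evaluate(rulebase, src, dst, svc):
    """Walk the rulebase top-down; the first matching rule decides the translation."""
    for r in rulebase:
        if matches(r["src"], src) and matches(r["dst"], dst) and matches(r["svc"], svc):
            xsrc = src if r["xsrc"] == "Original" else r["xsrc"]
            xdst = dst if r["xdst"] == "Original" else r["xdst"]
            return r["name"], xsrc, xdst
    return None, src, dst                   # no rule matched: no translation

# Automatic Hide NAT rules as generated from the two user-network objects: Dst = Any.
AUTO_HIDE = [
    nat_rule("auto hide net3", USER_NET_3, ANY, ANY, HIDE_IP, "Original"),
    nat_rule("auto hide net4", USER_NET_4, ANY, ANY, HIDE_IP, "Original"),
]
# Manual no-NAT rules; in the rulebase these sit above the automatic rules.
NO_NAT_DHCP = nat_rule("no-NAT dhcp", ANY, DHCP_SERVER, ("bootp", "bootpc"), "Original", "Original")
NO_NAT_INTERNAL = nat_rule("no-NAT internal", (USER_NET_3, USER_NET_4), SERVER_NET, ANY, "Original", "Original")

def relayed_dhcp(rulebase):
    """DHCP relay traffic from the Interface 3 network to the DHCP server."""
    return evaluate(rulebase, ip_address("10.1.0.1"), DHCP_SERVER, "bootp")

def web_to_server(rulebase):
    """Ordinary traffic from the Interface 4 network to another host on the server network."""
    return evaluate(rulebase, ip_address("10.2.0.7"), ip_address("203.0.113.20"), "http")

if __name__ == "__main__":
    print(relayed_dhcp(AUTO_HIDE))                        # hidden behind HIDE_IP
    print(relayed_dhcp([NO_NAT_DHCP] + AUTO_HIDE))        # kept Original
    print(web_to_server([NO_NAT_DHCP] + AUTO_HIDE))       # still hidden: DHCP rule is too narrow
    print(web_to_server([NO_NAT_INTERNAL] + AUTO_HIDE))   # kept Original
```

The narrow bootp/bootpc rule only rescues the DHCP relay; a no-NAT rule keyed on the user networks and the server network covers every flow between those interfaces.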
| |||
mcnallym-

You are correct, we do have Auto Hide NAT rules for those networks applied, which does explain this behavior in your scenario. I should have also mentioned, however, that in our Meshed Community we have specified that NAT is disabled. Since in the topology I proposed earlier Interface 2 is inside our Community, wouldn't this no-NAT rule take precedence? Or does that Community rule only apply when the address is outside the local topology? That is what currently seems to happen; this would just be a confirmation.

Thanks for the quick replies!
eyunghans