| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| Hi, I am using R55P. I need to do a manual source NAT as my internal network conflicts with the remote vendor network. Here is the draft connection: Internal (10.0.0.X) - Checkpoint - External (192.168.0.X) - {Network Cloud} - Remote Vendor Network. My 10.0.0.X conflicts with the remote vendor network, and they asked me to SNAT the 10.0.0.X to 172.0.0.X. The question is, can I use manual NAT to do it? I tried to do it but I can't add the proxy ARP. Any idea? |
| |||
| Hi, yes, you can use manual NAT. Rather than adding proxy ARP entries on the firewall, add a route on the outside router for the NATted address pointing to the external interface of the firewall. Hope this helps. Regards, sebastan |
| |||
| Hi, this question may not be related to this thread, but I'm helpless to open a new thread, so I am asking my question here. I'm configuring CP - NGX - R65. Does anyone know how and why 2 NAT rules are created when a network object is enabled with NAT (static, hide behind gateway, or hide behind IP)? For example, under network objects -> networks -> add network --> testing, 192.168.0.0 mask 255.255.255.0 and NAT --> hide behind gateway. Now in SmartDashboard, 2 NAT rules are shown for the network object -> testing: NAT RULE 1 === 192.168.0.0 192.168.0.0 any original original original; NAT RULE 2 === 192.168.0.0 any any <hiden ip> original original. Could you please let me know how we can see all these installed NAT rules in MDS through some OPSEC client tools? (I'm trying to retrieve all the NAT rules through the OPSEC APIs, but I am not able to retrieve NAT RULE 1.) Please reply to me if you have any info. Thanks a lot! |
| |||
| The first rule for an automatic NAT rule is basically saying don't translate traffic destined for the same network, which is 192.168.0.0. The 2nd rule is saying NAT everything else as the firewall gateway IP. |
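
The two automatic rules described in the reply above, as an added example that is not part of the original thread and not Check Point code: a simplified first-match model of the NAT rule base in Python. The gateway address `203.0.113.1`, the sample hosts and all function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class NatRule:
    src: str                    # original source network, or "any"
    dst: str                    # original destination network, or "any"
    hide_behind: Optional[str]  # translated source IP; None means "Original"


def _matches(net: str, ip: str) -> bool:
    """True if ip falls inside net, or net is the wildcard "any"."""
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def translate_source(rules, src_ip, dst_ip):
    """Return (rule number, source IP after NAT); the first matching rule wins."""
    for number, rule in enumerate(rules, start=1):
        if _matches(rule.src, src_ip) and _matches(rule.dst, dst_ip):
            return number, rule.hide_behind or src_ip
    return None, src_ip  # no rule matched: the source is left untranslated


GATEWAY_IP = "203.0.113.1"  # constructed stand-in for the gateway's external IP

# The pair generated for network "testing" (192.168.0.0/24, hide behind gateway).
AUTO_RULES = [
    NatRule("192.168.0.0/24", "192.168.0.0/24", None),  # rule 1: no NAT inside the network
    NatRule("192.168.0.0/24", "any", GATEWAY_IP),       # rule 2: hide everything else
]

if __name__ == "__main__":
    # Constructed flows: intra-network, outbound, and the case where rule 1 is absent.
    print(translate_source(AUTO_RULES, "192.168.0.10", "192.168.0.20"))
    print(translate_source(AUTO_RULES, "192.168.0.10", "198.51.100.7"))
    print(translate_source(AUTO_RULES[1:], "192.168.0.10", "192.168.0.20"))
```

The last call shows why rule 1 matters when auditing an exported rule base: without it, traffic between hosts of the same network that crosses the gateway would also be hidden behind the gateway IP.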
| |||
| Yes, it is possible by adding an ARP entry in the Check Point firewall for the NATted address and the MAC address of the external interface. But generally people find it easier to add a route on the outside router for the NATted address pointing to the external interface of the firewall as the next hop. Regards, sebastan |
| |||
| >>>>>>The first rule for an automatic NAT rule is basically saying don't translate traffic destined for the same network, which is 192.168.0.0. The 2nd rule is saying NAT everything else as the firewall gateway IP. Now I understand the behavior of the first rule! 1. But when I install these NAT rules on the firewall, how do I make sure that this rule is pushed, and how many more rules are pushed, into the specific firewall? 2. I'm trying to get the NAT rules configured in Check Point MDS through the OPSEC library, and during that time rule 1 is not returned by Check Point. So it looks like a bug, or is there any insight on this from your side? Thanks a ton! |