CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Many to one NAT - Public to Internal

  1. #1
    Join Date: 2014-07-14
    Posts: 12

    Many to one NAT - Public to Internal

    Hi,

    I have several public addresses that I want to NAT to the same single internal IP.

    Basically, I need it to work like many-to-one, like hide NAT in reverse using PAT.

    I have tried setting up manual nat changing the destination address of the translated packet but this does not work.

    I'm not even sure if this is possible.

    Would appreciate any advice on how I can do this.

    Many Thanks

    Paul

  2. #2
    Join Date: 2005-11-25
    Location: United States, Southeast
    Posts: 857

    Re: Many to one NAT - Public to Internal

    If you know the source IP, then you can Hide NAT it.

    You can not Hide NAT 'Any' Source.


    OutsideIP/OutsideNetwork -> PublicServerIP -> Any ; InternalIP(Hide) -> PrivateServerIP (or Original) -> Original

    You'll need to local.arp (GAIA WebUI / ARP / Proxy ARP) the InternalIP, or if there is a router in between, route the InternalIP to the firewall directly.

    local.arp requires a change to Global Properties so the local.arp is read in during a policy install.

  3. #3
    Join Date: 2014-07-14
    Posts: 12

    Re: Many to one NAT - Public to Internal

    Thanks for your reply, apologies for not getting back sooner.

    Unfortunately, the source address would be any.

    Basically, we have 10 public addresses that we would like to NAT inbound to a single address of a security appliance in the DMZ of the firewall.

    Currently this is done on a Cisco router which is managed by us and sits in front of the Checkpoint. However, we have moved to a new service that has a managed router, so we now need to move the NAT across to the Checkpoint.

    Is there no way of doing this on the Check Point without having a static one-to-one NAT?


    Thanks

    Paul

  4. #4
    Join Date: 2007-06-04
    Posts: 3,314

    Re: Many to one NAT - Public to Internal

    You would configure Manual Static NAT Rules. Remember that when you specify Manual Rules you can specify a Service. Hide NAT is for translating the Source IP, not the Destination IP, so you would have to use Static NAT, as you need to translate the Destination inbound from the Internet.

    So it would look like:

    Inbound

    Source = Any, Dst = Public-IP-1, Srv = Any, xlateSrc = Original, xlateDst = Internal-IP-1, xlateSrv = Original
    Source = Any, Dst = Public-IP-2, Srv = Any, xlateSrc = Original, xlateDst = Internal-IP-1, xlateSrv = Original
    Source = Any, Dst = Public-IP-3, Srv = Any, xlateSrc = Original, xlateDst = Internal-IP-1, xlateSrv = Original

    That way inbound traffic arriving on the Public IPs is translated to the same Internal IP and the service port is not changed. As these are Manual NAT rules you would need to ensure that either A) the upstream router routes these Public IPs to your Check Point or B) the Check Point is configured for Proxy ARP to respond to the 10 Public IP addresses.

    Outbound

    Source = Internal-IP-1, Dst = Any, Srv = ftp, xlateSrc = Public-IP-1, xlateDst = Original, xlateSrv = Original
    Source = Internal-IP-1, Dst = Any, Srv = http, xlateSrc = Public-IP-2, xlateDst = Original, xlateSrv = Original
    Source = Internal-IP-1, Dst = Any, Srv = smtp, xlateSrc = Public-IP-3, xlateDst = Original, xlateSrv = Original

    For traffic initiated from your Internal Server, this would translate ftp to Public-IP-1, http to Public-IP-2, smtp to Public-IP-3, etc.

    However, it seems incredibly wasteful of IP addresses to do this. The Services for ALL 10 IPs would need to be different so that they could translate to a different Public IP; however, you could easily do this with a single Public IP as the Services don't overlap. It is possible, but I really don't see why you would need to do this.

    If two Public IPs offer the same service, then the Internal IP, as it is the same all the time, has to be able to distinguish between the traffic, which it won't be able to do based on IP address and Service Port as they would be the same, so using multiple public IPs makes no difference.
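As an added illustration of the rulebase mcnallym lays out above (this is my own Python model of first-match NAT evaluation, not code from the thread or from Check Point), the inbound many-to-one static rules and the per-service outbound rules are built from constructed RFC 5737 addresses (203.0.113.x public, 10.10.10.10 internal) and evaluated against sample packets; the helper also lists which public IPs the gateway must proxy-ARP for, and the rulebase semantics are simplified to the Original/Translated columns only.

```python
from dataclasses import dataclass

ANY = "Any"            # wildcard in the Original columns
ORIGINAL = "Original"  # "leave unchanged" in the Translated columns

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: int  # TCP destination port

@dataclass(frozen=True)
class NatRule:
    """One manual NAT rule: Original src/dst/service, then Translated src/dst/service."""
    orig_src: object
    orig_dst: object
    orig_srv: object
    xlate_src: object
    xlate_dst: object
    xlate_srv: object

def _matches(rule_field, value):
    return rule_field == ANY or rule_field == value

def _translate(rule_field, value):
    return value if rule_field == ORIGINAL else rule_field

def apply_nat(rules, pkt):
    """Manual NAT rules are evaluated top-down; the first match wins, later rules are ignored."""
    for r in rules:
        if (_matches(r.orig_src, pkt.src) and _matches(r.orig_dst, pkt.dst)
                and _matches(r.orig_srv, pkt.service)):
            return Packet(_translate(r.xlate_src, pkt.src), _translate(r.xlate_dst, pkt.dst),
                          _translate(r.xlate_srv, pkt.service))
    return pkt  # no rule matched: forwarded untranslated

def proxy_arp_targets(rules):
    """Public IPs the gateway must answer ARP for (local.arp / Proxy ARP) unless routed to it."""
    return {r.orig_dst for r in rules if r.orig_dst != ANY and r.xlate_dst != ORIGINAL}

# Constructed addresses (RFC 5737 documentation ranges), not taken from the thread.
PUBLIC = ["203.0.113.1", "203.0.113.2", "203.0.113.3"]
INTERNAL = "10.10.10.10"
FTP, SMTP, HTTP = 21, 25, 80
# Inbound: every public IP is statically translated to the same DMZ host, service unchanged.
INBOUND = [NatRule(ANY, pub, ANY, ORIGINAL, INTERNAL, ORIGINAL) for pub in PUBLIC]
# Outbound: the DMZ host gets a different public source address per service (ftp, http, smtp).
OUTBOUND = [NatRule(INTERNAL, ANY, srv, pub, ORIGINAL, ORIGINAL) for srv, pub in zip((FTP, HTTP, SMTP), PUBLIC)]
```

Evaluating two inbound packets that differ only in which public IP they hit yields identical packets at the server, which is the point made about why the extra addresses buy nothing.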

  5. #5
    Join Date: 2014-09-23
    Location: Austin, TX
    Posts: 136

    Re: Many to one NAT - Public to Internal

    I would concur with mcnallym. Why not just use one IP address and let external users access multiple application servers? The gateway can use the dst port to send the traffic to the correct server. For example: FTP server (port 21), SMTP server (port 25) and an HTTP server (port 80). Of course you will need to create manual NAT rules for the different services, but you'd have to do this anyway for each public address, so you may as well save IPs in the process.
