CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: NAT rule 0

  1. #1
    Join Date: 2006-12-11 | Posts: 15

    NAT rule 0

    Can anyone elaborate on the specifics behind "additional NAT rule 0"? Or point me to any docs concerning this? All my searches have turned up nothing on "NAT rule 0". Thanks,

  2. #2
    Join Date: 2007-04-10 | Location: India | Posts: 232

    Re: NAT rule 0

    According to me, NAT 0 specifies that you do not want to NAT the traffic.

  3. #3
    Join Date: 2006-09-26 | Posts: 3,194

    Re: NAT rule 0

    Seems like accesslimiter comes from a Cisco environment. NAT 0, identity NAT,
    NAT exemption, Port Address Translation (PAT), etc...

    Just one thing to keep in mind, Check Point will do:

    1- NAT
    2- Encrypt
    3- Route

    Cisco will do the following:

    1- NAT
    2- Route
    3- Encrypt

  4. #4
    Join Date: 2005-08-29 | Location: Upstate NY | Posts: 2,720

    Re: NAT rule 0

    Quote Originally Posted by cciesec2006:
        Just one thing to keep in mind, Check Point will do:

        1- NAT
        2- Encrypt
        3- Route

    True for "Domain Based VPN"; for "Route Based VPN", 2 and 3 are switched.

  5. #5
    Join Date: 2006-12-11 | Posts: 15

    Re: NAT rule 0

    No, I am pretty much a CP guy, 9 years and running. CP logs will show you NAT rule 0 entries and I am trying to figure out what circumstances would cause a NAT rule 0; no docs that I can find on this. I do see this with VPN routing and when selecting within a community not to NAT between encryption domains. I also see this with no VPN; recently I ran into a case where a routing mistake was throwing up the "additional NAT rule 0".

  6. #6
    Join Date: 2010-08-10 | Posts: 6

    Re: NAT rule 0

    4 years after the beginning of this thread, and I am finding there is still a lack of info on "NAT Rule 0".

    I have a customer whose VPN works fine, except that traffic originating from the remote side is hide NATed with NAT rule 0 behind a completely arbitrary address. So the return packets never even return to the firewall.

    i.e. inbound packet ( src 10.6.0.100 dst 10.2.0.3 )
    is NATed by rule 0 to ( src 10.2.0.8 dst 10.2.0.3 ) and the firewall's IP on the subnet is 10.2.0.254,
    so the return packets are sent to 10.2.0.8, which is a computer in the internal network. (What use is that?)

    I have checked all the settings I can humanly think of. Disable NAT inside VPN community. Check!
    No NAT rules between the two networks. Check!

    But I cannot find a snifter on how to tell Check Point to stuff its "NAT Rule 0" somewhere where it can never bother anyone again.

    Any hint anyone?

    Thanks
    Wirefall

  7. #7
    Join Date: 2006-02-09 | Location: Charleston, SC | Posts: 1,172

    Re: NAT rule 0

    Quote Originally Posted by WireFall:
        4 years after the beginning of this thread, and I am finding there is still a lack of info on "NAT Rule 0".

    Yeah, sad isn't it... and I know the OP personally. I credit him for my success in learning about CP products nearly 100% as my sensei. So if he's still been unable to obtain this info, I fear for the rest of us.
    There's no place like 127.0.0.1

  8. #8
    Join Date: 2010-10-11 | Posts: 20

    Re: NAT rule 0

    Quote Originally Posted by cciesec2006:
        Seems like accesslimiter comes from a Cisco environment. NAT 0, identity NAT,
        NAT exemption, Port Address Translation (PAT), etc...

        Just one thing to keep in mind, Check Point will do:

        1- NAT
        2- Encrypt
        3- Route

        Cisco will do the following:

        1- NAT
        2- Route
        3- Encrypt

    Cisco will not NAT before it routes (if you are talking about Inside to Outside).

    Also, Check Point should route before it NATs as well.

    Check Point will check to see if the packet is part of an established connection, check IP options, perform anti-spoofing, check properties and the rulebase, and then the OS routes the packet.

  9. #9
    Join Date: 2006-04-27 | Location: Twilight zone | Posts: 1,010

    Re: NAT rule 0

    FWIW, I checked on a couple of systems and NAT rule number 0 for me occurs only for traffic related to implied rules (depending on setup: ICMP, FW-1 related services, etc.).
    As previously stated, no actual NAT is taking place.

  10. #10
    Join Date: 2010-10-11 | Posts: 20

    Re: NAT rule 0

    I'm not sure I understand the question;

    Check Point doesn't have any implied NAT rules. NAT 0 (aka NAT exemption) is Cisco terminology. So when you say your NAT 0 rule applies to.. x.. then this would depend on where you configured it in the rulebase; most of the time this is a local LAN subnet to a local LAN subnet and is put at the end of the rule list.

    Most likely what you are seeing is that there is no actual translation configured for the traffic going through the firewall for the stuff hitting your implied security rules.. but this would likely be the cluster members to a multicast address and the MGR to all Check Point installs on CPRID.

    It just sounds like this is working as expected, but please, if you can, clarify the issue.

  11. #11
    Join Date: 2005-11-25 | Location: United States, Southeast | Posts: 857

    Re: NAT rule 0

    The only NAT Rule 0 I'm aware of is inbound/outbound for clusters.

    For example, a connection initiated from a cluster member will be NAT'd behind the cluster IP.
    A connection initiated to a cluster IP will be NAT'd to the member's physical IP.

    You can observe this by attempting a DNS lookup from a standby HA ClusterXL member. The request will time out, because the DNS server saw the packet source IP was the cluster IP, which was, of course, routed back to the active member.

  12. #12
    Join Date: 2005-08-11 | Location: San Francisco, CA | Posts: 1,395

    Re: NAT rule 0

    There is at least one additional "secret NAT rule" that I discovered a couple of years ago. Some (all?) SIC connections transiting a gateway get automatic hide NAT behind the gateway's IP address. I suspect this was added in to prevent some technical support calls.
    Barry J. Stiefel ("Stee-ful" or "Shtee-ful")
    B.S., MBA, CCSA/CCSE/CCSE+/CCSI
    Resilience RCSE/RCSI, Fortinet FCSE
    CISSP, MCSE, NSA ISM
    Founder of CPUG
    Founder of CPUG University

  13. #13
    Join Date: 2013-06-28 | Posts: 1

    Re: NAT rule 0

    This is an implied rule.

    Check if Gateway properties > NAT "Hide internal networks behind the Gateway's external IP" is enabled.
    Everton Vieira
    CCNP, CCSE
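    Several replies above describe what a NAT rule 0 entry can mean in practice: nothing was translated at all (post #9), a cluster member was hidden behind the cluster IP or a cluster IP was mapped to a member (post #11), SIC or internal traffic was hidden behind the gateway's own address (posts #12 and #13), or, as in post #6, the source was rewritten to an address the firewall does not own, so replies go to a LAN host instead. The script below is an added example written for this thread, not code from CPUG or from Check Point: it reads constructed log lines in a key=value layout loosely modelled on Check Point log exports (the field names `NAT_rulenum`, `NAT_addtnl_rulenum`, `xlatesrc` and `xlatedst`, and the gateway, cluster and network addresses, are assumptions for the example; 10.6.0.100, 10.2.0.3, 10.2.0.8 and 10.2.0.254 are the addresses quoted in post #6), keeps only the rule 0 entries, and labels each one by what was actually rewritten, so the entries that match a known cause can be set aside and the ones that do not (the post #6 case) are listed for investigation.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a key=value layout modelled on Check Point log
# exports. The field names and every address here are assumptions for the
# example, except 10.6.0.100, 10.2.0.3, 10.2.0.8 and 10.2.0.254, which are the
# addresses quoted in post #6 of the thread.
SAMPLE_LOG = """\
time=10:01:02 action=accept src=10.2.0.254 dst=224.0.0.18 proto=112 NAT_rulenum=0 NAT_addtnl_rulenum=0 xlatesrc= xlatedst=
time=10:01:03 action=accept src=10.2.0.254 dst=192.0.2.10 proto=udp service=53 NAT_rulenum=0 NAT_addtnl_rulenum=0 xlatesrc=10.2.0.250 xlatedst=
time=10:01:04 action=accept src=192.0.2.10 dst=10.2.0.250 proto=udp service=53 NAT_rulenum=0 NAT_addtnl_rulenum=0 xlatesrc= xlatedst=10.2.0.254
time=10:01:05 action=encrypt src=10.6.0.100 dst=10.2.0.3 proto=tcp service=445 NAT_rulenum=0 NAT_addtnl_rulenum=0 xlatesrc=10.2.0.8 xlatedst=
time=10:01:06 action=accept src=10.2.0.20 dst=198.51.100.5 proto=tcp service=443 NAT_rulenum=12 NAT_addtnl_rulenum=0 xlatesrc=203.0.113.1 xlatedst=
"""

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Turn one 'key=value key=value' log line into a dict; empty values are kept."""
    return dict(KV_RE.findall(line))


def nat_rule_zero_entries(log_text):
    """Keep only the entries the gateway attributed to NAT rule 0."""
    entries = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [e for e in entries if e.get("NAT_rulenum") == "0"]


def classify(entry, gateway_addrs, cluster_vips, local_nets):
    """Label one NAT-rule-0 entry by what, if anything, was actually rewritten.

    gateway_addrs: addresses the gateway/cluster legitimately owns (members + VIPs)
    cluster_vips:  the cluster virtual IPs (a subset of gateway_addrs)
    local_nets:    ipaddress.ip_network objects for directly connected subnets
    """
    src, dst = entry.get("src", ""), entry.get("dst", "")
    xsrc, xdst = entry.get("xlatesrc", ""), entry.get("xlatedst", "")
    if xsrc and xsrc != src:
        if xsrc in gateway_addrs:
            return "hide-behind-gateway"            # posts #11/#12/#13: expected
        try:
            addr = ipaddress.ip_address(xsrc)
        except ValueError:
            return "malformed-translation"
        if any(addr in net for net in local_nets):
            return "hide-behind-lan-host"           # post #6: replies go to a LAN host
        return "hide-behind-unexpected-address"
    if xdst and xdst != dst:
        if dst in cluster_vips and xdst in gateway_addrs:
            return "cluster-vip-to-member"          # post #11: expected
        return "unexpected-destination-translation"
    return "no-translation"                         # post #9: rule 0 logged, nothing changed


EXPECTED = {"hide-behind-gateway", "cluster-vip-to-member", "no-translation"}


def triage(log_text, gateway_addrs, cluster_vips, local_nets):
    """Return (label counts, entries whose rule-0 translation has no known cause)."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    counts = Counter()
    unexplained = []
    for e in nat_rule_zero_entries(log_text):
        label = classify(e, gateway_addrs, cluster_vips, nets)
        counts[label] += 1
        if label not in EXPECTED:
            unexplained.append((label, e.get("src"), e.get("dst"),
                                e.get("xlatesrc") or e.get("xlatedst")))
    return counts, unexplained


if __name__ == "__main__":
    # Assumed topology: 10.2.0.254 is the member IP, 10.2.0.250 the cluster VIP.
    gateway = {"10.2.0.254", "10.2.0.250"}
    counts, unexplained = triage(SAMPLE_LOG, gateway, {"10.2.0.250"}, ["10.2.0.0/24"])
    print(dict(counts))
    for row in unexplained:
        print("investigate:", row)
```

    On the sample above, the multicast, cluster-hide and VIP-to-member entries are labelled as expected, and only the post #6 line is reported: its source was hidden behind 10.2.0.8, an address inside the connected subnet that the gateway does not own, which is exactly why the return traffic ends up at an internal host. Adjust `gateway_addrs`, `cluster_vips` and `local_nets` to the environment being checked.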

  14. #14
    Join Date: 2011-08-02 | Location: http://spikefishsolutions.com | Posts: 1,659

    Re: NAT rule 0

    Coral, look out! WALKERS!
