Thursday, January 27, 2011

Checkpoint UTM Firewall Clusters Part 3 - Overloading NAT and PAT, Proxy Arp

   In this instance, we're going to cover a 1 to 1 NAT (a bi-NAT) and an overload of a single port for the same address. Refer to the first part in this series to get a better idea of the topology:
Checkpoint UTM Firewall Clusters Part 1

In this case, we have a web host ( and an SSH server ( in the DMZ. We want to create a 1 to 1 NAT (outside address 10.10.80) for the web host, but we also want port 3322 on the outside address to NAT to port 22 on the SSH server. Here's a diagram:

You will note that I left out some of the infrastructure in this drawing - simply for clarity.
    Anyway, we should create a host node for the web server, set up the NAT, and then create the NAT rule to override port 3322 on the same external address.

1. Create the node:

2. Now, set the NAT on external address

3. Now, create an override rule for the SSH server (we just created a node for the external address, the internal ssh address, as well as a new TCP object - port 3322):
 Here's the override:

4. We'll follow up by adding a rule to allow traffic in on the firewall. This requires 1 rule:

That's basically it. If you do not have a static entry, but have a bunch of PATs, you'll notice that the firewall will not automatically proxy arp for the external address. This can be fixed by using the method above for a single 1 to 1  NAT or by editing local.arp on each firewall. This file is in $FWDIR.

No comments: