Posts Tagged ‘nat’

Hide NAT with Any as a Source in Checkpoint

Thursday, April 4th, 2013

Adding a hide NAT rule with Any as the Source is not possible in Checkpoint (at least as of R71.30). The rule below is rejected during policy verification:

[Screenshot: manual hide NAT rule with Any in the Source column]

Error:

  Verifier warnings: Invalid <Any> in Source of Address Translation Rule. <Any> is valid only if the matching Translated column is <Original>.

which is a shame, since hiding whatever leaves towards a given destination, regardless of where it came from, is a perfectly reasonable requirement in asymmetric routing environments.

The fix (call it a "hack") is to create two network objects, 0.0.0.0 with netmask 128.0.0.0 and 128.0.0.0 with netmask 128.0.0.0 (i.e. 0.0.0.0/1 and 128.0.0.0/1), put them in a group and use that group as the Source. The policy then verifies and installs without errors, and the Source is still effectively "Any", because the two halves together cover every possible IPv4 address. Since the verifier check is being sidestepped rather than satisfied, place this rule at the bottom of the NAT rulebase so that more specific translations and no-NAT rules still match first.

According to sk21751 this is by design. The SK does not explain the reasoning; performance is one guess, since such a rule could require maintaining a very large translation table.

Selective NAT with iptables

Thursday, January 6th, 2011

Here is a quick note on how to exclude one particular destination network from NAT while everything else stays NATed. Done on Ubuntu with iptables.

  iptables -t nat -A POSTROUTING -o eth0 ! -d 10.0.0.0/8 -j MASQUERADE

If a second network must be excluded as well, add a RETURN rule for it before the MASQUERADE rule. The nat POSTROUTING chain is first-match, and RETURN in a built-in chain hands the packet to the chain policy (ACCEPT), so traffic to that network leaves untranslated:

  iptables -t nat -A POSTROUTING -o eth0 -d 192.168.0.0/16 -j RETURN
  iptables -t nat -A POSTROUTING -o eth0 ! -d 10.0.0.0/8 -j MASQUERADE
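The following is an added example, not code from either post above, that ties the two notes together: it builds the Checkpoint-style "network/netmask" objects that stand in for Any (the two /1 halves, or finer splits), checks that a set of objects really covers the whole IPv4 space, computes the explicit complement of one or more excluded networks (the object-based equivalent of "Any except X"), and emits the ordered iptables POSTROUTING rules for masquerading everything except those networks. The interface name eth0 and the excluded prefixes are assumptions for illustration.

```python
"""
Added example (not from the original posts): "Any" as explicit network
objects, coverage checks, complements, and the matching iptables rules.
Interface names and prefixes used below are assumptions for illustration.
"""
from ipaddress import IPv4Network, collapse_addresses

ANY_V4 = IPv4Network("0.0.0.0/0")


def split_any(parts: int = 2) -> list[str]:
    """Return 'Any' as Checkpoint-style 'network/netmask' object strings.

    parts must be a power of two >= 2. parts=2 gives the two halves used in
    the post: 0.0.0.0/128.0.0.0 and 128.0.0.0/128.0.0.0.
    """
    if parts < 2 or parts & (parts - 1):
        raise ValueError("parts must be a power of two >= 2")
    prefixlen = parts.bit_length() - 1          # 2 -> /1, 4 -> /2, 8 -> /3
    return [n.with_netmask for n in ANY_V4.subnets(new_prefix=prefixlen)]


def covers_all(objects: list[str]) -> bool:
    """True if the given objects together include every IPv4 address.

    Accepts CIDR ('0.0.0.0/1') or 'network/netmask' ('0.0.0.0/128.0.0.0');
    IPv4Network parses both. collapse_addresses merges adjacent blocks, so
    two /1 halves collapse back to 0.0.0.0/0.
    """
    nets = [IPv4Network(o) for o in objects]
    return list(collapse_addresses(nets)) == [ANY_V4]


def any_except(excluded: list[str]) -> list[IPv4Network]:
    """Minimal list of networks covering every address NOT in `excluded`.

    Checkpoint has no 'Any except X' object, so a rule that must not touch
    certain networks can use a group built from this list instead.
    """
    remaining = [ANY_V4]
    for ex in map(IPv4Network, excluded):
        nxt = []
        for net in remaining:
            if ex.subnet_of(net):                 # carve the hole out
                nxt.extend(net.address_exclude(ex))
            elif not net.overlaps(ex):            # untouched, keep it
                nxt.append(net)
            # net lies entirely inside ex: dropped
        remaining = nxt
    return sorted(collapse_addresses(remaining))


def iptables_masquerade_rules(out_if: str, excluded: list[str]) -> list[str]:
    """iptables nat/POSTROUTING rules: masquerade everything leaving out_if
    except traffic to the excluded destination networks.

    nat POSTROUTING is first-match and RETURN in a built-in chain falls
    through to the chain policy (ACCEPT, i.e. no translation), so every
    RETURN rule must be appended before the final MASQUERADE rule.
    """
    rules = [
        f"iptables -t nat -A POSTROUTING -o {out_if} -d {IPv4Network(ex)} -j RETURN"
        for ex in excluded
    ]
    rules.append(f"iptables -t nat -A POSTROUTING -o {out_if} -j MASQUERADE")
    return rules


if __name__ == "__main__":
    # Assumed inputs: RFC 1918 ranges excluded, upstream interface eth0.
    print("Any as Checkpoint objects:", split_any())
    print("covers all IPv4:", covers_all(split_any()))
    for net in any_except(["10.0.0.0/8", "192.168.0.0/16"]):
        print("Any except RFC1918 part:", net)
    for rule in iptables_masquerade_rules("eth0", ["192.168.0.0/16", "10.0.0.0/8"]):
        print(rule)
```

With all exclusions expressed as RETURN rules, the closing MASQUERADE rule no longer needs the `! -d` negation from the post; keeping the negation as well does no harm, it is simply redundant once the RETURN rule is in place.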

Routing networks differently on a multihomed Cisco router with NAT

Monday, July 21st, 2008
  • Cisco 3745 with three network interfaces: one Serial (SER0/0) and two FastEthernet (ETH0/0, ETH0/1)
  • Provider A — primary ISP providing satellite link (SER0/0).
  • Provider B — secondary ISP with fiber link (ETH0/0).
  • Site X — our LAN (ETH0/1)

(more…)