Checkpoint Firewall NG hairpin NAT


See this article for NAT configuration.

Hairpin NAT configuration:

The above (see the NAT howto) all works very well if your 192.168.1.x hosts sit in a DMZ on the firewall.

However, if you want to direct traffic to a host on the LAN segment, you need some additional NAT rule trickery.

You need to create a so-called ‘hairpin’ NAT rule:

NAT rules:

1) Do not translate between these networks: (Address translation tab)

[Screenshot: Checkpoint do not translate rules]

2) Hairpin NAT (Address translation tab)

[Screenshot: Checkpoint Hairpin NAT]

3) Inbound NAT rules (Address translation tab)

[Screenshot: Checkpoint Inbound NAT]

4) Hide NAT rules: (Address translation tab)

[Screenshot: Checkpoint hide NAT]

5) Inbound rules: (Security tab)

[Screenshot: Checkpoint inbound rules]
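Why the LAN case needs the extra rule, as an added example (a generic packet trace in Python, not Check Point configuration and not taken from this article). The addresses are constructed, and it assumes the hairpin rule hides the LAN client behind the firewall's LAN-side address, which is the usual hairpin construction.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing (assumptions, not from the article):
LAN = ip_network("192.168.1.0/24")
FW_LAN_IP = "192.168.1.1"      # firewall's LAN-side address
PUBLIC_IP = "203.0.113.10"     # published address of the service
SERVER_IP = "192.168.1.20"     # real server on the LAN segment


def firewall_translate(src, dst, hairpin):
    """NAT applied to a packet arriving at the firewall; returns (src, dst)."""
    if dst != PUBLIC_IP:
        return src, dst
    if hairpin and ip_address(src) in LAN:
        # Hairpin rule: translate the destination AND hide the LAN client
        # behind the firewall, so the reply has to come back through it.
        return FW_LAN_IP, SERVER_IP
    # Plain inbound rule: destination translation only.
    return src, SERVER_IP


def connect(client, hairpin):
    """Trace a client dialling PUBLIC_IP; returns (accepted, reply_source)."""
    src, dst = firewall_translate(client, PUBLIC_IP, hairpin)
    # The server answers whatever source address it saw.
    reply_src, reply_dst = dst, src
    if reply_dst == FW_LAN_IP:
        # Reply lands on the firewall, which reverses both translations.
        reply_src = PUBLIC_IP
    elif ip_address(reply_dst) in LAN:
        # Same subnet: delivered directly on the LAN, the firewall never
        # sees it, so the source is still the server's real address.
        pass
    else:
        # Off-LAN client: reply routes via the firewall, NAT is reversed.
        reply_src = PUBLIC_IP
    # The client only accepts a reply from the address it connected to.
    return reply_src == PUBLIC_IP, reply_src


if __name__ == "__main__":
    for client, hp in [("198.51.100.7", False),
                       ("192.168.1.50", False),
                       ("192.168.1.50", True)]:
        ok, seen = connect(client, hp)
        print(f"client={client} hairpin={hp} reply_from={seen} accepted={ok}")
```

Under this assumption the server logs the firewall's LAN address, not the real client, as the source of hairpinned connections, which matters for any per-client access control or audit trail on the server.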