Support Center > Search Results > SecureKnowledge Details
How to configure NAT Loopback (Hairpin NAT / NAT Reflection) on Check Point Security Gateway
Solution

Table of Contents:

  • Background
  • Introduction to NAT Loopback
  • How to configure NAT Loopback

 

Background

This article describes how to set up NAT Loopback (also called Hairpin NAT, or NAT Reflection) on a Check Point Security Gateway.

This configuration has been tested and approved for Gaia OS R76 / R77 and above, but should work on lower Gaia OS versions, as well.

 

Introduction to NAT Loopback (Hairpin NAT / NAT Reflection)

(1) Consider the following network topology (based on http://wiki.mikrotik.com/wiki/Hairpin_NAT):

where:

Device IP Address Description
Client #1 2.2.2.2 Client that connects from the public network to the Web Server at its Public IP address 1.1.1.1.
Security Gateway 1.1.1.1 (public)
192.168.1.1 (private)
Performs NAT for Web Server - hides the Web Server's private IP address behind the public IP address.
Switch --- Connects devices on the internal network to the Security Gateway.
Web Server 192.168.1.2 Serves the data requested by the Clients.
Server is NATed behind the Security Gateway.
Client #2 192.168.1.10 Client that connects from the internal network to the Web Server at its Public IP address 1.1.1.1.

(2) Connection flow from Client #1 on public network to the Web Server:

  1. Client #1 sends a request packet with a Source IP address 2.2.2.2 to a Destination IP address 1.1.1.1 (on TCP port 80) to request some web resource:

    Source / Destination IP Address
    Source IP address 2.2.2.2
    Destination IP address 1.1.1.1
  2. The Security Gateway performs NAT on the packet and changes the Destination IP address from 1.1.1.1 to Web Server's private IP address 192.168.1.2 (the source IP address 2.2.2.2 is not changed):

    Source / Destination IP Address
    Before NAT
    IP Address
    After NAT
    Source IP address 2.2.2.2 2.2.2.2
    Destination IP address 1.1.1.1 192.168.1.2
  3. The Web Server sends a reply packet with a Source IP address 192.168.1.2 to a Destination IP address 2.2.2.2:

    Source / Destination IP Address
    Source IP address 192.168.1.2
    Destination IP address 2.2.2.2
  4. The Security Gateway determines that the packet is part of a previous connection and performs NAT on the packet to change the Source IP address from Web Server's private IP address 192.168.1.2 to its public IP address 1.1.1.1 (the destination IP address 2.2.2.2 is not changed):

    Source / Destination IP Address
    Before NAT
    IP Address
    After NAT
    Source IP address 192.168.1.2 1.1.1.1
    Destination IP address 2.2.2.2 2.2.2.2
  5. Client #1 receives the reply packet it expects, and the connection is established.

The following NAT rules will perform the required NAT:

  • In SmartConsole R80 and above:

    No. Original
    Source
    Original
    Destination
    Original
    Services
    Translated
    Source
    Translated
    Destination
    Translated
    Services
    Install On
    1 Host object
    with
    Client #1's
    Public IP
    2.2.2.2
    Host object
    with
    Web Server's
    Public IP
    1.1.1.1
    http Host object
    with
    Security
    Gateway's
    Private IP
    192.168.1.1
    Host object
    with
    Web Server's
    Private IP
    192.168.1.2
    = Original Security
    Gateway
    object
    2 Host object
    with
    Web Server's
    Private IP
    192.168.1.2
    Host object
    with
    Client #1's
    Public IP
    2.2.2.2
    http Host object
    with
    Web Server's
    Public IP
    1.1.1.1
    = Original = Original Security
    Gateway
    object
  • In SmartDashboard R77.X and lower:

    No. Original Packet Translated Packet Install On
    Source Destination Service Source Destination Service
    1 Host object
    with
    Client #1's
    Public IP
    2.2.2.2
    Host object
    with
    Web Server's
    Public IP
    1.1.1.1
    http Host object
    with
    Client #1's
    Public IP
    2.2.2.2
    Host object
    with
    Web Server's
    Private IP
    192.168.1.2
    = Original Security
    Gateway
    object
    2 Host object
    with
    Web Server's
    Private IP
    192.168.1.2
    Host object
    with
    Client #1's
    Public IP
    2.2.2.2
    http Host object
    with
    Web Server's
    Public IP
    1.1.1.1
    = Original = Original Security
    Gateway
    object

(3) Connection flow from Client #2 on internal network to the Web Server:

  1. Client #2 sends a request packet with a Source IP address 192.168.1.10 to a Destination IP address 1.1.1.1 (on TCP port 80) to request some web resource:

    Source / Destination IP Address
    Source IP address 192.168.1.10
    Destination IP address 1.1.1.1
    Since the Destination IP address 1.1.1.1 is not on a directly connected network, Client #2 sends the request to its Default Gateway - the Security Gateway.
  2. The Security Gateway performs NAT on the packet and changes the Destination IP address from 1.1.1.1 to Web Server's private IP address 192.168.1.2 (the source IP address 192.168.1.10 is not changed):

    IP Address IP Address
    Before NAT
    IP Address
    After NAT
    Source IP address 192.168.1.10 192.168.1.10
    Destination IP address 1.1.1.1 192.168.1.2
  3. The Web Server creates a reply packet with a Source IP address 192.168.1.2 and Destination IP address 192.168.1.10:

    Source / Destination IP Address
    Source IP address 192.168.1.2
    Destination IP address 192.168.1.10
    Since the Destination IP address 192.168.1.10 is on a directly connected network, the Web Server does not send the reply packet back to the Security Gateway, but sends it back directly to Client #2.
  4. Client #2 receives the reply packet, but discards it because it expects a packet back from IP address 1.1.1.1, and not from IP address 192.168.1.2.

    As far as the client is concerned, the reply packet is invalid and not related to any connection the client previously attempted to establish.

 

How to configure NAT Loopback (Hairpin NAT / NAT Reflection)

To resolve the issue with the traffic flow between Client #2 on an internal network and the Web Server, an additional NAT rule needs to be added on the Security Gateway to perform NAT on this traffic as on the traffic between Client #1 on the public network and the Web Server.

The following NAT rules will perform the required NAT:

  • In SmartConsole R80 and above:

    No. Original
    Source
    Original
    Destination
    Original
    Services
    Translated
    Source
    Translated
    Destination
    Translated
    Services
    Install On
    3 Host object
    with
    Client #2's
    Private IP
    192.168.1.10
    Host object
    with
    Web Server's
    Public IP
    1.1.1.1
    http Host object
    with
    Security
    Gateway's
    Private IP
    192.168.1.1
    Host object
    with
    Web Server's
    Private IP
    192.168.1.2
    = Original Security
    Gateway
    object
    4 Host object
    with
    Web Server's
    Private IP
    192.168.1.2
    Host object
    with
    Client #2's
    Private IP
    192.168.1.10
    http Host object
    with
    Web Server's
    Public IP
    1.1.1.1
    = Original = Original Security
    Gateway
    object
  • In SmartDashboard R77.X and lower:

    No. Original Packet Translated Packet Install On
    Source Destination Service Source Destination Service
    3 Host object
    with
    Client #2's
    Private IP
    192.168.1.10
    Host object
    with
    Web Server's
    Public IP
    1.1.1.1
    http Host object
    with
    Security Gateway's
    Private IP
    192.168.1.1
    Host object
    with
    Web Server's
    Private IP
    192.168.1.2
    = Original Security
    Gateway
    object
    4 Host object
    with
    Web Server's
    Private IP
    192.168.1.2
    Host object
    with
    Client #2's
    Private IP
    192.168.1.10
    http Host object
    with
    Web Server's
    Public IP
    1.1.1.1
    = Original = Original Security
    Gateway
    object

This is called - among other terms - Hairpin NAT because the traffic flow from internal clients enters and leaves the Security Gateway through the same interface, which when drawn looks like a hair pin.

 

We can combine and simplify all the above NAT rules for both Clients:

  • In SmartConsole R80 and above:

    No. Original
    Source
    Original
    Destination
    Original
    Services
    Translated
    Source
    Translated
    Destination
    Translated
    Services
    Install On
    1 Host object
    with
    Client #1's
    Public IP
    2.2.2.2
    Host object
    with
    Web Server's
    Public IP
    1.1.1.1
    http Host object
    with
    Client #1's
    Public IP
    2.2.2.2
    Host object
    with
    Web Server's
    Private IP
    192.168.1.2
    = Original Security
    Gateway
    object
    2 Host object
    with
    Client #2's
    Private IP
    192.168.1.10
    Host object
    with
    Web Server's
    Public IP
    1.1.1.1
    http Host object
    with
    Security
    Gateway's
    Private IP
    192.168.1.1
    Host object
    with
    Web Server's
    Private IP
    192.168.1.2
    = Original Security
    Gateway
    object
    3 Host object
    with
    Web Server's
    Private IP
    192.168.1.2
    * Any http Host object
    with
    Web Server's
    Public IP
    1.1.1.1
    = Original = Original Security
    Gateway
    object
  • In SmartDashboard R77.X and lower:

    No. Original Packet Translated Packet Install On
    Source Destination Service Source Destination Service
    1 Host object
    with
    Client #1's
    Public IP
    2.2.2.2
    Host object
    with
    Web Server's
    Public IP
    1.1.1.1
    http Host object
    with
    Client #1's
    Public IP
    2.2.2.2
    Host object
    with
    Web Server's
    Private IP
    192.168.1.2
    = Original Security
    Gateway
    object
    2 Host object
    with
    Client #2's
    Private IP
    192.168.1.10
    Host object
    with
    Web Server's
    Public IP
    1.1.1.1
    http Host object
    with
    Client #2's
    Private IP
    192.168.1.10
    Host object
    with
    Web Server's
    Private IP
    192.168.1.2
    = Original Security
    Gateway
    object
    3 Host object
    with
    Web Server's
    Private IP
    192.168.1.2
    Any http Host object
    with
    Web Server's
    Public IP
    1.1.1.1
    = Original = Original Security
    Gateway
    object

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment