How to configure NAT Loopback (Hairpin NAT / NAT Reflection) on Check Point Security Gateway

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk110019
Technical Level
Product	Quantum Security Gateways, ClusterXL, Cluster - 3rd-party, VSX
Version	R80.40, R81, R81.10, R81.20
Platform / Model	All
Date Created	16-Oct-2016
Last Modified	20-Dec-2022

Solution

Table of Contents:

Background
Introduction to NAT Loopback
How to configure NAT Loopback

Background

This article describes how to set up NAT Loopback (also called Hairpin NAT, or NAT Reflection) on a Check Point Security Gateway.

This configuration has been tested and approved for Gaia OS R76 / R77 and higher, but should work on lower Gaia OS versions, as well.

Introduction to NAT Loopback (Hairpin NAT / NAT Reflection)

(1) Consider the following network topology (based on http://wiki.mikrotik.com/wiki/Hairpin_NAT):

where:

Device IP Address Description

Client #1 2.2.2.2 Client that connects from the public network to the Web Server at its Public IP address 1.1.1.1.

Security Gateway 1.1.1.1 (public)
192.168.1.1 (private) Performs NAT for Web Server - hides the Web Server's private IP address behind the public IP address.

Switch --- Connects devices on the internal network to the Security Gateway.

Web Server 192.168.1.2 Serves the data requested by the Clients.
Server is NATed behind the Security Gateway.

Client #2 192.168.1.10 Client that connects from the internal network to the Web Server at its Public IP address 1.1.1.1.

(2) Connection flow from Client #1 on public network to the Web Server:

Client #1 sends a request packet with a Source IP address 2.2.2.2 to a Destination IP address 1.1.1.1 (on TCP port 80) to request some web resource:

Source / Destination IP Address

Source IP address 2.2.2.2

Destination IP address 1.1.1.1
The Security Gateway performs NAT on the packet and changes the Destination IP address from 1.1.1.1 to Web Server's private IP address 192.168.1.2 (the source IP address 2.2.2.2 is not changed):

Source / Destination IP Address
Before NAT IP Address
After NAT

Source IP address 2.2.2.2 2.2.2.2

Destination IP address 1.1.1.1 192.168.1.2
The Web Server sends a reply packet with a Source IP address 192.168.1.2 to a Destination IP address 2.2.2.2:

Source / Destination IP Address

Source IP address 192.168.1.2

Destination IP address 2.2.2.2
The Security Gateway determines that the packet is part of a previous connection and performs NAT on the packet to change the Source IP address from Web Server's private IP address 192.168.1.2 to its public IP address 1.1.1.1 (the destination IP address 2.2.2.2 is not changed):

Source / Destination IP Address
Before NAT IP Address
After NAT

Source IP address 192.168.1.2 1.1.1.1

Destination IP address 2.2.2.2 2.2.2.2
Client #1 receives the reply packet it expects, and the connection is established.

The following NAT rules will perform the required NAT:

In SmartConsole R80 and higher:

No.	Original Source	Original Destination	Original Services	Translated Source	Translated Destination	Translated Services	Install On
1	Host object with Client #1's Public IP 2.2.2.2	Host object with Web Server's Public IP 1.1.1.1	`http`	Host object with Client #1's Public IP 2.2.2.2	Host object with Web Server's Private IP 192.168.1.2	`= Original`	Security Gateway object
2	Host object with Web Server's Private IP 192.168.1.2	Host object with Client #1's Public IP 2.2.2.2	`http`	Host object with Web Server's Public IP 1.1.1.1	`= Original`	`= Original`	Security Gateway object

In SmartDashboard R77.X and lower:

No.	Original Packet			Translated Packet			Install On
No.	Source	Destination	Service	Source	Destination	Service	Install On
1	Host object with Client #1's Public IP 2.2.2.2	Host object with Web Server's Public IP 1.1.1.1	`http`	Host object with Client #1's Public IP 2.2.2.2	Host object with Web Server's Private IP 192.168.1.2	`= Original`	Security Gateway object
2	Host object with Web Server's Private IP 192.168.1.2	Host object with Client #1's Public IP 2.2.2.2	`http`	Host object with Web Server's Public IP 1.1.1.1	`= Original`	`= Original`	Security Gateway object

(3) Connection flow from Client #2 on internal network to the Web Server:

Client #2 sends a request packet with a Source IP address 192.168.1.10 to a Destination IP address 1.1.1.1 (on TCP port 80) to request some web resource:

Source / Destination IP Address

Source IP address 192.168.1.10

Destination IP address 1.1.1.1

Since the Destination IP address 1.1.1.1 is not on a directly connected network, Client #2 sends the request to its Default Gateway - the Security Gateway.
The Security Gateway performs NAT on the packet and changes the Destination IP address from 1.1.1.1 to Web Server's private IP address 192.168.1.2 (the source IP address 192.168.1.10 is not changed):

IP Address IP Address
Before NAT IP Address
After NAT

Source IP address 192.168.1.10 192.168.1.10

Destination IP address 1.1.1.1 192.168.1.2
The Web Server creates a reply packet with a Source IP address 192.168.1.2 and Destination IP address 192.168.1.10:

Source / Destination IP Address

Source IP address 192.168.1.2

Destination IP address 192.168.1.10

Since the Destination IP address 192.168.1.10 is on a directly connected network, the Web Server does not send the reply packet back to the Security Gateway, but sends it back directly to Client #2.
Client #2 receives the reply packet, but discards it because it expects a packet back from IP address 1.1.1.1, and not from IP address 192.168.1.2.

As far as the client is concerned, the reply packet is invalid and not related to any connection the client previously attempted to establish.