We have a proxy server in our internal network and I want to redirect all internet HTTP requests to a web server in the local network. It'll be like a network billboard that says "No direct connection is available. Set up your proxy etc." For example:

  • A user starts the computer
  • Opens the browser
  • Tries to open www.google.com
  • Should see web server output on local network
  • Tries another web site on internet
  • Should see web server output on local network
  • Sets up proxy
  • Tries to connect to a web site
  • Web site should be loaded

I have added a simple manual NAT rule to the address translation in the Checkpoint firewall, but it simply does not work. Here is my address translation rule:

Source Destination Service T.Source T.Destination T.Service

Then, when I ping A_GOOGLE_IP, replies come from INT_WEB_SRV, as I expected. However, when I try to connect to A_GOOGLE_IP from the browser (http://A_GOOGLE_IP), no replies come back: the connection stays in SYN_SENT and times out. When I look at the firewall log of INT_WEB_SRV, I can see that the incoming connection requests from MY_PC are accepted and there are NO denies. By the way, there is no problem seeing INT_WEB_SRV (http://INT_WEB_SRV) from the browser.

My understanding is that my NAT rule on Checkpoint NGX R60 does not cover the return packets. I definitely need some help.

James O'Gorman

3 Answers


When running into NAT issues, I always start off by opening a couple of SSH sessions and running tcpdump on both the internal and external interfaces.

Something like:

tcpdump -i eth0 icmp

tcpdump -i eth0 host A_GOOGLE_IP

and watch to see what the NATted IP address is. That should at least give you somewhere to start!


The return traffic in Checkpoint should be NATted. Is the traffic showing up in the server log on the web server? Also, it's worth using fw monitor to make sure Checkpoint is correctly NATting and passing the traffic both ways, with something like:

fw monitor -e 'accept (src=<host address> and dport=80) or (dst=<host address> and sport=80);'

This should show four lines for each packet, including the pre- and post-NAT addresses.


If the internal server is in the same subnet as the client, you need to do SNAT as well as DNAT, because as it stands, here is how it works:

iptables -t nat -A PREROUTING -i LAN_IFACE -d A_GOOGLE_IP -j DNAT --to-destination INT_WEB_SRV

  • Client PC sends a TCP SYN to A_GOOGLE_IP
  • Router DNATs it to INT_WEB_SRV
  • INT_WEB_SRV sees a request coming from a LAN IP and replies directly
  • The client receives a reply from the INT_WEB_SRV IP and not from A_GOOGLE_IP

If you SNAT, then it works like this:

iptables -t nat -A PREROUTING -i LAN_IFACE -d A_GOOGLE_IP -j DNAT --to-destination INT_WEB_SRV
iptables -t nat -A POSTROUTING -s LAN_RANGE/mask -d INT_WEB_SRV -j SNAT --to-source ROUTER_IP

  • Client PC sends a TCP SYN to A_GOOGLE_IP
  • Router DNATs it to INT_WEB_SRV, replacing the source IP with its own IP
  • INT_WEB_SRV sees a request coming from the router and replies to it
  • Router DNATs the reply to the client PC and replaces the source IP with A_GOOGLE_IP
  • The client thinks it connected to A_GOOGLE_IP

However, if all you want to do is force proxy usage on everybody, just DNAT all outgoing HTTP connections to the proxy server (you will get what is called a transparent proxy) and the clients won't need to change the settings on their computers.

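To make the difference between the two rule sets in the answer above concrete, here is a small Python model of the two packet flows. It is an added example, not code from the answer or from any of the tools mentioned: the 10.0.0.0/24 LAN, the router, client and server addresses, the client port 40000 and the use of 203.0.113.10 in place of A_GOOGLE_IP are all constructed for illustration, and the "router" is a toy conntrack table that only knows the DNAT and SNAT rules quoted in the answer. The model reproduces the symptom in the question: without hairpin SNAT the web server answers the client directly, the SYN-ACK arrives from INT_WEB_SRV instead of A_GOOGLE_IP, the client's kernel has no socket for that 4-tuple and the connection stays in SYN_SENT; with SNAT the reply is forced back through the router, which un-NATs both addresses.

```python
"""Toy model of hairpin NAT (DNAT with and without SNAT) for same-subnet hosts.
Added example, not from the original answer. All addresses are constructed;
203.0.113.10 (RFC 5737 documentation range) stands in for A_GOOGLE_IP."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/24")
ROUTER_IP, CLIENT_IP, INT_WEB_SRV = "10.0.0.1", "10.0.0.10", "10.0.0.20"
A_GOOGLE_IP = "203.0.113.10"  # assumed "internet" address the client asks for


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN" or "SYN-ACK"


@dataclass
class Router:
    """Stateful NAT box: PREROUTING DNAT, optional POSTROUTING SNAT, and a
    conntrack table so replies get both translations reversed."""
    hairpin_snat: bool
    conntrack: dict = field(default_factory=dict)  # original tuple -> translated tuple

    def forward(self, p: Packet) -> Packet:
        # Reply direction: does this packet match some translated tuple, reversed?
        for orig, xlat in self.conntrack.items():
            if (p.src, p.sport, p.dst, p.dport) == (xlat[2], xlat[3], xlat[0], xlat[1]):
                # Un-NAT: the reply now appears to come from A_GOOGLE_IP and goes to the client.
                return Packet(orig[2], orig[3], orig[0], orig[1], p.flags)
        # Original direction, new connection.
        src, sport, dst, dport = p.src, p.sport, p.dst, p.dport
        if dst == A_GOOGLE_IP:  # iptables -t nat -A PREROUTING -d A_GOOGLE_IP -j DNAT ...
            dst = INT_WEB_SRV
        if self.hairpin_snat and ip_address(src) in LAN and dst == INT_WEB_SRV:
            src = ROUTER_IP  # iptables -t nat -A POSTROUTING -d INT_WEB_SRV -j SNAT ...
        self.conntrack[(p.src, p.sport, p.dst, p.dport)] = (src, sport, dst, dport)
        return Packet(src, sport, dst, dport, p.flags)


def simulate(hairpin_snat: bool) -> dict:
    """Run one SYN / SYN-ACK exchange; report whether the client's handshake completed."""
    router = Router(hairpin_snat)
    trace, state = [], {"client": "SYN_SENT"}
    client_socket = (CLIENT_IP, 40000, A_GOOGLE_IP, 80)  # 4-tuple the client's kernel expects

    def route(p: Packet, sender: str) -> None:
        # Hosts deliver directly inside their own subnet; anything else goes to the gateway.
        hop = "direct" if ip_address(p.dst) in LAN and p.dst != ROUTER_IP else "via router"
        trace.append(f"{sender}: {p.flags} {p.src}:{p.sport} -> {p.dst}:{p.dport} ({hop})")
        if hop == "via router":
            p = router.forward(p)
            trace.append(f"router: {p.flags} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        handlers[p.dst](p)

    def server(p: Packet) -> None:
        if p.flags == "SYN" and p.dport == 80:
            route(Packet(INT_WEB_SRV, 80, p.src, p.sport, "SYN-ACK"), "server")

    def client(p: Packet) -> None:
        if p.flags == "SYN-ACK" and (p.dst, p.dport, p.src, p.sport) == client_socket:
            state["client"] = "ESTABLISHED"
        else:
            trace.append(f"client: no socket for {p.src}:{p.sport}, dropped (stays SYN_SENT)")

    handlers = {INT_WEB_SRV: server, CLIENT_IP: client}
    route(Packet(CLIENT_IP, 40000, A_GOOGLE_IP, 80, "SYN"), "client")
    return {"established": state["client"] == "ESTABLISHED", "trace": trace}


if __name__ == "__main__":
    for snat in (False, True):
        result = simulate(snat)
        print(f"hairpin SNAT={snat}: established={result['established']}")
        print("\n".join("  " + line for line in result["trace"]))
```

Running it prints both traces: in the DNAT-only run the server's SYN-ACK is delivered directly and the client drops it, in the DNAT+SNAT run the reply passes back through the router and comes out as 203.0.113.10:80 -> 10.0.0.10:40000, which is what the client is waiting for. Real conntrack also tracks ports and sends a RST for an unexpected SYN-ACK, which the model leaves out.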