https://community.checkpoint.com/t5/Firewall-and-Security-Management/Traffic-between-internal-interaces-and-hide-NAT/m-p/142386#M25285 <P>Hi All,</P><P>&nbsp;</P><P>Looks like a simple topic but still can not confirm it.</P><P>&nbsp;</P><P>Assuming I have "Automatic address translation" enabled in the object definition with "hide behind the gateway" option. Now, I have 3 interfaces - Internal, External and secondary Internal interface.</P><P>Does this nat config apply for the traffic between two internal interfaces? Or hide nat always apply only when traffic exits via the External interface.</P><P>&nbsp;</P><P>kind regards,</P><P>Tomasz</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 24 Feb 2022 09:56:46 GMT TT 2022-02-24T09:56:46Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Traffic-between-internal-interaces-and-hide-NAT/m-p/142386#M25285 <P>Hi All,</P><P>&nbsp;</P><P>Looks like a simple topic but still can not confirm it.</P><P>&nbsp;</P><P>Assuming I have "Automatic address translation" enabled in the object definition with "hide behind the gateway" option. Now, I have 3 interfaces - Internal, External and secondary Internal interface.</P><P>Does this nat config apply for the traffic between two internal interfaces? Or hide nat always apply only when traffic exits via the External interface.</P><P>&nbsp;</P><P>kind regards,</P><P>Tomasz</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 24 Feb 2022 09:56:46 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Traffic-between-internal-interaces-and-hide-NAT/m-p/142386#M25285 TT 2022-02-24T09:56:46Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Traffic-between-internal-interaces-and-hide-NAT/m-p/142398#M25286 <P>Outgoing traffic from that host/network will only be NAT-ed when being sent out through the external interface.</P> Thu, 24 Feb 2022 11:22:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Traffic-between-internal-interaces-and-hide-NAT/m-p/142398#M25286 _Val_ 2022-02-24T11:22:21Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Traffic-between-internal-interaces-and-hide-NAT/m-p/142399#M25287 <P>I'm assuming you are talking about going to the network object itself and configuring its NAT tab.&nbsp; If you look at the 2 automatic NAT rules generated as a result in the NAT policy, the destination of the second generated rule which does the vast majority of the NATting for that network has a destination of "Any".&nbsp; So yes it will NAT that traffic to all other interfaces including the second internal one.&nbsp; Typically you would have a manual anti-NAT/no-NAT rule defined early in the NAT policy that will disable NATting between internal networks and/or DMZs. The first auto-generated rule specifies no-NAT for hairpin/u-turn situations involving that network and is rarely hit.</P> <P>I think the checkbox Val is referring to is located on the gateway/cluster object itself on the NAT screen.&nbsp; If you check that one yes only traffic exiting on the External interface will be NATted.</P> Thu, 24 Feb 2022 13:08:09 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Traffic-between-internal-interaces-and-hide-NAT/m-p/142399#M25287 Timothy_Hall 2022-02-24T13:08:09Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Traffic-between-internal-interaces-and-hide-NAT/m-p/142404#M25288 <P>What&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/181">@_Val_</a>&nbsp;told you is always 100% the case.</P> Thu, 24 Feb 2022 14:19:46 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Traffic-between-internal-interaces-and-hide-NAT/m-p/142404#M25288 the_rock 2022-02-24T14:19:46Z