
Part 8 - Network Address Translation

In this part, we will discuss different types of Network Address Translation (NAT), set up Internet access for our lab, and review a common example of Port Forwarding.

Types of NAT

NAT settings are part of the Access Control policy, as we have mentioned in Part 7:

Check Point has two different ways of setting up Network Address Translation: Automatic NAT and Manual NAT. Each of them allows configuring two different types of NAT: Hide NAT and Static NAT:

Hide NAT translates multiple internal addresses into a single IP address (a many-to-one translation). This allows internal clients to open connections to external networks; outside your Security Gateway, these connections will look as if they originated from a single IP address. To perform this translation, the Security Gateway changes both the source IP address and the source port on the outgoing packets. On the return traffic, the destination IP address and port will be translated ba

5 Comments
Don_Paterson
Advisor

Unless I am missing something the Manual NAT rule in the last example here cannot work unless a proxy ARP is configured.

The steps and description for that seems to be missing from this page/lab.

Makes me wonder what was configured to get the last screenshot.

Regards,

Don

Timothy_Hall
Legend

A manual Proxy ARP is not necessary in this case since port forwarding of http to the DMZ server is being accomplished using the firewall's existing external interface IP 192.168.206.5.  The firewall will already answer ARP requests for that IP address from the Internet perimeter router.  If the manual NAT example was using another IP address plucked from the subnet located between the firewall and the perimeter router (such as 192.168.206.155 assuming a /24 mask) then yes a manual static proxy ARP would be needed.
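As an added illustration of the rule Tim describes (this is not code from the original post, from Check Point, or from any commenter): a small Python check that, given the gateway's interface addresses, reports whether each manual static NAT translated address needs a proxy ARP entry. The addresses 192.168.206.5 and 192.168.206.155 come from the thread; the /24 mask, the DMZ interface and the rule set are assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed lab values. The external address 192.168.206.5 and the example
# 192.168.206.155 come from the thread; the /24 mask and the DMZ interface
# (eth1, 10.10.10.0/24) are assumptions made for this illustration.
GATEWAY_INTERFACES: Dict[str, str] = {
    "eth0": "192.168.206.5/24",   # external, facing the perimeter router
    "eth1": "10.10.10.1/24",      # DMZ, where the web server lives (hypothetical)
}

def proxy_arp_needed(translated_ip: str, interfaces: Dict[str, str]) -> Tuple[bool, str]:
    """Apply the rule from the thread to one manual static NAT translated address.

    - The gateway already answers ARP for its own interface IPs: no proxy ARP.
    - An address borrowed from a directly connected subnet that is not an
      interface IP is never answered unless a proxy ARP entry is added.
    - An address outside every connected subnet is not an ARP question at all;
      the neighbouring router must route it to the gateway ("external routing").
    """
    ip = ipaddress.ip_address(translated_ip)
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        if ip == iface.ip:
            return False, f"{ip} is the gateway's own {name} address; it already answers ARP"
        if ip in iface.network:
            return True, f"{ip} is in {iface.network} on {name} but is not an interface IP; add proxy ARP on {name}"
    return False, f"{ip} is on no connected subnet; the upstream router must route it to the gateway"

def audit_static_nat(rules: List[Tuple[str, str]], interfaces: Dict[str, str]) -> List[str]:
    """Return the translated addresses that need a proxy ARP entry, given a list
    of (original_ip, translated_ip) manual static NAT rules."""
    return [translated for _, translated in rules if proxy_arp_needed(translated, interfaces)[0]]

if __name__ == "__main__":
    # Hypothetical rule set: port forwarding on the external IP (the lab's case),
    # a spare address from the transit /24, and a documentation-range public
    # address that the perimeter router is assumed to route to the gateway.
    rules = [
        ("10.10.10.80", "192.168.206.5"),
        ("10.10.10.81", "192.168.206.155"),
        ("10.10.10.82", "203.0.113.10"),
    ]
    for _, translated in rules:
        print(proxy_arp_needed(translated, GATEWAY_INTERFACES)[1])
    print("needs proxy ARP:", audit_static_nat(rules, GATEWAY_INTERFACES))  # ['192.168.206.155']
```

Run it against your own interface table before pushing a manual NAT policy; every address the audit lists needs either a proxy ARP entry on the gateway or a route on the neighbouring router.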

_Val_
Admin

On top of what Tim said, we can also tackle the issue of not having a manual ARP proxy with external routing.

Don_Paterson
Advisor

Understood. I see what I missed.

Now the question is, is this the best NAT scenario for this course?

I've seen and done many types of NAT. Funky stuff and standard stuff, and I am thinking that maybe the more common NAT scenario is better here, where a dedicated IP address is used. Or two.

And then manual and automatic destination/static NAT rules can be covered. 

Doesn't Check Point generally recommend automatic NAT rules?

Thanks,

Don

_Val_
Admin

In this specific case, automatic static NAT would work too, and probably could be a more reasonable option. However, this is just an example of what's possible, and considering the fact that manual NAT takes a bit more effort to set up, it is a good educational decision 🙂