
Checkpoint IP Pool NAT

Hi Folks,

I am trying to do a NAT from Internal to DMZ servers; from the internal subnet, when it goes to DMZ servers, the source should get an IP pool NAT address.

Scenario

From the LAN side, 10.90.0.0 gets translated at the firewall and gets a pool address in the 192.168.90.0-255 range. Another workstation that connects from 10.91.0.0 gets a different address in the 192.168.90.0-255 range.

Any assistance on this would be great.

0 Kudos
3 Replies

Re: Checkpoint IP Pool NAT

It appears, though I haven't done this myself, that if you apply a static NAT to a network object, the NAT will automatically use the addresses within the subnet mask allocated to the network object. So if you set your network object for 10.90.0.0/24 to use NAT address 192.168.90.1, it will actually perform one-to-one NAT using all of 192.168.90.0/24.

ref: The idea of automatic static NAT in range object? [Archive] - CPUG: The Check Point User Group 

0 Kudos

Re: Checkpoint IP Pool NAT

Yes Brandon, this will behave as you state, although most people find out about this functionality the hard way when they accidentally set Static NAT for a network object instead of Hide NAT like they intended. Depending on the subnet mask size, the firewall will suddenly start translating hundreds or even thousands of IP addresses statically.

Libin, if the source network is larger than the NAT network, this can be configured on a Check Point and I refer to it as a "many to fewer NAT". You can see my breakdown of the setup process here:

 

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
0 Kudos
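The behaviour described in the two replies above, modelled as an added example (not code from the thread or from Check Point): a Static NAT set on a network object maps the whole subnet one-to-one, so an audit can flag every network object where Static NAT was set instead of Hide NAT and show how many addresses it exposes. It assumes the NAT address is masked to the object's prefix length and host bits are preserved; the object records and their field names (`name`, `net`, `nat`, `nat_addr`) are hypothetical, not a Check Point export format.

```python
import ipaddress

def static_nat_network(obj_net, nat_addr):
    """Range a network object's Static NAT covers (assumption: the NAT
    address is masked to the object's own prefix length)."""
    src = ipaddress.ip_network(obj_net)
    return ipaddress.ip_network(f"{nat_addr}/{src.prefixlen}", strict=False)

def translate(obj_net, nat_addr, ip):
    """One-to-one translation that keeps the host part of the address.
    Returns None when the address is not inside the network object."""
    src = ipaddress.ip_network(obj_net)
    addr = ipaddress.ip_address(ip)
    if addr not in src:
        return None
    offset = int(addr) - int(src.network_address)
    return str(static_nat_network(obj_net, nat_addr).network_address + offset)

def audit(objects):
    """Flag objects larger than a single host that use Static NAT.
    Returns (name, translated range, number of addresses translated)."""
    findings = []
    for obj in objects:
        src = ipaddress.ip_network(obj["net"])
        if obj["nat"] == "static" and src.num_addresses > 1:
            dst = static_nat_network(obj["net"], obj["nat_addr"])
            findings.append((obj["name"], str(dst), src.num_addresses))
    return findings

# Constructed sample objects using the addresses from the thread.
SAMPLE_OBJECTS = [
    {"name": "lan_10_90", "net": "10.90.0.0/24",
     "nat": "static", "nat_addr": "192.168.90.1"},
    {"name": "lan_10_91", "net": "10.91.0.0/24",
     "nat": "hide", "nat_addr": "192.168.90.254"},
    {"name": "srv_host", "net": "10.90.0.10/32",
     "nat": "static", "nat_addr": "192.168.90.10"},
]

if __name__ == "__main__":
    for name, dst, count in audit(SAMPLE_OBJECTS):
        print(f"{name}: Static NAT on a network object, "
              f"{count} addresses mapped one-to-one into {dst}")
    print(translate("10.90.0.0/24", "192.168.90.1", "10.90.0.57"))
```
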

Re: Checkpoint IP Pool NAT

Love your book dude.

0 Kudos