Annie-CCSA
Participant

Server side NAT ?

Hi all, 

I'm reading a CCSA R80 manual and got stuck on some information about a Global Properties option that allows admins to choose between "Client side NAT" and "Server side NAT", and it breaks my mind. There's a lot of explaining where destination NAT happens within a Check Point GW ... just for confirmation, it's before 3 by default, isn't it? So that the OS can route it ... right?

( Correct me if I'm wrong )

1) i
2) I
   Destination NAT to internal IP
3) OS routing
4) o
5) O

But do these client-side/server-side NAT options influence what IP address you need to use in the rule base then? (use translated IPs vs. original IPs)

[image: NAT.JPG]

( I guess not )

And secondly, I do read in the documentation that it influences routing.

- ( automatic NAT, no issues )

- ( manual NAT, possible manual routing needed )

But then I fail to imagine a real-world scenario where this option would come in handy (either for automatic or manual NAT rules)?

Can someone explain in simple words, with a real-world example, why you would want this option server side?

Thx a lot.

PhoneBoy
Admin

The main reason this option exists at all is because, prior to the existence of this option (4.1 and earlier I believe), the only way for a destination static NAT to work where the IP in question was on the same subnet as the firewall, was to configure a route.
With this option added and being the default, that configuration is no longer necessary.
However, for anyone upgrading from a prior release with that option, that feature might be…disruptive.

There may be an oddball situation where it is necessary to disable this feature but for the common use case, it’s not.
Not sure why this is still on the CCSA exam. @shay_solomon 

Timothy_Hall
Champion

Client-side vs. server-side NAT is still covered on the CCSA exam, even though there is practically no reason to disable client-side NAT (which is the default) in the real world. I warn students attending my CCSA classes about this, as even someone who has set up hundreds or thousands of NATs in the real world can be tripped up by client-side vs. server-side NAT questions on the CCSA exam. In the old days all NAT operations (both on the source and destination IP addresses) occurred on the outbound side of the INSPECT driver between o and O. For destination NATs to work this required the addition of a static, host-based route for all configured Static NATs, as Phoneboy mentioned. Starting in NG/R50, all destination IP address NATs started happening on the inbound side of the INSPECT driver between capture points i and I (client-side NAT), while Source NATs still occur on the outbound side between o and O (server-side NAT). This change eliminated the need to add static host-based routes to make your Static NATs work properly, and frankly there is practically no reason to disable client-side NAT these days, as doing so would immediately break almost all static NAT operations. So to summarize:

1) i
2) (NAT destination IP address if needed)
3) I
4) IP Routing
5) o
6) (NAT source IP address if needed)
7) O

I fervently warn my students to NEVER uncheck anything on the Global Properties...NAT screen unless they want to cause massive problems.  There really should be a "Wide Impact" icon, or some other type of warning on the Global Properties...NAT screen alerting you that unchecking anything here can and will screw things up.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
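The following is an added example, not code from the thread, from Check Point, or from any of the posters. It is a toy Python model of the packet path summarized above (i, I, IP routing, o, O) that only tracks where destination NAT sits relative to the routing decision. The interfaces, subnets, the 203.0.113.10 -> 10.1.1.10 static NAT and the routes are all constructed for illustration. It shows why the old server-side ordering needed a host route for each static NAT: with the public NAT address on the same subnet as the external interface, routing on the untranslated destination picks the external interface, whereas translating before routing (client-side NAT) lets the ordinary connected route to the internal subnet do the work.

```python
"""Toy model of the Check Point inspection points discussed in the thread.

Added example, not Check Point code. It models only the position of
destination NAT relative to the IP routing decision:
  client-side NAT: i -> DNAT -> I -> routing -> o -> O   (NG/R50 and later)
  server-side NAT: i -> I -> routing -> o -> DNAT -> O   (old behaviour)
All addresses, interfaces and routes below are constructed.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# Constructed topology: eth0 faces the Internet, eth1 is the internal LAN.
INTERFACES = {
    "eth0": ipaddress.ip_network("203.0.113.0/24"),  # external subnet
    "eth1": ipaddress.ip_network("10.1.1.0/24"),     # internal subnet
}
DEFAULT_ROUTE_IFACE = "eth0"

# Constructed static NAT: a public IP on the *same subnet as eth0*
# is mapped to an internal web server behind eth1.
STATIC_NAT = {"203.0.113.10": "10.1.1.10"}


def route(dst, extra_routes=()):
    """Longest-prefix match over connected subnets plus any static routes."""
    table = [(net, iface) for iface, net in INTERFACES.items()]
    table += list(extra_routes)
    addr = ipaddress.ip_address(dst)
    matches = [(net, iface) for net, iface in table if addr in net]
    if not matches:
        return DEFAULT_ROUTE_IFACE
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def dnat(pkt):
    """Static destination NAT: rewrite dst if it matches a NAT rule."""
    return replace(pkt, dst=STATIC_NAT.get(pkt.dst, pkt.dst))


def client_side_nat(pkt, extra_routes=()):
    """Translate between i and I, then route on the translated address."""
    pkt = dnat(pkt)
    iface = route(pkt.dst, extra_routes)
    return pkt.dst, iface


def server_side_nat(pkt, extra_routes=()):
    """Route on the original address, translate only between o and O."""
    iface = route(pkt.dst, extra_routes)
    pkt = dnat(pkt)
    return pkt.dst, iface


def host_route(public_ip, iface):
    """The /32 static route the old server-side NAT needed per static NAT."""
    return (ipaddress.ip_network(f"{public_ip}/32"), iface)


def demo():
    """Return (client-side result, server-side result, server-side with host route)."""
    inbound = Packet(src="198.51.100.7", dst="203.0.113.10")  # constructed client
    fix = [host_route("203.0.113.10", "eth1")]
    return (
        client_side_nat(inbound),
        server_side_nat(inbound),
        server_side_nat(inbound, fix),
    )


if __name__ == "__main__":
    client, server, server_fixed = demo()
    print("client-side NAT, no extra routes :", client)        # -> eth1
    print("server-side NAT, no extra routes :", server)        # -> eth0 (wrong)
    print("server-side NAT + /32 host route :", server_fixed)  # -> eth1
```

Run it as a script to see the three outcomes. In the server-side case the translated address is correct at O, but the forwarding decision was already made on 203.0.113.10, which the connected route for eth0 claims, so the packet leaves by the wrong interface until a /32 route for the public IP points at eth1. That is exactly the per-NAT host route the two replies above say is no longer needed with client-side NAT.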
Annie-CCSA
Participant

"In the old days all NAT operations (both on the source and destination IP addresses) occurred on the outbound side of the INSPECT driver between o and O.  For destination NATs to work this required the addition of a static, host-based route for all configured Static NATs as Phoneboy mentioned"

OK, so the only impact this had/has was the need to tell/assist the firewall what interface to route to... I was thinking somehow there was a situation where the rulebase construction could have been impacted as well by these NAT options. Must be something I read and confused me. ( if the firewall is Internet facing/has a public IP, that would be silly really, but you never know 🙂 )

Thanks for your help ! Both !
