Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

Types of NAT used in checkpoint firewall

Please help me understand the types of NAT in the checkpoint firewall.

0 Kudos
3 Replies
Highlighted
Sapphire

Re: Types of NAT used in checkpoint firewall

See "Configuring the NAT Policy" in Security Management Administration Guide R80.30 p.132 ff

0 Kudos
Highlighted

Re: Types of NAT used in checkpoint firewall

Thank you for the Document Sir!

 

However, I am still confused about NAT terminologies eg. Hide NAT, Auto NAT, Manual NAT.

I would be grateful if you could enlist and briefly explain all the NAT Types.

 

 

 

0 Kudos
Highlighted

Re: Types of NAT used in checkpoint firewall

There are two things:

Hide-NAT vs Static-NAT
- Hide-NAT is used for hiding all traffic from a bunch of IPs (network, etc.) behind one IP address (could also be a pool of address = range)
- Static-NAT is used for translating one IP to one other. It also can be used for translating only one service on one IP to another service on another IP. Or network to network NAT can be done, but original and translated network need to be of same size (same subnetmask).

Manual-NAT vs Automatic-NAT
- Automatic-NAT is configured on network objects. You can only do hide NAT for all connections and not granular by source/destination and only to one IP. For static NAT it is also again not granular but for all connections and all ports are translated.
The benefit is, that proxy ARP configuration is done automatically in this case.
- Manual-NAT is configured using the NAT rulebase and can be done based on all properites of a firewall rule, so using source/destination/service. But you have to configure proxy ARP on your own.

Typically you would use all combinations:
First configured Hide-NAT using Automatic-NAT on network objects you need internet access for (or you do it for all connections on the gateway object).
Then you configure Static-NAT using Automatic-NAT for your DMZ servers with internal IPs to make them accessible from the internet.
Afterwards you configure manual rules (mostly before automatic rules) for Hide-/Static-NAT based on things you need to be more granular on or such called "No-NAT" rules (Translated Columns all on Original) to disable the Automatic-NAT for specific connections (e.g. internal traffic between subnets).
Then you configure