Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Jaisingh_rathor
Participant

Types of NAT used in checkpoint firewall

Please help me understand the types of NAT in the checkpoint firewall.

0 Kudos
5 Replies
G_W_Albrecht
Legend Legend
Legend

See "Configuring the NAT Policy" in Security Management Administration Guide R80.30 p.132 ff

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Jaisingh_rathor
Participant

Thank you for the Document Sir!

 

However, I am still confused about NAT terminologies eg. Hide NAT, Auto NAT, Manual NAT.

I would be grateful if you could enlist and briefly explain all the NAT Types.

 

 

 

0 Kudos
Norbert_Bohusch
Advisor

There are two things:

Hide-NAT vs Static-NAT
- Hide-NAT is used for hiding all traffic from a bunch of IPs (network, etc.) behind one IP address (could also be a pool of address = range)
- Static-NAT is used for translating one IP to one other. It also can be used for translating only one service on one IP to another service on another IP. Or network to network NAT can be done, but original and translated network need to be of same size (same subnetmask).

Manual-NAT vs Automatic-NAT
- Automatic-NAT is configured on network objects. You can only do hide NAT for all connections and not granular by source/destination and only to one IP. For static NAT it is also again not granular but for all connections and all ports are translated.
The benefit is, that proxy ARP configuration is done automatically in this case.
- Manual-NAT is configured using the NAT rulebase and can be done based on all properites of a firewall rule, so using source/destination/service. But you have to configure proxy ARP on your own.

Typically you would use all combinations:
First configured Hide-NAT using Automatic-NAT on network objects you need internet access for (or you do it for all connections on the gateway object).
Then you configure Static-NAT using Automatic-NAT for your DMZ servers with internal IPs to make them accessible from the internet.
Afterwards you configure manual rules (mostly before automatic rules) for Hide-/Static-NAT based on things you need to be more granular on or such called "No-NAT" rules (Translated Columns all on Original) to disable the Automatic-NAT for specific connections (e.g. internal traffic between subnets).
Then you configure
dphonovation
Collaborator

Is the "range" object type the only simple way (without SK hacks) to create an "Outbound NAT pool"? I want to HIDE nat outbound connections behind multiple IPs the checkpoint is BGP broadcasting.

0 Kudos
Chris_Atkinson
Employee Employee
Employee

Depending on the scale of the environment I typically prefer to map(hide) specific subnets to individual public IPs.

In my experience this makes troubleshooting easier when/if reachability issues arise.

CCSM R77/R80/ELITE

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events