Hide NAT Behind Range – Sticky for each SGM (asg_hide_behind_range)

This feature uses Hide NAT behind an address range to increase the number of Hide NAT source ports available to each SGM.

When a Hide NAT rule uses an address range as its translated source, each SGM is assigned its own hide address from that range. Each SGM can then use the full source-port range of its own address, instead of sharing the port range of a single hide address with all the other SGMs.

Note - To use this feature safely, the security policy must be configured so that every Hide NAT rule uses a range object of at least 24 addresses as its translated source. See the notes below.

Syntax

> asg_hide_behind_range [-v|-s|on|off]

Parameter   Description
-v          Verify that the current policy does not contain Hide NAT rules with a translated source smaller than 24 addresses.
-s          Show the current status of the feature.
on          Enable the feature.
off         Disable the feature.

Example

> asg_hide_behind_range on

Output

Configuration succeeded.
Note: In order to apply the changes all SGMs must be rebooted.
Important:
This feature will only affect NAT rules which have a range of at least 24 addresses defined as the translated source.
Note: Manual NAT rules require local.arp configuration.

Notes

  • Changes take effect only after all SGMs are rebooted.
  • Hide NAT behind range rules are manual NAT rules and therefore require Proxy ARP (local.arp) configuration. For more information, see Proxy ARP for Manual NAT.
  • Because each SGM hides behind its own address from the range, a given source address is not guaranteed to always be translated to the same hide address. That is certain only if all connections from the source address are handled by the same SGM.
  • Hide NAT rules whose translated source is either a range smaller than 24 addresses or a single hide address are not compatible with this feature. This also applies to implied rules.
  • If the security policy contains such rules, there is no guarantee that each SGM hides the traffic that matches them behind an address that differs from every other SGM's. Two SGMs can then pick the same hide address and the same source port for different connections, causing port conflicts: after NAT those connections are indistinguishable, both in IP address and in source port.
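To make the compatibility rule concrete, the following is an added example, not part of this Check Point page or of the asg_hide_behind_range tool itself. It audits a constructed list of Hide NAT rules the way the -v parameter is described as doing: it sizes each rule's translated source and flags every rule, implied ones included, whose translated source is a single address or a range smaller than 24 addresses. The HideNatRule representation, the "first-last" and CIDR notation for the translated source, the policy_is_safe helper and the sample rules are all assumptions made for the example; a real policy lives on the Security Management Server and is not read here.

```python
"""Audit Hide NAT rules for compatibility with asg_hide_behind_range.

Added example: models the check the page attributes to ``-v``. The rule
representation and the sample policy below are constructed for illustration
and are not Check Point code or data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# The page documents 24 addresses as the minimum translated-source size.
MIN_HIDE_RANGE = 24


@dataclass(frozen=True)
class HideNatRule:
    name: str
    translated_source: str  # "a.b.c.d", "first-last" or "a.b.c.d/nn" (assumed notation)
    implied: bool = False   # implied rules are subject to the same check


def range_size(spec: str) -> int:
    """Number of addresses denoted by a single address, a first-last range or a CIDR block."""
    spec = spec.strip()
    if "-" in spec:
        first_s, last_s = (p.strip() for p in spec.split("-", 1))
        first, last = ipaddress.ip_address(first_s), ipaddress.ip_address(last_s)
        if first.version != last.version:
            raise ValueError(f"mixed address families in range: {spec}")
        if int(last) < int(first):
            raise ValueError(f"inverted range: {spec}")
        return int(last) - int(first) + 1
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False).num_addresses
    ipaddress.ip_address(spec)  # validates a single hide address
    return 1


def incompatible_rules(rules: List[HideNatRule]) -> List[Tuple[HideNatRule, int]]:
    """Rules whose translated source is too small for the feature, paired with their size."""
    findings = []
    for rule in rules:
        size = range_size(rule.translated_source)
        if size < MIN_HIDE_RANGE:
            findings.append((rule, size))
    return findings


def policy_is_safe(rules: List[HideNatRule]) -> bool:
    """True only when every Hide NAT rule, implied ones included, passes the check."""
    return not incompatible_rules(rules)


# Constructed sample policy (documentation addresses, not a real deployment).
SAMPLE_POLICY = [
    HideNatRule("hide-lan-single", "203.0.113.1"),                 # single hide address
    HideNatRule("hide-dmz-short", "203.0.113.10-203.0.113.20"),    # 11 addresses
    HideNatRule("hide-guest-cidr", "198.51.100.0/27"),             # 32 addresses
    HideNatRule("hide-wan-range", "203.0.113.32-203.0.113.63"),    # 32 addresses
    HideNatRule("implied-mgmt", "203.0.113.200", implied=True),    # implied, single address
]


def main() -> None:
    for rule, size in incompatible_rules(SAMPLE_POLICY):
        kind = "implied" if rule.implied else "manual"
        print(f"INCOMPATIBLE {rule.name} ({kind}): translated source "
              f"{rule.translated_source} has {size} address(es), need >= {MIN_HIDE_RANGE}")
    print("policy safe for asg_hide_behind_range:", policy_is_safe(SAMPLE_POLICY))


if __name__ == "__main__":
    main()
```

Run it before enabling the feature on a policy you have exported in this form; every rule it reports is one whose traffic two SGMs may end up hiding behind the same address and port. An inverted range is rejected rather than silently sized as zero, so a typo in an object cannot make a rule look compatible.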
 
©2014 Check Point Software Technologies Ltd. All rights reserved.