Configuring the NAT Policy

This chapter outlines the process of configuring NAT64 (Network Address Translation from IPv6 to IPv4) on a Check Point Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources..

NAT64 is a technology that enables communication between IPv6-only clients and IPv4-only servers. The configuration involves defining rules on a Check Point Security Gateway to translate packet headers using the IPv4/IPv6 Translation Algorithm (RFC 6145). The Security Gateway performs N:M translation, supporting scenarios like Hide NAT behind a single IPv4 address or a range of addresses.

Getting Started with NAT

Learn about types of NAT Rules and types of NAT Methods (below in this topic).
Follow the applicable procedure:
- Working with Automatic NAT Rules (for IPv4 or IPv6 translation)
- Working with Manual NAT Rules (for IPv4 or IPv6 translation)
- Working with NAT46 Rules (for IPv4-to-IPv6 translation)
- Working with NAT64 Rules (for IPv6-to-IPv4 translation)
Configure the applicable NAT advanced settings (see Advanced NAT Settings).
Install the Access Control Policy.

Introduction

NAT (Network Address Translation) is a feature of the Firewall Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. and replaces IPv4 and IPv6 addresses to add more security. NAT protects the identity of a network and does not show internal IP addresses to the Internet.

The Security Gateway can change:

The source IP address in a packet.
The destination IP address in a packet.
The TCP / UDP port in a packet.

Types of NAT Rules

In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., you can create these types of NAT rules:

NAT Rules	How to create these NAT rules?	How to change these NAT rules?
Automatic NAT Rules	Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. creates these rules automatically based on the NAT settings you configure in objects' properties (on the NAT page)	You must change the NAT settings in objects' properties on the NAT page.
Manual NAT Rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session.	You create these rules, select all objects and the NAT method.	You change these rules.

Important - A Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. / Domain Management Server supports a maximum of 16384 NAT rules in one policy. See sk82220.

Types of NAT Methods

You can configure one of these NAT methods for Automatic NAT Rules and in Manual NAT Rules Manual configuration of NAT rules by the administrator of the Check Point Management Server.:

Hide

The Security Gateway changes the source IP address of all connections from a source to the same IP address - either that of the Security Gateway's outgoing interface, or an IP address you configure.

Hide > Hide behind gateway

The Security Gateway changes the source IP address of all connections from a source to the same IP address of the Security Gateway's outgoing interface.

Hide > Hide behind IP address

The Security Gateway changes the source IP address of all connections from a source to the same IP address your configure.

Notes:

When you configure Hide NAT, connections can only start from internal computers.

The Security Gateway does not allow external traffic to access internal resources.
If you enable this configuration in an object that represents one IP address (a Host object), then this gives you a one-to-one address translation.
If you enable this configuration in an object that represents many IP addresses (a Network object, an Address Range object), then this gives you a many-to-one address translation.
The Security Gateway uses port numbers to translate all specified internal IP addresses to a single external IP address - port numbers from 600 to 1023, and from 10,000 to 60,000.

The Security Gateway can translate up to 50,000 connections at the same time.
You cannot use Hide NAT for these configurations:
- Traffic that uses protocols where the port number cannot be changed.
- An external server that uses IP addresses to identify different computers and clients.

Example diagram

Item	Description
1	Internal computers
2	Security Gateway configured with Hide NAT
3	External computers and servers on the Internet

Sample Hide NAT Workflow

Internal computer A (10.10.0.26) sends a packet to an external computer.
The Security Gateway intercepts the packet and translates the source IP address from (10.10.0.26) to 192.0.2.1, and port 11000.
The external computer sends back a packet to 192.0.2.1, to port 11000.
The Security Gateway translates the packet's IP address from 192.0.2.1 to 10.10.0.26 and sends it to internal computer A.

Internal computer A (10.10.0.26)

sends packet to Internet

Security Gateway translates

this address from 10.10.0.26 to 192.0.2.1, and port 11000

Internet receives

packet from 192.0.2.1, from port 11000

Internet sends back

packet to 192.0.2.1, to port 11000

Security Gateway translates

this address from 192.0.2.1 to 10.10.0.26

Internal computer A

receives packet

Static

The Security Gateway changes the source IP address of all connections from a source to the IP address your configure.

Notes:

When you configure Static NAT, the Security Gateway allows external traffic to access internal resources.
If you enable this configuration in an object that represents one IP address (a Host object), then this gives you a one-to-one address translation.

If you enable this configuration in an object that represents many IP addresses (a Network object, an Address Range object), then this gives you a many-to-one address translation.

The Security Gateway translates each internal IP address to a different external IP address.

Important - The range of the translated IP addresses is the same as the range of the source IP addresses.

Example diagram

Item	Description
1	Internal computers
2	Security Gateway configured with Static NAT
3	External computers and servers on the Internet

Example traffic flow with Static NAT

An external computer on the Internet sends a packet to 192.0.2.5.
The Security Gateway translates the IP address from 192.0.2.5 to 10.10.0.26 and sends the packet to internal computer A.
Internal computer A (10.10.0.26) sends back a packet to the external computer.
The Security Gateway intercepts the packet and translates the source IP address from 10.10.0.26 to 192.0.2.5.
Internal computer B (10.10.0.37) sends a packet to an external computer.
The Security Gateway intercepts the packet translates the source IP address from 10.10.0.37 to 192.0.2.16.

Internet sends packet to 192.0.2.5	Security Gateway translates this address from 192.0.2.5 to 10.10.0.26	Internal computer A (10.10.0.26) receives packet

Internal computer A (10.10.0.26) sends packet to Internet	Security Gateway translates this address from 10.10.0.26 to 192.0.2.5	Internet receives packet from 192.0.2.5

Internal computer B (10.10.0.37) sends packet to Internet	Security Gateway translates this address from 10.10.0.37 to 192.0.2.16	Internet receives packet from 192.0.2.16

NAT Rules in SmartConsole

The NAT Rule Base All rules configured in a given Security Policy. Synonym: Rulebase. has two sections in that specify how the IP addresses and Ports are translated:

Original - with columns Source, Destination, and Services
Translated - with columns Source, Destination, and Services

Example of Automatic NAT Rules

No	Original Source	Original Destination	Original Services	Translated Source	Translated Destination	Translated Services	Install On
Automatic Generated Rules
NAT Rules for X (Y-Z)
1	Object1	Object2	`Any`	`= Original`	`= Original`	`= Original`	`Policy Targets`
2	Object3	Object4	`Any`	_S Object5	_S Object6	`= Original`	`Policy Targets`
3	Object7	Object8	`Any`	_H Object9	_H Object10	`= Original`	`Policy Targets`

Example of a Manual NAT rule

No	Original Source	Original Destination	Original Services	Translated Source	Translated Destination	Translated Services	Install On
Automatic Generated Rules
Manual Lower Rules
4	Object11	Object12	`Any`	_S Object13	`= Original`	`= Original`	`Policy Targets`
5	Object14	Object15	`Any`	`= Original`	_S Object16	`= Original`	`Policy Targets`

Order of NAT Rule Enforcement

The Security Gateway enforces the NAT Rule Base in a sequential manner - in the order you place the rules in the NAT Policy (see the No. column).

The Security Gateway enforces Automatic NAT and Manual NAT rules in different ways.

Explanation

Manual NAT rules - The Security Gateway enforces the first Manual NAT rule that matches a connection. The Security Gateway does not examine other Manual NAT rules.

Automatic NAT rules - The Security Gateway can enforce two Automatic NAT rules that match a connection - one rule for the Source and one for the Destination. When a connection matches two Automatic NAT rules, the Security Gateway enforces those rules.

Note - SmartConsole organizes the Automatic NAT rules in this order:

Static NAT rules for the Security Gateway, or Host (computer or server) objects
Hide NAT rules for the Security Gateway, or Host objects
Static NAT rules for Network or Address Range objects
Hide NAT rules for Network or Address Range objects