Configuring the NAT Policy

Getting Started with NAT

  1. Learn about types of NAT Rules and types of NAT Methods (below in this topic).

  2. Follow the applicable procedure:

  3. Configure the applicable NAT advanced settings (see Advanced NAT Settings).

  4. Install the Access Control Policy.

Introduction

NAT (Network Address Translation) is a feature of the Firewall Software BladeClosed Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. and replaces IPv4 and IPv6 addresses to add more security. NAT protects the identity of a network and does not show internal IP addresses to the Internet.

The Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. can change:

  • The source IP address in a packet.

  • The destination IP address in a packet.

  • The TCP / UDP port in a packet.

  1. An internal computer sends a packet to an external computer

  2. The Security Gateway translates the source IP address to a new one.

  3. The packet comes back from the external computer

  4. The Security Gateway translates the new IP address back to the original IP address.

  5. The packet from the external computer goes to the correct internal computer.

Types of NAT Rules

In SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., you can create these types of NAT rules:

NAT Rules

How to create these NAT rules?

How to change these NAT rules?

Automatic NAT Rules

Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. creates these rules automatically based on the NAT settings you configure in objects' properties (on the NAT page)

You must change the NAT settings in objects' properties on the NAT page.

Manual NAT RuleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session.

You create these rules, select all objects and the NAT method.

You change these rules.

Types of NAT Methods

You can configure one of these NAT methods for Automatic NAT Rules and in Manual NAT RulesClosed Manual configuration of NAT rules by the administrator of the Check Point Management Server.:

The Security Gateway changes the source IP address of all connections from a source to the same IP address - either that of the Security Gateway's outgoing interface, or an IP address you configure.

Hide > Hide behind gateway

The Security Gateway changes the source IP address of all connections from a source to the same IP address of the Security Gateway's outgoing interface.

Hide > Hide behind IP address

The Security Gateway changes the source IP address of all connections from a source to the same IP address your configure.

Notes:

  • When you configure Hide NAT, connections can only start from internal computers.

    The Security Gateway does not allow external traffic to access internal resources.

  • If you enable this configuration in an object that represents one IP address (a Host object), then this gives you a one-to-one address translation.

  • If you enable this configuration in an object that represents many IP addresses (a Network object, an Address Range object), then this gives you a many-to-one address translation.

  • The Security Gateway uses port numbers to translate all specified internal IP addresses to a single external IP address - port numbers from 600 to 1023, and from 10,000 to 60,000.

    The Security Gateway can translate up to 50,000 connections at the same time.

  • You cannot use Hide NAT for these configurations:

    • Traffic that uses protocols where the port number cannot be changed.

    • An external server that uses IP addresses to identify different computers and clients.

Example diagram

Item

Description

1

Internal computers

2

Security Gateway configured with Hide NAT

3

External computers and servers on the Internet

Sample Hide NAT Workflow

  1. Internal computer A (10.10.0.26) sends a packet to an external computer.

  2. The Security Gateway intercepts the packet and translates the source IP address from (10.10.0.26) to 192.0.2.1, and port 11000.

  3. The external computer sends back a packet to 192.0.2.1, to port 11000.

  4. The Security Gateway translates the packet's IP address from 192.0.2.1 to 10.10.0.26 and sends it to internal computer A.

Internal computer A (10.10.0.26)

sends packet to Internet

Security Gateway translates

this address from 10.10.0.26 to 192.0.2.1, and port 11000

Internet receives

packet from 192.0.2.1, from port 11000

 

 

 

 

 

Internet sends back

packet to 192.0.2.1, to port 11000

Security Gateway translates

this address from 192.0.2.1 to 10.10.0.26

Internal computer A

receives packet

The Security Gateway changes the source IP address of all connections from a source to the IP address your configure.

Notes:

  • When you configure Static NAT, the Security Gateway allows external traffic to access internal resources.

  • If you enable this configuration in an object that represents one IP address (a Host object), then this gives you a one-to-one address translation.

  • If you enable this configuration in an object that represents many IP addresses (a Network object, an Address Range object), then this gives you a many-to-one address translation.

    The Security Gateway translates each internal IP address to a different external IP address.

    Important - The range of the translated IP addresses is the same as the range of the source IP addresses.

Example diagram

Item

Description

1

Internal computers

2

Security Gateway configured with Static NAT

3

External computers and servers on the Internet

Example traffic flow with Static NAT

  1. An external computer on the Internet sends a packet to 192.0.2.5.

  2. The Security Gateway translates the IP address from 192.0.2.5 to 10.10.0.26 and sends the packet to internal computer A.

  3. Internal computer A (10.10.0.26) sends back a packet to the external computer.

  4. The Security Gateway intercepts the packet and translates the source IP address from 10.10.0.26 to 192.0.2.5.

  5. Internal computer B (10.10.0.37) sends a packet to an external computer.

  6. The Security Gateway intercepts the packet translates the source IP address from 10.10.0.37 to 192.0.2.16.

Internet sends

packet to 192.0.2.5

Security Gateway translates

this address from 192.0.2.5 to 10.10.0.26

Internal computer A (10.10.0.26)

receives packet

 

 

 

 

 

Internal computer A (10.10.0.26)

sends packet to Internet

Security Gateway translates

this address from 10.10.0.26 to 192.0.2.5

Internet receives

packet from 192.0.2.5

 

 

 

 

 

Internal computer B (10.10.0.37)

sends packet to Internet

Security Gateway translates

this address from 10.10.0.37 to 192.0.2.16

Internet receives

packet from 192.0.2.16

NAT Rules in SmartConsole

The NAT Rule BaseClosed All rules configured in a given Security Policy. Synonym: Rulebase. has two sections in that specify how the IP addresses and Ports are translated:

  • Original - with columns Source, Destination, and Services

  • Translated - with columns Source, Destination, and Services

No

Original Source

Original Destination

Original Services

Translated Source

Translated Destination

Translated Services

Install On

Comments

Automatic Generated Rules

NAT Rules for X (Y-Z)

1

Object1

Object2

Any

= Original

= Original

= Original

Policy Targets

 

2

Object3

Object4

Any

S Object5

S Object6

= Original

Policy Targets

 

3

Object7

Object8

Any

H Object9

H Object10

= Original

Policy Targets

 

No

Original Source

Original Destination

Original Services

Translated Source

Translated Destination

Translated Services

Install On

Comments

Automatic Generated Rules

Manual Lower Rules

4

Object11

Object12

Any

S Object13

= Original

= Original

Policy Targets

 

5

Object14

Object15

Any

= Original

S Object16

= Original

Policy Targets

 

Order of NAT Rule Enforcement

The Security Gateway enforces the NAT Rule Base in a sequential manner - in the order you place the rules in the NAT Policy (see the No. column).

The Security Gateway enforces Automatic NAT and Manual NAT rules in different ways.

  • Manual NAT rules - The Security Gateway enforces the first Manual NAT rule that matches a connection. The Security Gateway does not examine other Manual NAT rules.

  • Automatic NAT rules - The Security Gateway can enforce two Automatic NAT rules that match a connection - one rule for the Source and one for the Destination. When a connection matches two Automatic NAT rules, the Security Gateway enforces those rules.

    Note - SmartConsole organizes the Automatic NAT rules in this order:

    1. Static NAT rules for the Security Gateway, or Host (computer or server) objects

    2. Hide NAT rules for the Security Gateway, or Host objects

    3. Static NAT rules for Network or Address Range objects

    4. Hide NAT rules for Network or Address Range objects