IP Pool NAT

Overview

An IP Pool is a range of IP addresses that are routable to the Security Gateway (the dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources).

IP Pool NAT ensures proper routing for encrypted connections in these VPN connection scenarios:

  • Remote Access Client to MEP (Multiple Entry Point) Security Gateways

  • Security Gateway to MEP Security Gateways

When a Remote Access Client, or a client behind a Security Gateway, opens a connection to a server behind the MEP Security Gateways, the packets are routed through one of the MEP Security Gateways.

Return packets in the connection must be routed back through that same Security Gateway in order to maintain the connection, because only that Security Gateway holds the state of the connection and its VPN tunnel.

To ensure that this occurs, each of the MEP Security Gateways maintains a pool of IP addresses that are routable to the Security Gateway.

When a connection is opened to a server, the Security Gateway substitutes an IP address from the IP pool for the source IP address.

Reply packets from the server return to the Security Gateway, which restores the original source IP address and forwards the packets to the source.

NAT Priorities

IP Pool NAT can be used both for encrypted (VPN) connections and for non-encrypted connections (clear connections, or connections already decrypted by the Security Gateway).

Note - To enable IP Pool NAT for clear connections through the Security Gateway, it is necessary to configure the required INSPECT settings in the applicable user.def file (see Location of 'user.def' Files on the Management Server). Contact Check Point Support for assistance.

For non-encrypted connections, IP Pool NAT has the following advantages over Hide NAT:

  • New back connections (for example, X11) can be opened to the NATed host.

  • User-to-IP server mapping of protocols that allow only one connection per source IP address can work with a number of hosts instead of only one host, because each NATed host appears to the server with its own pool address.

  • IPsec, GRE, and IGMP protocols can be NATed using IP Pool NAT (and Static NAT). Hide NAT works only with TCP, UDP, and ICMP protocols, because it needs a per-connection identifier (a port number, or the ICMP ID) to multiplex many connections behind one address.

Because of these advantages, you can specify that IP Pool NAT has priority over Hide NAT if both match the same connection. Hide NAT is then applied only when the IP pool is exhausted.

The order of NAT priorities:

  1. Static NAT

  2. IP Pool NAT

  3. Hide NAT

Because Static NAT has all of the advantages of IP Pool NAT and more, it has a higher priority than the other NAT methods.

IP Pool Per Interface

You can define a separate IP address pool on one or more of the Security Gateway interfaces instead of defining a single pool of IP addresses for the Security Gateway.

Defining an IP pool per interface solves routing issues that occur when the Security Gateway has more than two interfaces.

It is sometimes necessary that reply packets return to the Security Gateway through the same interface that the original packets left from.

Example:

This example diagram shows one of the MEP Security Gateways in a Remote Access Client to a MEP Security Gateway deployment:

  1 - Packets from the source host:
      Source: Original
      Destination:

  2 - VPN tunnel through the Internet

  3 - MEP Security Gateway

  3A - IP Pool 1 packets:
      Source: 10.55.8.x
      Destination:

  3B - IP Pool 2 packets:
      Source: 10.55.10.x
      Destination:

  4 - Internal network 10.8.8.0

  5 - Target host in internal network 10.10.10.0

If a remote client opens a connection to the internal network, reply packets from hosts inside the internal networks are routed to the correct Security Gateway interface, because the IP pool addresses used for the NAT are routed only to that interface.

The remote client's IP address is NATed to an address in the IP pool on one of the Security Gateway interfaces. The addresses in the IP pool can be routed only through that Security Gateway interface so that all reply packets from the target host are returned only to that interface. Therefore, it is important that the IP NAT pools of the interfaces do not overlap.

When the packet returns to the Security Gateway interface, the Security Gateway restores the remote peer's source IP address.

The routing tables on the routers that lie behind the Security Gateway must be edited so that addresses from a Security Gateway IP pool are returned to the correct Security Gateway interface.

Switching between IP Pool NAT per Security Gateway and IP Pool NAT per interface and then installing the Security Policy (the collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection) deletes all IP Pool allocations and all NATed connections.
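The two requirements of this section, that per-interface pools do not overlap and that the routers behind the Security Gateway return each pool to the interface that owns it, as an added Python check. This is not Check Point code or configuration. The interface names, the gateway addresses 10.8.8.1 and 10.10.10.1, and the internal router's routing table are constructed for the example; the second route is deliberately wrong so that the check has something to find:

```python
"""Added example: validate an IP Pool per interface design (not Check Point code).

Assumptions, constructed for this example:
  - Pool 1, 10.55.8.0/24, is owned by gateway interface eth1 (address 10.8.8.1)
  - Pool 2, 10.55.10.0/24, is owned by gateway interface eth2 (address 10.10.10.1)
  - ROUTER_ROUTES is the static routing table of a router behind the gateway
"""
import ipaddress

# interface -> (gateway address on that segment, pool that must return via it)
GATEWAY_POOLS = {
    "eth1": ("10.8.8.1", "10.55.8.0/24"),
    "eth2": ("10.10.10.1", "10.55.10.0/24"),
}

# Constructed router table: (destination prefix, next hop). The second route is
# deliberately wrong: it sends Pool 2 replies to the eth1 address.
ROUTER_ROUTES = [
    ("10.55.8.0/24", "10.8.8.1"),
    ("10.55.10.0/24", "10.8.8.1"),
]


def find_overlaps(pools):
    """Return pairs of interfaces whose pools overlap (must be empty)."""
    nets = {ifc: ipaddress.ip_network(pool) for ifc, (_, pool) in pools.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def lookup_next_hop(routes, dst):
    """Longest-prefix match of dst against routes; None when no route matches."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def check_return_routes(pools, routes):
    """For one sample address from each pool, confirm the router sends replies
    to the gateway address of the interface that owns the pool.
    Returns {interface: (expected_next_hop, actual_next_hop)} for mismatches."""
    problems = {}
    for ifc, (gw_addr, pool) in pools.items():
        sample = str(next(ipaddress.ip_network(pool).hosts()))
        actual = lookup_next_hop(routes, sample)
        if actual != gw_addr:
            problems[ifc] = (gw_addr, actual)
    return problems


if __name__ == "__main__":
    print("overlapping pools:", find_overlaps(GATEWAY_POOLS))
    print("misrouted pools:", check_return_routes(GATEWAY_POOLS, ROUTER_ROUTES))
```

Run against the constructed table, the check reports eth2 as misrouted: a reply to a Pool 2 address would arrive on eth1, where the Security Gateway has no matching NAT state for it. Feeding the check the real router table (exported from the router, or from the gateway's own routes in a lab) before installing the policy catches this before connections start failing.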

Reusing IP Pool Addresses For Different Destinations

IP Pool addresses can be reused for different destinations, which makes more efficient use of the addresses in the pool. If a pool contains N addresses, then any number of clients can be assigned an IP from the pool as long as there are no more than N clients per server.

Using IP Pool allocation per destination, two different clients can receive the same IP from the pool as long as they communicate with different servers (connections 1 and 2). When reusing addresses from the IP Pool, back connections are supported from the original server only (connection 3). This means that connections back to the client can be opened only from the specific server to which the connection was opened.

  1 - Security Gateway with IP Pool addresses A to Z

  2 - Clients:
      Source: Original
      Destination:

  3A - NATed packet from connection 3:
      Source: A
      Destination:

  4A - NATed packet from connection 4:
      Source: A
      Destination:

  5A - NATed packet from reply connection 5:
      Source: Original
      Destination: A

  6A - This server cannot open a connection with Destination A back to the client.

The default Do not reuse IP Pool NAT behavior means that each IP address in the IP Pool is used once (connections 1 and 2 in the following illustration). In this mode, if an IP pool contains 20 addresses, up to 20 different clients can be NATed and back connections can be opened from any source to the client (connection 3).

  1 - Security Gateway with IP Pool addresses A to Z

  2 - Clients:
      Source: Original
      Destination:

  3A - NATed packet from connection 3:
      Source: A
      Destination:

  4A - NATed packet from connection 4:
      Source: Z
      Destination:

  5 - Connection:
      Source: Original
      Destination: A

Switching between the Reuse and Do not reuse modes and then installing the Security Policy deletes all IP Pool allocations and all NATed connections.
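The allocation and restore steps from the Overview, the fall-through to Hide NAT when the pool is exhausted (NAT Priorities), and the two allocation modes of this section, as an added Python model. It is not Check Point code and does not reflect how the Security Gateway stores its NAT tables; it only reproduces the observable rules the text states. The client and server names and the pool addresses "A" and "B" are constructed placeholders:

```python
"""Added example: a model of IP Pool NAT allocation (not Check Point code).

It walks through the Overview mechanism (a pool address replaces the client's
source address; the reply is restored to the client), pool exhaustion (the
caller falls back to Hide NAT, the lower-priority method), and the two modes
of this section: reuse=False gives each client its own pool address, while
reuse=True allocates per (client, server) pair and accepts back connections
only from that server. Client and server names are constructed placeholders.
"""
from dataclasses import dataclass, field


@dataclass
class IpPoolNat:
    pool: list                 # pool addresses in allocation order, e.g. ["A", "B"]
    reuse: bool = False        # "Reuse IP Pool addresses for different destinations"
    alloc: dict = field(default_factory=dict)    # key -> pool address
    reverse: dict = field(default_factory=dict)  # (pool address, server|None) -> client

    def _key(self, client, server):
        # Without reuse a client keeps one address for every destination;
        # with reuse the allocation is per destination.
        return (client, server) if self.reuse else client

    def free_addresses(self, server):
        """Addresses still usable for a new allocation towards `server`."""
        used = {addr for (addr, srv) in self.reverse
                if not self.reuse or srv == server}
        return [addr for addr in self.pool if addr not in used]

    def outbound(self, client, server):
        """Translate the source of a client -> server packet.
        Returns the pool address, or None when the pool is exhausted
        (the connection then falls through to Hide NAT, per NAT priorities)."""
        key = self._key(client, server)
        addr = self.alloc.get(key)
        if addr is None:
            free = self.free_addresses(server)
            if not free:
                return None
            addr = free[0]
            self.alloc[key] = addr
            self.reverse[(addr, server if self.reuse else None)] = client
        return addr

    def inbound(self, server, pool_addr):
        """A reply or back connection from `server` to a pool address.
        Returns the original client, or None when no mapping permits it:
        without reuse any source may reach the client, with reuse only the
        server the client originally connected to."""
        return self.reverse.get((pool_addr, server if self.reuse else None))


if __name__ == "__main__":
    nat = IpPoolNat(pool=["A", "B"], reuse=True)
    nat.outbound("client1", "server1")   # -> "A"
    nat.outbound("client2", "server2")   # -> "A" again, different destination
    print(nat.inbound("server1", "A"), nat.inbound("server9", "A"))  # client1 None
```

With a two-address pool, the Do not reuse mode serves two clients in total and lets any source open a back connection to them (the X11 case from NAT Priorities); the Reuse mode serves two clients per server, at the price that only the server a client actually connected to can reach it. The exhaustion path returns None rather than raising, to mirror the gateway's behaviour of applying Hide NAT instead.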

IP Pool Configuration Procedure