Working with Automatic NAT Rules
You can create Automatic NAT rules for these objects:
- Security Gateways
- Hosts
- Networks
- Address Ranges
The Management Server creates two Automatic NAT rules for Static NAT: one translates the source of the packets and one translates the destination.
For Hide NAT, one rule translates the source of the packets.
For Network and Address Range objects, the Management Server creates an additional rule that does NOT translate intranet traffic. Connections between IP addresses that belong to the same object are not translated.
This table summarizes the Automatic NAT rules:
Example of Automatic NAT Rules
HR network (Static NAT):
- Rule 1: Intranet connections in the HR network are not translated. The Security Gateway does not translate a connection between two computers that are part of the HR object. The Security Gateway does not apply rules 2 and 3 to traffic that matches rule 1.
- Rule 2: Connections from IP addresses in the HR network to any IP address (usually external computers) are translated to the Static NAT IP address.
- Rule 3: Connections from any IP address (usually external computers) to the HR network are translated to the Static NAT IP address.
Sales address range (Hide NAT):
- Rule 1: Intranet connections in the Sales address range are not translated. The Firewall does not translate a connection between two computers that use IP addresses included in the Sales object. The Firewall does not apply rule 2 to traffic that matches rule 1.
- Rule 2: Connections from IP addresses in the Sales address range to any IP address (usually external computers) are translated to the Hide NAT IP address.
Configuring Automatic NAT
Configure the NAT settings in each object for which you need to create Automatic NAT rules, and configure the Access Control rules to allow traffic to the applicable objects.
- From the left navigation panel, click Gateways & Servers.
- Double-click the Security Gateway object. The General Properties window of the gateway opens.
- From the navigation tree, select NAT > Advanced.
- Select Add automatic address translation rules to hide this Gateway behind another Gateway.
- Select the Translation method: Hide or Static.
- Configure the NAT IP address for the object:
  - Hide behind Gateway - Uses the IP address of the corresponding Security Gateway's interface.
  - Hide behind IP address - Enter the IP address.
- Click Install on Gateway and select All or the Security Gateway that translates the IP address.
- Click OK.
- Install the Access Control Policy.
Example Deployment
The goal for this sample deployment is to configure:
- Static NAT for the EMail server and the Web server on the internal network. These servers can be accessed from the Internet using public addresses.
- Hide NAT for the users on the internal network that gives them Internet access. This network cannot be accessed from the Internet.

Item | Description
---|---
1 | Internal computers (Alaska_LAN, IPv6 2001:db8::/64)
2 | Web server (Alaska_Web, IPv6 2001:db8:0:10::5 is translated to IPv6 2001:db8:0:a::5)
3 | Mail server (Alaska_Mail, IPv6 2001:db8:0:10::6 is translated to IPv6 2001:db8:0:a::6)
4 | Security Gateway (Alaska_GW, external IPv6 2001:db8:0:a::1)
5 | External computers and servers in the Internet
Configuration Procedure:
- Configure Automatic Static NAT for the Web server:
  - Double-click the Alaska_Web object.
  - From the left, click NAT.
  - Select Add Automatic Address Translation Rules.
  - In Translation method, select Static.
  - Select Hide behind IP Address and enter 2001:db8:0:a::5.
  - Click OK.
- Enable Automatic Static NAT for the EMail server:
  - Double-click the Alaska_Mail object.
  - From the left, click NAT.
  - Select Add Automatic Address Translation Rules.
  - In Translation method, select Static.
  - Select Hide behind IP Address and enter 2001:db8:0:a::6.
  - Click OK.
- Enable Automatic Hide NAT for the internal computers:
  - Double-click the Alaska_LAN object.
  - From the left, click NAT.
  - Select Add Automatic Address Translation Rules.
  - In Translation method, select Hide.
  - Select Hide behind Gateway.
  - Click OK.
- Install the Access Control Policy.
The Management Server creates these Automatic NAT rules in Security Policies view > Access Control > NAT:
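The rule set that the Management Server generates for the example deployment, and the way it is evaluated (intranet exemption first, then source and destination translation, first match wins), can be modelled in a few lines. The following is an added example, not Check Point code: it builds the Automatic NAT rules for Alaska_Web, Alaska_Mail and Alaska_LAN from the addresses in the deployment table, then runs constructed traffic through them. "Hide behind Gateway" is simplified here to the gateway's external address 2001:db8:0:a::1 (the real rule hides behind the interface the connection leaves through), and the Internet-side addresses in the sample traffic are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class NatRule:
    name: str
    orig_src: Optional[IPv6Network]    # None means "Any"
    orig_dst: Optional[IPv6Network]    # None means "Any"
    xlate_src: Optional[IPv6Address]   # None means "keep original"
    xlate_dst: Optional[IPv6Address]   # None means "keep original"


def automatic_rules(obj_name: str, original: IPv6Network,
                    method: str, nat_ip: IPv6Address) -> List[NatRule]:
    """Rules the Management Server creates for one object (model, not product code).

    Static NAT: two rules, one translating the source and one the destination.
    Hide NAT: one rule translating the source.
    Network and Address Range objects (more than one address) get a first
    rule that exempts intranet traffic; a /128 host object does not need one.
    """
    rules: List[NatRule] = []
    if original.num_addresses > 1:
        rules.append(NatRule(f"{obj_name}: intranet, no NAT", original, original, None, None))
    rules.append(NatRule(f"{obj_name}: {method} NAT source", original, None, nat_ip, None))
    if method == "Static":
        # Static NAT is 1:1; this model assumes a host object, so the reverse
        # rule maps the public address back to the single internal address.
        rules.append(NatRule(f"{obj_name}: Static NAT destination", None,
                             ip_network(f"{nat_ip}/128"), None, original.network_address))
    return rules


ALASKA_GW_EXTERNAL = IPv6Address("2001:db8:0:a::1")   # item 4 in the table


def build_rule_base() -> List[NatRule]:
    """Rules in the order the objects are configured in the procedure above:
    the Static host rules first, then the Hide rule for the LAN. First match
    wins, so this order is what keeps the intranet exemption ahead of the
    translating rules of the same object."""
    rules: List[NatRule] = []
    rules += automatic_rules("Alaska_Web", ip_network("2001:db8:0:10::5/128"),
                             "Static", IPv6Address("2001:db8:0:a::5"))
    rules += automatic_rules("Alaska_Mail", ip_network("2001:db8:0:10::6/128"),
                             "Static", IPv6Address("2001:db8:0:a::6"))
    # "Hide behind Gateway", simplified to the gateway's external address.
    rules += automatic_rules("Alaska_LAN", ip_network("2001:db8::/64"),
                             "Hide", ALASKA_GW_EXTERNAL)
    return rules


def translate(src: str, dst: str, rules: List[NatRule]) -> Tuple[str, str, str]:
    """Apply the first matching rule to a (source, destination) pair.
    Returns the translated pair and the name of the rule that matched."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        src_ok = r.orig_src is None or s in r.orig_src
        dst_ok = r.orig_dst is None or d in r.orig_dst
        if src_ok and dst_ok:
            new_src = r.xlate_src if r.xlate_src is not None else s
            new_dst = r.xlate_dst if r.xlate_dst is not None else d
            return str(new_src), str(new_dst), r.name
    return src, dst, "no NAT"


if __name__ == "__main__":
    rb = build_rule_base()
    # Constructed sample traffic; 2001:db8:ffff::1 stands in for an Internet host.
    for src, dst in [("2001:db8::10", "2001:db8:ffff::1"),     # LAN client to Internet
                     ("2001:db8:ffff::1", "2001:db8:0:a::5"),  # Internet to public Web address
                     ("2001:db8:0:10::6", "2001:db8:ffff::1"), # Mail server to Internet
                     ("2001:db8::10", "2001:db8::20"),         # LAN to LAN (intranet)
                     ("2001:db8:ffff::1", "2001:db8::10")]:    # Internet to a hidden LAN host
        print(f"{src} -> {dst}  becomes  {translate(src, dst, rb)}")
```

The last sample connection matches no NAT rule at all, which is the NAT-side view of "this network cannot be accessed from the Internet"; whether such a packet is dropped is decided by the Access Control rules, not by NAT.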
Automatic Hide NAT to External Networks
For large and complex networks, it can be impractical to configure the Hide NAT settings for all the internal IP addresses.
An easy alternative is to enable the Security Gateway to automatically apply Hide NAT to all traffic with external networks. The Security Gateway translates all traffic that leaves through an external interface to the valid IP address of that interface.
In this sample configuration, computers in internal networks open connections to external servers on the Internet. The source IP addresses of internal clients are translated to the IP address of an external interface.
Item | Description
---|---
1 | Internal networks
2 | Security Gateway is configured with Automatic Hide NAT.
2A and 2B | Two external interfaces 192.0.2.1 and 192.0.2.100.
3 | External computers and servers on the Internet
1 --> 3 | Source IP addresses are translated to the applicable external interface IP address: 192.0.2.1 or 192.0.2.100.

Note - If a connection matches a regular NAT rule and a NAT-for-internal-networks rule, the regular NAT rule takes precedence.
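Which external address a hidden connection gets depends on the interface the packet leaves through, and the Note above fixes the precedence between a regular NAT rule and the automatic behaviour. The following added example (not Check Point code) models exactly that decision: a longest-prefix route lookup picks the egress interface, traffic leaving an external interface is hidden behind that interface's address, and an explicit rule is checked first. The two external addresses 192.0.2.1 and 192.0.2.100 come from the figure; the internal prefix 10.1.0.0/16, the interface names, the route to 203.0.113.0/24 and the regular Static NAT rule for 10.1.5.5 are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Interface:
    name: str
    address: IPv4Address
    external: bool          # only external interfaces hide traffic


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str          # name of the egress interface


@dataclass(frozen=True)
class RegularNatRule:
    original_src: IPv4Network
    translated_src: IPv4Address


# Constructed topology for the figure: 2A and 2B carry the figure's addresses,
# everything else (prefixes, names, the peer route, the explicit rule) is assumed.
INTERFACES: Dict[str, Interface] = {
    "eth0": Interface("eth0", IPv4Address("10.1.0.1"), external=False),    # towards item 1
    "eth1": Interface("eth1", IPv4Address("192.0.2.1"), external=True),    # item 2A
    "eth2": Interface("eth2", IPv4Address("192.0.2.100"), external=True),  # item 2B
}
ROUTES: List[Route] = [
    Route(ip_network("10.1.0.0/16"), "eth0"),     # internal networks
    Route(ip_network("203.0.113.0/24"), "eth2"),  # a peer network reached via 2B
    Route(ip_network("0.0.0.0/0"), "eth1"),       # default route via 2A
]
REGULAR_NAT_RULES: List[RegularNatRule] = [
    # An explicit (regular) Static NAT rule for one internal host (constructed).
    RegularNatRule(ip_network("10.1.5.5/32"), IPv4Address("192.0.2.50")),
]


def egress_interface(dst: IPv4Address, routes: List[Route],
                     interfaces: Dict[str, Interface]) -> Optional[Interface]:
    """Longest-prefix match: the most specific route decides the egress interface."""
    matches = [r for r in routes if dst in r.prefix]
    if not matches:
        return None
    best = max(matches, key=lambda r: r.prefix.prefixlen)
    return interfaces[best.interface]


def translate_source(src: str, dst: str,
                     rules: List[RegularNatRule] = REGULAR_NAT_RULES,
                     routes: List[Route] = ROUTES,
                     interfaces: Dict[str, Interface] = INTERFACES) -> Tuple[str, str]:
    """Return (translated source address, reason) for a connection src -> dst.

    A regular NAT rule is evaluated first and takes precedence over the
    automatic hide-behind-external-interface behaviour, as the Note states.
    """
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if s in rule.original_src:
            return str(rule.translated_src), "regular NAT rule"
    iface = egress_interface(d, routes, interfaces)
    if iface is None:
        return src, "no route"
    if not iface.external:
        return src, f"egress {iface.name} is internal, not translated"
    return str(iface.address), f"Automatic Hide NAT behind {iface.name}"


if __name__ == "__main__":
    # Constructed sample connections from item 1 towards item 3 and within item 1.
    for src, dst in [("10.1.2.3", "198.51.100.7"),   # default route, leaves via 2A
                     ("10.1.2.3", "203.0.113.9"),    # peer route, leaves via 2B
                     ("10.1.5.5", "198.51.100.7"),   # covered by the regular rule
                     ("10.1.2.3", "10.1.9.9")]:      # stays internal
        print(f"{src} -> {dst}: {translate_source(src, dst)}")
```

The point to take from the model is that the hidden address is a property of the egress interface, not of the object; when a gateway has more than one external interface, return traffic for a hidden connection must arrive at the same interface whose address was used, which is why asymmetric routing breaks this kind of NAT.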
To enable Automatic Hide NAT:
- From the left navigation panel, click Gateways & Servers.
- Double-click the Security Gateway object.
- From the navigation tree, click NAT.
- Select Hide internal networks behind the Gateway's external IP.
- Click OK.
- Install the Access Control Policy.