Working with Automatic NAT Rules

You can create Automatic NAT rules for these objects:

Security Gateways
Hosts
Networks
Address Ranges

The Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. creates two Automatic NAT rules for Static NAT, to translate the source and the destination of the packets.

For Hide NAT, one rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. translates the source of the packets.

For Network and Address Range objects, the Management Server creates a different rule to NOT translate intranet traffic. IP addresses for computers on the same object are not translated.

This table summarizes the Automatic NAT rules:

Type of Traffic	Automatic NAT - Static	Automatic NAT - Hide
Internal to external	Rule translates source IP address	Rule translates source IP address
External to internal	Rule translates destination IP address	N/A (External connections are not allowed)
Intranet (for network and address range objects)	Rule does not translate IP address	Rule does not translate IP address

Example of Automatic NAT Rules

Static NAT for a Network object

No	Original Source	Original Destination	Original Services	Translated Source	Translated Destination	Translated Services	Install On
Automatic Generated Rules
NAT Rules for HR (1-3)
1	HR	HR	`Any`	`= Original`	`= Original`	`= Original`	`Policy Targets`
2	HR	`Any`	`Any`	_S HR (Valid Address)	`= Original`	`= Original`	`Policy Targets`
3	`Any`	HR (Valid Address)	`Any`	`= Original`	_S HR	`= Original`	`Policy Targets`

Intranet connections in the HR network are not translated.

The Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. does not translate a connection between two computers that are part of the HR object.

The Security Gateway does not apply rules 2 and 3 to traffic that matches rule 1.
Connections from IP addresses from the HR network to any IP address (usually external computers) are translated to the Static NAT IP address.
Connections from any IP address (usually external computers) to the HR are translated to the Static NAT IP address.

Hide NAT for an Address Range object

No	Original Source	Original Destination	Original Services	Translated Source	Translated Destination	Translated Services	Install On
Automatic Generated Rules
NAT Rules for Sales (1-2)
1	Sales	Sales	`Any`	`= Original`	`= Original`	`= Original`	`Policy Targets`
2	Sales	`Any`	`Any`	_H Sales (Hiding Address)	`= Original`	`= Original`	`Policy Targets`

Intranet connections in the Sales address range are not translated.

The Firewall does not translate a connection between two computers that use IP addresses that are included in the Sales object.

The Firewall does not apply rule 2 to traffic that matches rule 1.
Connections from IP addresses from the Sales address range to any IP address (usually external computers) are translated to the Hide NAT IP address.

Configuring Automatic NAT

Configure the NAT settings in each object, for which you need to create Automatic NAT rules, and configure the Access Control rules to allow traffic to the applicable objects.

Procedure

From the left navigation panel, click Gateways & Servers.
Double-click the Security Gateway object.

The General Properties window of the gateway opens.
From the navigation tree, select NAT > Advanced.
Select Add automatic address translation rules to hide this Gateway behind another Gateway.
Select the Translation method: Hide or Static.
Configure the NAT IP address for the object.
- Hide behind Gateway - Uses the IP address of the corresponding Security Gateway's interface
- Hide behind IP address - Enter the IP address.
Click Install on Gateway and select All or the Security Gateway that translates the IP address.
Click OK.
Install the Access Control Policy.

Example Deployment

Example

The goal for this sample deployment is to configure:

Static NAT for the EMail server and the Web server on the internal network.

These servers can be accessed from the Internet using public addresses.
Hide NAT for the users on the internal network that gives them Internet access.

This network cannot be accessed from the Internet.

Item	Description
1	Internal computers (Alaska_LAN, IPv6 2001:db8::/64)
2	Web server (Alaska_Web, IPv6 2001:db8:0:10::5 is translated to IPv6 2001:db8:0:a::5)
3	Mail server (Alaska_Mail, IPv6 2001:db8:0:10::6 is translated to IPv6 2001:db8:0:a::6)
4	Security Gateway (Alaska_GW, external IPv6 2001:db8:0:a::1)
5	External computers and servers in the Internet

Configuration Procedure:

Configure Automatic Static NAT for the Web server:
1. Double-click the Alaska_Web object.
2. From the left, click NAT.
3. Select Add Automatic Address Translation Rules.
4. In Translation method, select Static.
5. Select Hide behind IP Address and enter 2001:db8:0:a::5.
6. Click OK
Enable Automatic Static NAT for the EMail server:
1. Double-click the Alaska_Mail object.
2. From the left, click NAT.
3. Select Add Automatic Address Translation Rules.
4. In Translation method, select Static.
5. Select Hide behind IP Address and enter 2001:db8:0:a::6.
6. Click OK.
Enable Automatic Hide NAT for the internal computers:
1. Double-click the Alaska_LAN object.
2. From the left, click NAT.
3. Select Add Automatic Address Translation Rules.
4. In Translation method, select Hide.
5. Select Hide behind Gateway.
Click OK.
Install the Access Control Policy.

The Management Server creates these Automatic NAT rules in Security Policies view > Access Control > NAT:

No	Original Source	Original Destination	Original Services	Translated Source	Translated Destination	Translated Services	Install On
Automatic Generated Rules
NAT Rules for Sales (1-2)
1	Alaska_Web	Alaska_Web	`Any`	`= Original`	`= Original`	`= Original`	`Policy Targets`
2	Alaska_Web	`Any`	`Any`	_S Alaska_Web (Valid Address)	`= Original`	`= Original`	`Policy Targets`
3	`Any`	Alaska_Web	`Any`	`= Original`	_S Alaska_Web (Valid Address)	`= Original`	`Policy Targets`
4	Alaska_Mail	Alaska_Mail	`Any`	`= Original`	`= Original`	`= Original`	`Policy Targets`
5	Alaska_Mail	`Any`	`Any`	_S Alaska_Mail (Valid Address)	`= Original`	`= Original`	`Policy Targets`
6	`Any`	Alaska_Mail	`Any`	`= Original`	_S Alaska_Mail (Valid Address)	`= Original`	`Policy Targets`
7	Alaska_LAN	Alaska_LAN	`Any`	`= Original`	`= Original`	`= Original`	`Policy Targets`
8	Alaska_LAN	`Any`	`Any`	_H Alaska_LAN (Hiding Address)	`= Original`	`= Original`	`Policy Targets`

Automatic Hide NAT to External Networks

For large and complex networks, it can be impractical to configure the Hide NAT settings for all the internal IP addresses.

Explanation

An easy alternative is to enable a Security Gateway to automatically Hide NAT for all traffic with external networks. The Security Gateway translates all traffic that goes through an external interface to the valid IP address of that interface.

In this sample configuration, computers in internal networks open connections to external servers on the Internet. The source IP addresses of internal clients are translated to the IP address of an external interface.

Item	Description
1	Internal networks
2	Security Gateway is configured with Automatic Hide NAT.
2A and 2B	Two external interfaces 192.0.2.1 and 192.0.2.100.
1 -->3	External computers and servers on the Internet

Source IP addresses are translated to the applicable external interface IP address: 192.0.2.1 or 192.0.2.100.

Note - If a connection matches a regular NAT rule and a NAT-for-internal-networks rule, the regular NAT rule takes precedence.

To enable Automatic Hide NAT:

From the left navigation panel, click Gateways & Servers.
Double-click the Security Gateway object.
From the navigation tree, click NAT.
Select Hide internal networks behind the Gateway's external IP.
Click OK.
Install the Access Control Policy.