Working with Manual NAT Rules

For some deployments, it is necessary to manually define the NAT rules.

For example:

  • Rules that are restricted to specific destination IP addresses and to specific source IP addresses

  • Translating both source and destination IP addresses in the same packet

  • Static NAT in only one direction

  • Translating services (destination ports)

  • Rules that only use specified services (ports)

  • Translating IP addresses for dynamic objects

General workflow when working with manual NAT rules:

  1. Create SmartConsole objects that use the valid (NATed) IP addresses. (SmartConsole is the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on.)

  2. Create Manual NAT rules to translate the original IP addresses of the objects to valid IP addresses.

  3. Configure the Access Control Policy to allow traffic to the applicable translated objects with the valid IP addresses.

Note - For Manual NAT rules, it is necessary to configure Proxy ARP entries to associate the translated IP address. See Automatic and Proxy ARP.
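The three workflow steps above, driven through the Check Point Management Web API instead of the SmartConsole GUI, as an added example that is not part of this page and not Check Point's own code. The API command names (login, add-host, add-nat-rule, add-access-rule, publish, logout) and their parameters are the real Web API ones; every object name, IP address, package and layer name, user name and server URL is an assumed placeholder. The rule it builds is the one in the example table below (HTTP_Client to Web_Server on http, static translation of the destination). Proxy ARP for the translated address is configured on the gateway, not through this API, and is therefore not covered.

```python
"""Drive the manual NAT workflow (objects -> manual NAT rule -> access rule
-> publish) through the Check Point Management Web API.
Added example; object names, addresses, package/layer and URL are placeholders."""
import ipaddress
import json
import ssl
import urllib.request
from typing import Any, Callable, Dict, List, Tuple

# A transport takes (url, json body, extra headers) and returns the decoded
# JSON reply.  Keeping it pluggable lets the workflow run without a gateway.
Transport = Callable[[str, Dict[str, Any], Dict[str, str]], Dict[str, Any]]
ApiCall = Tuple[str, Dict[str, Any]]  # (API command name, request body)


def build_manual_nat_steps(client_name: str, client_ip: str,
                           valid_name: str, valid_ip: str,
                           internal_name: str, internal_ip: str,
                           package: str = "Standard",
                           layer: str = "Network") -> List[ApiCall]:
    """Return the API calls, in order, for one static manual NAT rule.

    Step 1: host objects, the valid (NATed) address among them.
    Step 2: the manual NAT rule translating the valid address to the real host.
    Step 3: an Access Control rule permitting traffic to the valid-IP object.
    """
    for ip in (client_ip, valid_ip, internal_ip):
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    if valid_ip == internal_ip:
        raise ValueError("valid and internal addresses must differ")
    return [
        # Step 1: no automatic NAT on the objects (auto-rule false); the
        # translation is expressed only by the manual rule below.
        ("add-host", {"name": client_name, "ip-address": client_ip}),
        ("add-host", {"name": valid_name, "ip-address": valid_ip,
                      "nat-settings": {"auto-rule": False}}),
        ("add-host", {"name": internal_name, "ip-address": internal_ip,
                      "nat-settings": {"auto-rule": False}}),
        # Step 2: original destination = valid-IP object, translated
        # destination = internal host, static method.  Source and service
        # are left unset, which keeps them "= Original" as in the table.
        ("add-nat-rule", {"package": package, "position": "top",
                          "enabled": True,
                          "original-source": client_name,
                          "original-destination": valid_name,
                          "original-service": "http",
                          "translated-destination": internal_name,
                          "method": "static",
                          "comments": "manual static NAT, web server (example)"}),
        # Step 3: rule matching uses the packet's original (pre-NAT)
        # destination, so the access rule must reference the valid-IP object.
        ("add-access-rule", {"layer": layer, "position": "top",
                             "name": f"allow http to {valid_name}",
                             "source": client_name, "destination": valid_name,
                             "service": "http", "action": "Accept",
                             "track": {"type": "Log"}}),
        ("publish", {}),
    ]


def run_steps(transport: Transport, base_url: str, user: str, password: str,
              steps: List[ApiCall]) -> List[Dict[str, Any]]:
    """Log in, send each call with the session id, always log out."""
    sid = transport(f"{base_url}/web_api/login",
                    {"user": user, "password": password}, {})["sid"]
    headers = {"X-chkp-sid": sid}
    replies: List[Dict[str, Any]] = []
    try:
        for command, body in steps:
            replies.append(transport(f"{base_url}/web_api/{command}", body, headers))
    finally:
        transport(f"{base_url}/web_api/logout", {}, headers)
    return replies


def https_transport(url: str, body: Dict[str, Any],
                    headers: Dict[str, str]) -> Dict[str, Any]:
    """Real transport: POST JSON to the management server, TLS verified."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.loads(resp.read().decode())


def demo_call_sequence() -> List[str]:
    """Run the workflow against a recording fake transport; return the
    sequence of API commands that would have reached the server."""
    log: List[str] = []

    def fake(url: str, body: Dict[str, Any], headers: Dict[str, str]):
        log.append(url.rsplit("/", 1)[-1])
        return {"sid": "fake-session"} if url.endswith("/login") else {"status": "ok"}

    steps = build_manual_nat_steps("HTTP_Client", "192.0.2.10",
                                   "Web_Server", "203.0.113.5",
                                   "Web_Server_Internal", "10.1.1.5")
    run_steps(fake, "https://mgmt.example.invalid", "api_user", "placeholder", steps)
    return log
```

With a real management server, call `run_steps(https_transport, "https://<mgmt>", user, password, steps)`; the sequence ends with `publish`, so the change becomes visible in SmartConsole but is not installed until the policy is pushed. `demo_call_sequence()` exercises the same code path against a fake transport.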

Example of a Manual NAT Rule

| No | Original Source | Original Destination | Original Services | Translated Source | Translated Destination | Translated Services | Install On     | Comments |
|----|-----------------|----------------------|-------------------|-------------------|------------------------|---------------------|----------------|----------|
| 1  | HTTP_Client     | Web_Server           | http              | = Original        | Web_Server (S = Static) | = Original         | Policy Targets |          |

Configuring Manual NAT

Example Deployment