Working with Manual NAT Rules
For some deployments, it is necessary to manually define the NAT rules.
For example:
- Rules that are restricted to specific destination IP addresses and to specific source IP addresses
- Translating both source and destination IP addresses in the same packet
- Static NAT in only one direction
- Translating services (destination ports)
- Rules that only use specified services (ports)
- Translating IP addresses for dynamic objects
General workflow when working with manual NAT rules:
- Create SmartConsole objects that use the valid (NATed) IP addresses.
- Create Manual NAT rules to translate the original IP addresses of the objects to valid IP addresses.
- Configure the Access Control Policy to allow traffic to the applicable translated objects with the valid IP addresses.
Note - For Manual NAT rules, it is necessary to configure Proxy ARP entries to associate the translated IP address. See Automatic and Proxy ARP.
Example of a Manual NAT Rule
Configuring Manual NAT
- From the left navigation panel, click Security Policies.
- Click Access Control > NAT.
- Add a new rule in one of these ways:
  - From the top toolbar, click the Add Rule icon (the leftmost icon).
  - If there are existing Manual NAT rules, right-click in the No. column of the applicable rule > in the line New Rule, click Above or Below.
- In the new rule, select the required objects and configure the required translation.
  If the required objects do not exist, you can create them in the selection window (in the top right corner, click the icon).
- Install the Access Control Policy.
Example Deployment
This example configuration shows how to let external computers access an internal web server and an internal mail server in a DMZ network from one IP address.
To do this, you must configure Hide NAT for the DMZ network object and create manual NAT rules for the servers.
| Item | Description |
|---|---|
| 1 | External computers and servers on the Internet |
| 2 | Security Gateway (Alaska_GW, external IPv6 2001:db8:0:c::1) |
| 3 | DMZ network (Alaska_DMZ, IPv6 2001:db8:a::/128) |
| 4 | Web server (Alaska_DMZ_Web, IPv6 2001:db8:a::35:5 is translated to IPv6 2001:db8:0:c::1) |
| 5 | Mail server (Alaska_DMZ_Mail, IPv6 2001:db8:a::35:6 is translated to IPv6 2001:db8:0:c::1) |
Configuration Procedure:
- Configure Automatic Hide NAT for the DMZ network:
  - Double-click the Network object Alaska_DMZ.
  - From the left, click NAT.
  - Select Add Automatic Address Translation Rules.
  - In Translation method, select Hide.
  - Select Hide behind Gateway.
  - Click OK.
  The Management Server creates these Automatic NAT rules in Security Policies view > Access Control > NAT:
- Create a Manual NAT rule to translate incoming HTTP traffic to the internal Web server:
  - In SmartConsole, go to Security Policies view > Access Control > NAT.
  - Add a new rule (#3) below the existing Automatic NAT rules.
  - Select these objects:
- Create a Manual NAT rule to translate incoming SMTP traffic to the internal Mail server:
  - Add a new rule (#4) below the existing NAT rules.
  - Select these objects:
- Create an Access Control rule to allow the incoming HTTP and SMTP traffic to the internal servers:
  - In SmartConsole, go to Security Policies > Access Control > NAT.
  - Add a new rule.
  - Select these objects:
- Install the Access Control Policy.
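To check that the rule base above does what the deployment needs (one external address, two internal servers told apart only by destination port), here is a small first-match model of the NAT rule base written for this page; it is an added example, not Check Point code. It assumes the automatic Hide NAT pair created for Alaska_DMZ sits at rules 1-2, the manual rules at 3-4 match on the gateway address plus port 80 or 25, and the DMZ prefix is /64 so that the server addresses fall inside it (the table lists /128).

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network, ip_address, ip_network
from typing import Optional, Tuple

# Objects from the example deployment (constructed model, not Check Point code).
GW_EXT = ip_address("2001:db8:0:c::1")             # Alaska_GW external address
GW_HOST = ip_network("2001:db8:0:c::1/128")        # same address as a match target
DMZ_NET = ip_network("2001:db8:a::/64")            # Alaska_DMZ; ASSUMPTION: /64
WEB = ip_address("2001:db8:a::35:5")               # Alaska_DMZ_Web
MAIL = ip_address("2001:db8:a::35:6")              # Alaska_DMZ_Mail

@dataclass(frozen=True)
class NatRule:
    no: int
    orig_src: Optional[IPv6Network]    # None = Any
    orig_dst: Optional[IPv6Network]    # None = Any
    orig_port: Optional[int]           # original destination port; None = Any
    xlate_src: Optional[IPv6Address]   # None = Original (left unchanged)
    xlate_dst: Optional[IPv6Address]   # None = Original
    xlate_port: Optional[int]          # None = Original

# NAT rule base in policy order: first match wins, later rules are not consulted.
RULEBASE = [
    # 1-2: the pair created by Automatic Hide NAT on Alaska_DMZ (source-matched,
    # so they never apply to traffic arriving from the Internet).
    NatRule(1, DMZ_NET, DMZ_NET, None, None, None, None),   # DMZ -> DMZ: Original
    NatRule(2, DMZ_NET, None, None, GW_EXT, None, None),    # DMZ -> Any: hide behind GW
    # 3-4: the manual rules; only the destination port tells the two servers apart.
    NatRule(3, None, GW_HOST, 80, None, WEB, None),         # Any -> GW:80 => Web server
    NatRule(4, None, GW_HOST, 25, None, MAIL, None),        # Any -> GW:25 => Mail server
]

def translate(src: str, dst: str, dport: int) -> Tuple[str, str, int, Optional[int]]:
    """Apply the rule base to one packet; return (src, dst, dport, matched rule number)."""
    s, d = ip_address(src), ip_address(dst)
    for r in RULEBASE:
        if r.orig_src is not None and s not in r.orig_src:
            continue
        if r.orig_dst is not None and d not in r.orig_dst:
            continue
        if r.orig_port is not None and dport != r.orig_port:
            continue
        new_src = r.xlate_src if r.xlate_src is not None else s
        new_dst = r.xlate_dst if r.xlate_dst is not None else d
        new_port = r.xlate_port if r.xlate_port is not None else dport
        return str(new_src), str(new_dst), new_port, r.no
    return src, dst, dport, None   # no rule matched: packet is forwarded untranslated
```

Running packets through `translate` shows the property worth verifying before installing the policy: a packet from the Internet to the gateway address on a port other than 80 or 25 matches no rule and is not redirected to either server, while DMZ-to-DMZ traffic is left untranslated by rule 1 before the hide rule is reached.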