Working with Network Address Translation (NAT)

Note - In Security Groups in Maestro and Scalable Chassis:

This section describes the process for using Network Address Translation (NAT) in a VSX deployment.

The procedures described in this section assume that the reader is familiar with NAT concepts and their implementation in Check Point products.

For more about NAT, see the R81 Security Management Administration Guide - Section Configuring NAT Policy.

VSX supports NAT for Virtual Systems in much the same manner as a physical Security Gateway. When a NAT-enabled (Static or Hide) Virtual System connects to a Virtual Router, the translated routes are automatically forwarded to the appropriate Virtual Router.

Configure NAT using the NAT page in the Virtual System window. Hide or Static NAT addresses configured in this manner are automatically forwarded to the Virtual Router to which the Virtual System is connected. Alternatively, you can manually add NAT routes on the Topology page in the Virtual Router window.

To configure NAT for a Virtual System on a VSX Gateway:

1. Connect with SmartConsole to the Security Management Server / Target Domain Management Server that manages this Virtual System.

2. From the left navigation panel, click Gateways & Servers.

3. Open the Virtual System object.

4. From the navigation tree, click NAT > Advanced.

   The Advanced page opens.

5. Select Add Automatic Address Translation.

6. Select the Translation method.

   • Hide - Hide NAT only allows connections originating from the internal network. Internal hosts can access internal destinations, the Internet and other external networks. External sources cannot initiate a connection to internal network addresses.

     Select one of these options:

     • Hide behind Gateway - Hides the real address behind the VSX Gateway external interface address. This is equivalent to hiding behind the address 0.0.0.0 for IPv4, or :: for IPv6.

     • Hide behind IP Address - Hides the real address behind a virtual IP address, which is a routable, public IP address that does not belong to any real machine.

   • Static - Static NAT translates each private address to a corresponding public address.

     Enter the static IP address.

7. From the Install on Gateway list, select the VSX Gateway.

8. Click OK.

9. Install the Access Control Policy on this Virtual System.

To configure NAT for a Virtual System on a VSX Cluster:

Use case - Perform Hide NAT on traffic that a Virtual System itself generates in a VSX Cluster, so that the Virtual System can connect to external resources (for example, to update Anti-Bot signatures from the Check Point cloud).

1. Connect to the command line on each VSX Cluster Member.

2. Log in to the Expert mode.

3. Switch to the context of the applicable Virtual System:

   [Expert@HostName:0]# vsenv <VSID>

4. Get the Funny IP address of the applicable Virtual System interface, through which the applicable traffic goes out.

   Note - The Funny IP address is the IP address that belongs to the cluster's internal communications network (open the VSX Cluster object properties and go to the "Cluster Members" pane).

   Run one of these commands:

   • [Expert@HostName:<VSID>]# fw getifs

   • [Expert@HostName:<VSID>]# \ifconfig

   Write down the Funny IP address.

5. Connect with SmartConsole to the Security Management Server / Target Domain Management Server that manages this Virtual System.

6. From the left navigation panel, click Gateways & Servers.

7. Create a new Node Host object and assign to it the Funny IP address you wrote down in Step 4.

8. Create a new Node Host object and assign to it the NATed IP address.

9. From the left navigation panel, click Security Policies.

10. In the Access Control > NAT policy, create the applicable NAT rule to hide the traffic from the Virtual System behind the NATed IP address:

    • Original Source - Must be a Node Host object with the Funny IP address of the Virtual System

    • Original Destination - Any

    • Original Services - Any

    • Translated Source - Must be a Node Host object with the NATed IP address of the Virtual System

    • Translated Destination - = Original

    • Translated Services - = Original

    • Install On - Policy Targets or the Virtual System object

11. Install the Access Control Policy on this Virtual System.
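Step 4 of the cluster procedure asks you to read the Funny IP address off the command output and copy it into the Node Host object in Step 7; copying the wrong interface's address produces a NAT rule that never matches. The shell function below is an added example (not part of the Check Point guide) that picks the address of a named interface out of fw getifs output and sanity-checks that it is a dotted-quad before it is pasted into SmartConsole. It assumes that fw getifs prints one line per interface in the form <hostname> <interface> <ip-address> <netmask>; the sample output, interface names and addresses are constructed, so verify the format on a real VSX Cluster Member before relying on it.

```shell
#!/bin/sh
# Added example, not Check Point code: extract the Funny IP address of one
# Virtual System interface from "fw getifs" output (Step 4 of the procedure).

# ASSUMPTION about the output format of "fw getifs":
#   <hostname> <interface> <ip-address> <netmask>
# The lines below are a constructed sample, not captured from a real member.
SAMPLE_GETIFS='localhost eth1 192.0.2.10 255.255.255.0
localhost eth2 198.51.100.5 255.255.255.0
localhost wrp128 10.200.0.3 255.255.255.0'

# funny_ip_from_getifs INTERFACE
# Reads fw getifs output on stdin and prints the IPv4 address of INTERFACE.
# Returns 1 (and prints nothing) when the interface is not listed, so a typo
# in the interface name cannot silently yield an empty Node Host address.
funny_ip_from_getifs() {
    iface="$1"
    ip=$(awk -v want="$iface" '$2 == want { print $3; exit }')
    [ -n "$ip" ] || return 1
    printf '%s\n' "$ip"
}

# is_ipv4 VALUE - succeeds only if VALUE is a dotted-quad address.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# On a real VSX Cluster Member (Expert mode) the same function is fed live data
# after switching to the Virtual System context:
#   vsenv <VSID> && fw getifs | funny_ip_from_getifs eth1
# Offline demonstration on the constructed sample:
demo() {
    printf '%s\n' "$SAMPLE_GETIFS" | funny_ip_from_getifs "$1"
}

# Stand-alone run: sh funny_ip.sh eth2  (prints 198.51.100.5 from the sample)
if [ $# -gt 0 ]; then
    demo "$1"
fi
```

The interface you pass must be the one through which the traffic in question leaves the Virtual System, as the procedure states; the check only guards against copying errors, not against choosing the wrong interface.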