Defining NAT Control

In the Access Policy > Firewall NAT page you can configure NAT for outgoing traffic and see how many servers are defined in the system. Servers are defined in the Access Policy > Servers page and are network objects configured with their access and NAT settings. This lets you configure servers that are accessible from the Internet even if they do not have a routable IP address. You can also configure servers with NAT settings from this page.

Note - Locally Managed Quantum Spark Appliances support only one static NAT IP address of one real IP address. For more information, see sk179550.

To disable NAT for outgoing traffic (Hide NAT):

By default, NAT is configured for outgoing traffic. If it is necessary to disable NAT, make sure Hide internal networks behind the Gateway's external IP address is set to OFF.

Important - In most cases, turning off Hide NAT causes Internet connectivity problems: internal hosts with private (non-routable) addresses cannot reach the Internet unless their source address is translated to a routable one. If this appliance is your office's gateway to the Internet, do not set it to OFF without consulting with networking experts.

To configure a server that is routable from the Internet (server with NAT):

  1. Click New Server (forwarding rule).

  2. See the Access Policy > Servers page for instructions on how to use the server wizard.

  3. In the Access step of the server wizard, select one of the options when asked from where this server is accessible.

  4. In the NAT step of the server wizard, select the relevant option:

    • The gateway's external (public) IP address - This configures access through Port Forwarding. The appliance has an external routable IP address which is configured in its Internet connections (on the Device > Internet page). Traffic that arrives at the appliance's external IP address on the ports configured for the server object in step 1 of the wizard is forwarded to the server. This allows traffic from the Internet into the organization (public servers) while still using only one external routable IP address.

    • A different (public) IP address - This configures access through Static NAT. If a routable IP address was purchased for the server, enter it in the address field. While the rest of the internal network is hidden behind the gateway's external IP address, this specified server will use its own accessible IP address. Traffic to the specified IP address on relevant ports as configured in step 1 of the wizard will be forwarded to this server.

    • The server's configured IP address (x.x.x.x) is public - This option is only relevant if Hide internal networks behind the Gateway's external IP address in the Access Policy > NAT Control page is set to OFF (see above for details). No NAT rules are generated for the server; its configured IP address is used as-is on the Internet.

  5. When you have multiple internal servers that use the same port, select Redirect from port and enter a different port number that is used when you access this server from the Internet. Traffic that arrives on the port you entered is forwarded to the server's real port.

  6. By default, the Force translated traffic to return to the gateway checkbox is selected. This lets hosts on the internal network reach the server by its external IP address even though the server sits on the same local switch: the source is translated to "This Gateway", so the server's replies return through the gateway instead of going directly across the switch to a client that never connected to the server's internal address. When the checkbox is cleared, the source stays "Any" and there is no access from the internal network to the server's external IP address through the switch.

  7. Click Finish.

After you create a server with NAT settings, one or more corresponding rules are automatically generated and added to the NAT rules under the Auto Generated Forwarding Rules section. Click View NAT rules to see them. The comment in the rule shows the server object name. You can click the object name link to open the Access tab of the server's properties or click the Servers page link to go to the Firewall Servers page.

Advanced - Manual NAT Rules

Note - For the majority of cases, manual NAT rules are not necessary. There is no need to use this option unless you are an experienced network administrator.

A more advanced way to configure address translation is by defining manual NAT rules. If servers with NAT are configured, the manual NAT rules do not apply to them. However, they apply even when Hide NAT is activated.

These are the fields that manage the NAT rules.

Rule Base Field - Description

Original Source - The network object (a specified IP address) or network group object (a specified IP address range) that is the original source of the connections to translate.

Original Destination - The network object (a specified IP address) or network group object (a specified IP address range) that is the original destination of the connections to translate.

Note - Updatable objects and FQDN objects can be used only as an original source or an original destination, not as a translated source or destination. For more information on how to import them, see Updatable Objects.

Original Service - The original service used for the connections to translate.

Translated Source - The network object or network group object that is the new source to which the original source is translated.

Translated Destination - The network object or network group object that is the new destination to which the original destination is translated.

Translated Service - The new service to which the original service is translated.

To create a new NAT rule:

  1. If the NAT rules table is not shown on the page, click the View NAT rules link.

  2. Click the arrow next to New.

  3. Click one of the available positioning options for the rule: Top Rule, Bottom Rule, Above Selected, or Under Selected.

    The Add Manual NAT Rule window opens. It shows the rule fields in two ways: as a rule summary with clickable links and as table cells.

  4. Click the links in the rule summary or the table cells to select network objects or options that fill out the Rule Base fields. See the descriptions above.

  5. In the Write a comment field, enter optional text that describes the rule. This is shown as a comment below the rule in NAT Manual Rules.

  6. Select Hide multiple sources behind the translated source addresses if the original source contains multiple IP addresses, IP ranges, networks, etc. and the translated source is a single IP address (many-to-one, the same kind of translation as Hide NAT).

    When this option is not selected, you can still use an IP range in the Original Source and a different IP range of the same size in the Translated Source. Such a rule translates one range to the other address by address, in order: the first IP in the original range is translated to the first IP in the translated range, the second to the second, and so on. The two ranges must be the same size.

  7. Select Serve as an ARP Proxy for the original destination's IP address for the gateway to reply to ARP requests sent to the original destination's IP address. This is needed when that address is on the gateway's external subnet but is not configured on any gateway interface, for example a purchased public IP address used for Static NAT: without the proxy ARP reply, the upstream router cannot resolve the address and inbound traffic never reaches the gateway. Note that this does not apply to IP ranges or networks.

  8. Click Apply.

After you create a manual rule, it is added to the NAT rules table under the Manual NAT Rules section.
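The wizard options described above (port forwarding, Redirect from port, Static NAT, Force translated traffic to return to the gateway) and the manual-rule options (hiding many sources behind one address, one-to-one range translation, first-match order) as an added example in plain Python. This is not Check Point code and says nothing about how the appliance implements NAT; the rule ordering (auto-generated forwarding rules, then manual rules, then the default hide rule), the topology and every address are assumptions made for illustration.

```python
"""Model of the NAT behaviour this page describes: added example, not Check Point
code. Rule order (auto-generated forwarding rules, then manual rules, then the
default hide rule) is an assumption taken from the text; addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = (ip_address("0.0.0.0"), ip_address("255.255.255.255"))

def obj(spec):
    """Network object as an inclusive (first, last) pair: 'x.x.x.x',
    'x.x.x.x/nn', 'a.a.a.a-b.b.b.b' or 'any'."""
    if spec == "any":
        return ANY
    if "-" in spec:
        lo, hi = spec.split("-")
        return ip_address(lo), ip_address(hi)
    net = ip_network(spec, strict=False)
    return net[0], net[-1]

def contains(o, ip):
    return o[0] <= ip <= o[1]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int  # the service is modelled as the destination port only

@dataclass
class Rule:
    name: str
    orig_src: tuple
    orig_dst: tuple
    orig_port: Optional[int]           # None matches any service
    xlate_src: Optional[tuple] = None  # None leaves the field unchanged
    xlate_dst: Optional[tuple] = None
    xlate_port: Optional[int] = None
    hide: bool = False          # many-to-one: every source becomes xlate_src[0]
    force_return: bool = False  # 'Force translated traffic to return to the gateway'

    def matches(self, p):
        return (contains(self.orig_src, ip_address(p.src))
                and contains(self.orig_dst, ip_address(p.dst))
                and self.orig_port in (None, p.dport))

def one_to_one(orig, xlate, ip):
    """Static NAT: the nth address of orig maps to the nth address of xlate."""
    if int(orig[1]) - int(orig[0]) != int(xlate[1]) - int(xlate[0]):
        raise ValueError("one-to-one NAT needs ranges of equal size")
    return str(xlate[0] + (int(ip) - int(orig[0])))

def translate(p, rules, internal, gateway_ip):
    """First matching rule wins; returns (translated packet, rule name or None)."""
    for r in rules:
        if not r.matches(p):
            continue
        src, dst, dport = p.src, p.dst, p.dport
        if r.xlate_src is not None:
            src = (str(r.xlate_src[0]) if r.hide
                   else one_to_one(r.orig_src, r.xlate_src, ip_address(p.src)))
        if r.xlate_dst is not None:
            dst = one_to_one(r.orig_dst, r.xlate_dst, ip_address(p.dst))
        if r.xlate_port is not None:
            dport = r.xlate_port
        # Hairpin: a LAN client reaching the server via its public address gets the
        # gateway as source, so the reply returns via the gateway, not the switch.
        if r.force_return and contains(internal, ip_address(p.src)):
            src = gateway_ip
        return Packet(src, dst, dport), r.name
    return p, None

def port_forwarding(name, gw_public, server, port, redirect_from=None, force_return=True):
    """Wizard option 'The gateway's external (public) IP address'."""
    return [Rule(name, obj("any"), obj(gw_public), redirect_from or port,
                 xlate_dst=obj(server), xlate_port=port, force_return=force_return)]

def static_nat(name, public_ip, server, port):
    """Wizard option 'A different (public) IP address': one rule in, one rule out."""
    return [Rule(name + " (in)", obj("any"), obj(public_ip), port,
                 xlate_dst=obj(server), force_return=True),
            Rule(name + " (out)", obj(server), obj("any"), None, xlate_src=obj(public_ip))]

# Constructed topology: the gateway is 10.0.0.1 on the LAN and 203.0.113.1 outside.
INTERNAL, GW_INTERNAL, GW_PUBLIC = obj("10.0.0.0/16"), "10.0.0.1", "203.0.113.1"
RULEBASE = (port_forwarding("web", GW_PUBLIC, "10.0.1.10", 443, redirect_from=8443)
            + static_nat("mail", "203.0.113.20", "10.0.1.20", 25)
            + [Rule("manual 1:1", obj("10.0.2.10-10.0.2.19"), obj("any"), None,
                    xlate_src=obj("203.0.113.10-203.0.113.19")),
               # default 'Hide internal networks behind the Gateway's external IP address'
               Rule("Hide NAT", INTERNAL, obj("any"), None, xlate_src=obj(GW_PUBLIC), hide=True)])

def nat(src, dst, dport, rules=RULEBASE):
    """Translate one packet through the rule base; returns (src, dst, dport, rule)."""
    out, rule = translate(Packet(src, dst, dport), rules, INTERNAL, GW_INTERNAL)
    return out.src, out.dst, out.dport, rule
```

Calling nat("10.0.1.50", GW_PUBLIC, 8443) shows the hairpin case: the destination becomes 10.0.1.10 port 443 and the source becomes the gateway's LAN address, which is what the Force translated traffic to return to the gateway option provides. The same packet through a forwarding rule built with force_return=False keeps 10.0.1.50 as source, so the server would answer the client directly across the switch from 10.0.1.10, an address the client never connected to. The manual 1:1 rule shows why ordering matters: it sits before the default Hide NAT rule, so 10.0.2.13 leaves as 203.0.113.13 instead of being hidden behind 203.0.113.1.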

To edit a rule:

Note - Automatically generated rules cannot be edited in full; as with Access Policy rules, you can only edit their tracking options.

  1. Select a rule and click Edit.

  2. Edit the fields as necessary.

  3. Click Apply.

To delete a rule:

  1. Select a rule and click Delete.

  2. Click Yes in the confirmation message.

To enable or disable a rule:

  1. To disable a manually defined rule that you have added to the rule base, select the rule and click Disable.

  2. To enable a manually defined rule that you have previously disabled, select the rule and click Enable.

To change the rule order:

Note - You can only change the order of manually defined rules.

  1. Select the rule to move.

  2. Drag and drop it to the necessary position.