
Support, Support Requests, Training, Documentation, and Knowledge ... https://supportcenter.checkpoint.com/supportcenter/portal/media-type/...

Solution ID: sk30557 2/3/2015

Configuring NAT

Product: Security Gateway


Version: All
Last Modified: 13-feb-2014

Solution

Defining Network Address Translation (NAT) via the network object
automatically adds Rules to the Network Translation Rule Base. The Translation
method can be either "Hide" or "Static".

The Global Properties section for NAT contains an option called "Automatic ARP
configuration". Automatic ARP configuration ensures that ARP requests for a
translated (NATed) machine, network or address range are answered by the
Security Gateway. You no longer have to manually add a route on a Security
Gateway to ensure proper routing of Static NAT devices. In addition, there is no
longer a need for Manual ARP configuration via the $FWDIR/conf/local.arp file
on the Security Gateway (details are in sk30197).

Configuring Hide NAT

In Hide NAT, a single public address is used to represent multiple computers on
the internal network with private addresses (many-to-one relation). Hide NAT
allows connections to be initiated only from the protected side of the Security
Gateway that is protecting this object (Check Point, or Externally Managed
Gateway or Host, Gateway node, or Host node).

Enabling Hide NAT on the network object will add the appropriate rule to the
NAT Rule Base. Perform the following steps to enable Hide NAT for your internal
network:

1. Log in to SmartDashboard.
2. Create the network object for the internal network.
3. Define the following fields:
   Name
   Network Address
   Net Mask
   Comments
   Color
4. Select the NAT tab, and enable the option "Add Automatic Address
Translation rules".
5. Select the Translation method "Hide".
6. Select "Hide behind gateway". This NAT configuration hides the real
address behind the IP address of the Security Gateway interface, through
which the packet is routed out.
7. Click 'OK'.
8. Install the Security Policy onto the Gateway that will perform the NAT.

Configuring Static NAT

In Static NAT, each private address is translated to a corresponding public
address (one-to-one relation). Static NAT allows machines on both sides of
the Security Gateway, protecting this object (Check Point, or Externally
Managed Gateway or Host, Gateway node, or Host node), to initiate
connections, so that, for example, internal servers can be made available
externally.

Static NAT is used for Web, e-mail, and other application servers that require
routable public IP addresses. These servers will be routable to the Internet, but
will also retain their internal IP addresses for internal access.

Perform the following steps to enable Static NAT for your Web or email server:

1. Log in to SmartDashboard.
2. Create a Host Node object for the server.
3. Define the following fields:
   Name
   Real IP address
   Comment
   Color
4. Select the NAT tab, and enable "Add Automatic Address Translation rules".
5. Select the Translation method "Static".
6. Enter the desired public IP address in the "Translate to IP address" field.
The Translate to IP Address value for Static NAT is a virtual IP address,
which is a public (routable) IP address that does not belong to any real
machine.
7. Click 'OK'.
8. Install the Security Policy onto the Gateway that will perform the NAT.
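
The difference between the two methods matters when reviewing exposure: a Static NAT object accepts connections initiated from outside, a Hide NAT object does not. The following is an added example, not Check Point code; it is a simplified model of the translation behaviour described above. The addresses, object names, and the port-mapping table used for Hide NAT are constructed assumptions.

```python
import ipaddress

# Constructed sample data (documentation address ranges, not from the article).
GATEWAY_EXTERNAL_IP = "203.0.113.1"
OBJECTS = [
    {"name": "internal_net", "real": "10.1.1.0/24", "method": "hide"},  # Hide behind gateway
    {"name": "web_server", "real": "10.1.2.10/32", "method": "static",
     "translate_to": "203.0.113.10"},
]

class Gateway:
    """Simplified model of Hide vs Static NAT; not the gateway's real implementation."""

    def __init__(self, external_ip, objects):
        self.external_ip = external_ip
        self.objects = objects
        self.hide_table = {}    # gateway source port -> (real ip, real port)
        self.next_port = 10000  # assumed allocation scheme, for illustration only

    def outbound(self, src_ip, src_port):
        """Translate the source of a connection initiated from the protected side."""
        for obj in self.objects:
            if ipaddress.ip_address(src_ip) in ipaddress.ip_network(obj["real"]):
                if obj["method"] == "static":
                    return obj["translate_to"], src_port
                port, self.next_port = self.next_port, self.next_port + 1
                self.hide_table[port] = (src_ip, src_port)
                return self.external_ip, port
        return src_ip, src_port  # no NAT defined for this source

    def inbound(self, dst_ip, dst_port):
        """Translate the destination of a packet from outside; None means no translation."""
        for obj in self.objects:
            if obj["method"] == "static" and obj["translate_to"] == dst_ip:
                return str(ipaddress.ip_network(obj["real"]).network_address), dst_port
        if dst_ip == self.external_ip:
            return self.hide_table.get(dst_port)  # only replies to existing connections
        return None

    def proxy_arp_addresses(self):
        """Translated addresses the gateway must answer ARP requests for.
        Hide behind gateway uses the gateway's own address, so it adds none."""
        return [o["translate_to"] for o in self.objects if o["method"] == "static"]

    def exposed_hosts(self):
        """Objects that can receive connections initiated from outside.
        The Security Policy Rule Base must still allow the traffic."""
        return {o["translate_to"]: o["name"] for o in self.objects if o["method"] == "static"}
```

Running exposed_hosts() over an inventory of NAT-enabled objects gives the list of public addresses whose access rules deserve the closest review.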


For more detailed information, refer to the Firewall R77 Administration Guide.
