In this article, we will guide you about types of NAT (Network Address Translation) on Check Point firewall devices.
– NAT is part of Access Control policy.
– Check Point has two ways to set up NAT: Automatic NAT and Manual NAT. Each way allows configuration of two types of NAT: Hide NAT and Static NAT.
– Hide NAT: converts multiple internal addresses into a single IP (many-to-one translation). It allows internal machines to connect to the outside network; outside our Security Gateway, these connections appear to originate from a single IP. The Security Gateway changes both the source IP address and the source port on outgoing packets. On the return traffic, the destination IP address and port are converted back to their original values so that the packet can reach the client. This type of NAT does not allow access to internal hosts from the external network.
– Static NAT: performs one-to-one translation. Static NAT is often used to access the DMZ from the internet.
1. Automatic NAT: the simple configuration style. NAT parameters are configured on the object that requires Network Address Translation: open the object and set the parameters in its NAT tab.
– To configure Automatic NAT for the LanNetwork object, double-click on it in SmartConsole and go to the NAT tab.
– Check “Add automatic address translation rules”.
– The Translation menu has two options: Hide (default) or Static. Select Hide and click OK.
– Go to Security Policies > Access Control > NAT to see the Automatic NAT rule that has been created automatically.
– Similarly, we can create Automatic NAT for the DMZ-Srv object.
– The above configuration allows the server to go to the internet but does not allow hosts on the internet to connect to the server. If we want the DMZ server to be accessible from the outside network on all services, we can create an automatic Static NAT. If we only want to allow some specified services like HTTP…, we have to configure Port Address Translation (port forwarding) using manual NAT rules.
2. Manual NAT: needs to be set up in the NAT policy rulebase.
– In our example, we only want to allow external networks to access the DMZ server via HTTP.
– Review the example model:
– To allow HTTP access to the DMZ server, we do the following:
– Create a new host object with the external IP address of the Security Gateway.
– Next, create a manual static NAT rule: go to Security Policies > Access Control > NAT and add a new rule above the top.
– Manual NAT allows creating more complex rules for Network Address Translation. A manual rule includes the following fields:
- Original Source
- Original Destination
- Original Service
- Translated Source
- Translated Destination
- Translated Services
– Static or Hide NAT can be selected: to choose the desired NAT type, right-click on Translated Source / Translated Destination and select Static or Hide.
– Create the manual NAT rule according to the table below:
- Original Source: Any
- Original Destination: PublicIP (the object we have just created)
- Original Services: http
- Translated Source: Original (we are leaving Source IP address as is)
- Translated Destination: DMZ-Srv (the Translated Destination should be our Windows Server). Important: use the Static NAT method here.
- Translated Services: Original (destination port stays unchanged)
– The letter “S” next to Translated Destination is the Static NAT icon.
– Finally, we create an access rule that allows access to the DMZ server via the HTTP service. Go to the Security Policy rulebase and add a rule named DMZ-Srv Access at the top of the list with the following parameters:
- Name: DMZ-Srv Access
- Source: Any
- Destination: PublicIP
- Services & Applications: http
- Action: Accept
- Tracks: Log
– Install Policy.
– Then select only the Access Control policy and install.
– After policy installation is complete, we can access the internet from the Internal Network, and port forwarding allows HTTP access to DMZ-Srv from the external network.
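As an added illustration (not part of the original article and not Check Point's own code), the following Python model applies the two rules built above to a few constructed packets: the manual Static rule forwards only http to DMZ-Srv and leaves other services alone, while the automatic Hide rule rewrites the source IP and port for LanNetwork and restores them on the reply. All addresses and ports are constructed placeholders.

```python
from collections import namedtuple

# Columns of the NAT rulebase described above. None means "Any" in an Original
# column and "Original" (leave as is) in a Translated column.
NatRule = namedtuple("NatRule", "orig_src orig_dst orig_service xlate_src xlate_dst xlate_service method")
Packet = namedtuple("Packet", "src dst sport dport")

PUBLIC_IP = "203.0.113.10"  # constructed placeholder for the PublicIP host object
DMZ_SRV = "192.168.20.5"    # constructed placeholder for the DMZ-Srv host
LAN_NET = "192.168.10."     # constructed placeholder prefix for LanNetwork

def matches(addr, obj):
    """Any (None), exact host, or network-prefix match."""
    return obj is None or addr == obj or (obj.endswith(".") and addr.startswith(obj))

hide_table = {}  # (hidden src, hidden sport) -> (original src, original sport)

def apply_nat(rules, pkt):
    """First matching NAT rule wins, as in the rulebase; unmatched packets pass untranslated."""
    for r in rules:
        if not (matches(pkt.src, r.orig_src) and matches(pkt.dst, r.orig_dst)
                and (r.orig_service is None or pkt.dport == r.orig_service)):
            continue
        new = pkt._replace(dst=r.xlate_dst or pkt.dst, dport=r.xlate_service or pkt.dport)
        if r.xlate_src and r.method == "hide":   # many-to-one: rewrite source IP *and* source port
            port = 10000 + len(hide_table)       # constructed port pool for hidden connections
            hide_table[(r.xlate_src, port)] = (pkt.src, pkt.sport)
            new = new._replace(src=r.xlate_src, sport=port)
        elif r.xlate_src:                        # static: one-to-one, ports untouched
            new = new._replace(src=r.xlate_src)
        return new
    return pkt

def reverse_hide(reply):
    """Return traffic of a hidden connection: restore the original client IP and port."""
    orig = hide_table.get((reply.dst, reply.dport))
    return reply._replace(dst=orig[0], dport=orig[1]) if orig else reply

RULES = [
    NatRule(None, PUBLIC_IP, 80, None, DMZ_SRV, None, "static"),  # manual port-forwarding rule, on top
    NatRule(LAN_NET, None, None, PUBLIC_IP, None, None, "hide"),  # automatic Hide NAT for LanNetwork
]

if __name__ == "__main__":
    print(apply_nat(RULES, Packet("198.51.100.7", PUBLIC_IP, 51000, 80)))   # forwarded to DMZ-Srv:80
    print(apply_nat(RULES, Packet("198.51.100.7", PUBLIC_IP, 51000, 443)))  # not forwarded: only http
    out = apply_nat(RULES, Packet("192.168.10.25", "198.51.100.80", 51001, 443))
    print(out, reverse_hide(Packet(out.dst, out.src, out.dport, out.sport)))
```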
!!! Thank you for following the article!!!