
8. Check Point Getting Started R80.20. NAT



Welcome to the 8th lesson. It is an important one, because once you finish it you will be able to set up Internet access for your users. Admittedly, many stop right there :) But we are not among them, and there is still plenty of interesting material ahead. Now to the topic of the lesson.

As you may have guessed, today we will talk about NAT. I am sure that everyone watching this lesson knows what NAT is, so we will not describe in detail how it works. I will only repeat once more that NAT (Network Address Translation) is an address translation technology designed to conserve public ("white") IP addresses, i.e. the addresses that are routed on the Internet.

In the previous lesson you may already have noticed that NAT is part of the Access Control policy. That is quite logical. In SmartConsole the NAT settings live on a separate tab, and today we will definitely go there. In this lesson we will discuss the types of NAT, configure Internet access and walk through the classic port-forwarding example, i.e. the functionality most often used in companies. Let's get started.

Two ways to configure NAT


Check Point supports two ways to configure NAT: Automatic NAT and Manual NAT. In addition, each of these methods supports two translation types: Hide NAT and Static NAT. Altogether that gives four combinations (Automatic Hide, Automatic Static, Manual Hide, Manual Static), as in the picture:



I realise this probably looks complicated right now, so let's look at each type in a little more detail.

Automatic NAT


This is the fastest and easiest way: NAT is set up in just two clicks. Open the properties of the desired object (gateway, network, host, etc.), go to the NAT tab and tick the "Add automatic address translation rules" checkbox. A translation method field then appears, offering the two types mentioned above.



1. Automatic Hide NAT


The default is Hide, i.e. our network will "hide" behind a single public IP address. That address can be taken from the external interface of the gateway, or you can specify a different one. This type of NAT is often called dynamic or many-to-one, because several internal addresses are translated to one external address; this works because the gateway tells the sessions apart by the translated source port. Hide NAT works in one direction only (from the inside out) and is ideal for local networks that simply need Internet access. If traffic is initiated from the external network, there is no translation entry for it and NAT naturally will not work, which in effect gives the internal networks some additional protection. Keep in mind, though, that this is a side effect: it is still the Access Control rules, not NAT, that decide what is allowed.

2. Automatic Static NAT


Hide NAT is fine for most purposes, but sometimes you need to provide access from the external network to some internal server, for example a DMZ server, as in our lab. Static NAT helps here, and it is just as simple to configure: change the translation method to Static in the object properties and specify the public IP address to be used for NAT (see the picture above). Now if someone from the external network sends a request to that address (on any port!), the request is forwarded to the server's internal IP address. Moreover, when the server itself goes out to the Internet, its source address is also changed to the address we specified, i.e. this is NAT in both directions. It is also called one-to-one and is sometimes used for public servers. Why "sometimes"? Because it has one big drawback: the public IP address is completely consumed (all ports). You cannot use the same public address for different internal servers on different ports, e.g. HTTP, FTP, SSH, SMTP, etc. Manual NAT solves this problem. Also note that "any port" describes only the translation; because the whole host becomes reachable, the Access Control rules should permit only the services that actually need to be exposed.

Manual NAT


The distinguishing feature of Manual NAT is that you create the translation rules yourself, on the same NAT tab of the Access Control policy. This allows more complex translation rules. The following fields are available: Original Source, Original Destination, Original Services, Translated Source, Translated Destination, Translated Services. NAT rules are matched from the top down and the first match wins, with manual rules placed above the automatically generated ones, so the order of manual rules matters.



Here too there are two possible types of NAT: Hide and Static.

1. Manual Hide NAT


Manual Hide NAT is used in a variety of situations. A couple of examples:

  1. When accessing a specific resource from the local network, you want to translate to a different address (one that differs from the address used in all other cases).
  2. The local network contains a very large number of computers. Automatic Hide NAT is not suitable here, because it allows only one public IP address behind which the computers hide, and the ports available for translation may simply run out: there are, as you remember, a little over 65 thousand of them, and each computer can generate hundreds of sessions. Manual Hide NAT allows you to put a pool of public IP addresses in the Translated Source field, thereby increasing the number of possible translations.

2. Manual Static NAT


Static NAT is used much more often when creating translation rules manually. The classic example is port forwarding: the external network addresses a public IP address (which may belong to the gateway itself) on a specific port, and the request is passed to an internal resource. If the internal service listens on a different port, the Translated Services field changes it as well. In our lab we will forward port 80 to the DMZ server. Remember that a NAT rule only translates; an Access Control rule that permits the traffic to the DMZ server is still required.
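To make the four behaviours concrete, here is an added toy model (example code written for this page, not Check Point code) of what the gateway does with a flow under Automatic Hide NAT, Manual Hide NAT with an address pool, Automatic Static NAT and a Manual Static NAT port-forwarding rule, covering the cases described in the Hide NAT, Static NAT, Manual Hide NAT and Manual Static NAT sections above. All addresses, networks and the deliberately tiny port range are made up; the point is to show the one-direction behaviour and port exhaustion of Hide NAT, the whole-address, two-direction behaviour of Static NAT, and how two manual rules share one public address.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


class HideNat:
    """Many-to-one, outbound only. Hosts in internal_net hide behind the
    addresses in public_pool; sessions are told apart by translated port."""

    def __init__(self, internal_net, public_pool, ports=range(10000, 10003)):
        self.net = ip_network(internal_net)
        # Tiny port range on purpose, so port exhaustion is reachable here.
        self.free = [(ip, p) for ip in public_pool for p in ports]
        self.active = {}  # (public_ip, public_port) -> (internal_ip, port)

    def outbound(self, flow):
        if ip_address(flow.src) not in self.net:
            return None
        if not self.free:
            raise RuntimeError("Hide NAT: public address/port pool exhausted")
        pub_ip, pub_port = self.free.pop(0)
        self.active[(pub_ip, pub_port)] = (flow.src, flow.sport)
        return Flow(pub_ip, pub_port, flow.dst, flow.dport)

    def inbound(self, flow):
        entry = self.active.get((flow.dst, flow.dport))
        if entry is None:
            return None  # no session entry: an unsolicited flow is dropped
        return Flow(flow.src, flow.sport, entry[0], entry[1])


class StaticNat:
    """One-to-one, both directions, every port: one public address is
    fully consumed by one internal host."""

    def __init__(self, internal_ip, public_ip):
        self.internal_ip, self.public_ip = internal_ip, public_ip

    def outbound(self, flow):
        if flow.src != self.internal_ip:
            return None
        return Flow(self.public_ip, flow.sport, flow.dst, flow.dport)

    def inbound(self, flow):
        if flow.dst != self.public_ip:
            return None
        return Flow(flow.src, flow.sport, self.internal_ip, flow.dport)


class PortForward:
    """Manual Static NAT rule: Original Destination + Original Service become
    Translated Destination + Translated Service; other ports stay untouched."""

    def __init__(self, public_ip, public_port, internal_ip, internal_port):
        self.match = (public_ip, public_port)
        self.target = (internal_ip, internal_port)

    def inbound(self, flow):
        if (flow.dst, flow.dport) != self.match:
            return None
        return Flow(flow.src, flow.sport, *self.target)


def demo():
    """Exercise the cases on constructed flows and return the outcomes."""
    r = {}
    # Automatic Hide NAT: the whole LAN behind one (made-up) public address.
    hide = HideNat("10.1.1.0/24", ["203.0.113.1"])
    out = hide.outbound(Flow("10.1.1.10", 51000, "198.51.100.5", 443))
    r["hide_out"] = (out.src, out.sport)
    reply = hide.inbound(Flow("198.51.100.5", 443, out.src, out.sport))
    r["hide_reply"] = (reply.dst, reply.dport)
    r["hide_unsolicited"] = hide.inbound(Flow("198.51.100.9", 4000, "203.0.113.1", 22))
    for h in (11, 12):  # use up the remaining two slots of the toy pool
        hide.outbound(Flow(f"10.1.1.{h}", 51000, "198.51.100.5", 443))
    try:
        hide.outbound(Flow("10.1.1.13", 51000, "198.51.100.5", 443))
        r["hide_exhausted"] = False
    except RuntimeError:
        r["hide_exhausted"] = True
    # Manual Hide NAT with a pool of two public addresses doubles the capacity.
    pool = HideNat("10.1.1.0/24", ["203.0.113.1", "203.0.113.2"])
    for h in range(10, 16):
        pool.outbound(Flow(f"10.1.1.{h}", 51000, "198.51.100.5", 443))
    r["pool_sessions"] = len(pool.active)
    # Automatic Static NAT for a DMZ host: both directions, any port.
    st = StaticNat("192.168.2.10", "203.0.113.10")
    r["static_out"] = st.outbound(Flow("192.168.2.10", 40000, "198.51.100.5", 80)).src
    r["static_in"] = st.inbound(Flow("198.51.100.9", 4000, "203.0.113.10", 3389)).dst
    # Manual Static NAT: port 80 and port 22 of one public address go to two
    # different internal hosts, which Automatic Static NAT cannot express.
    web = PortForward("203.0.113.20", 80, "192.168.2.10", 80)
    ssh = PortForward("203.0.113.20", 22, "192.168.2.11", 22)
    r["pf_web"] = web.inbound(Flow("198.51.100.9", 4000, "203.0.113.20", 80)).dst
    r["pf_ssh"] = ssh.inbound(Flow("198.51.100.9", 4000, "203.0.113.20", 22)).dst
    return r
```

Calling `demo()` returns a dictionary of the outcomes: the first hidden host comes out as 203.0.113.1:10000, its reply is mapped back to 10.1.1.10:51000, an unsolicited inbound flow to the hide address yields `None`, the fourth host exhausts the three-port toy pool while the two-address pool holds six sessions, the static host is translated on both sides and on an arbitrary port, and the two port-forwarding rules deliver port 80 and port 22 of one public address to different servers.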

Video lesson



Stay tuned for more and join our YouTube channel :)

Source: https://habr.com/ru/post/448114/

