Friday, March 11, 2016

Configuring NAT in Check Point Firewall

The Security Gateway supports two types of NAT, translating the source and/or the destination address of a packet:

* Hide NAT - Hide NAT is a many-to-one relationship, where multiple computers on the internal network are represented by a single unique address; the gateway rewrites the source port so it can tell the connections apart. This enhances security because connections can only be initiated from the protected side of the Security Gateway. This type of NAT is also referred to as Dynamic NAT.

* Static NAT - Static NAT is a one-to-one relationship, where each host is translated to a unique address. This allows connections to be initiated both internally and externally. An example would be a Web server or a mail server that needs to accept connections initiated externally.

NAT can be configured on Check Point hosts, nodes, networks, address ranges and dynamic objects. NAT can be configured automatically on the object or by creating manual NAT rules. Manual NAT rules offer more flexibility because they can translate both the source and the destination of the packet and can also translate the service (port).



Currently the inside PC (the SmartConsole machine) with IP 10.1.1.50 can't reach the outside network (the Internet).


There are default NAT rules for the VPN policy (to be discussed further in the VPN topics). To configure Hide NAT (PAT or NAT overload in Cisco terms), open the HQ-Inside network object, select the NAT tab, tick Add Automatic Address Translation rules under Values for Address Translation, and choose Hide as the Translation method with Hide behind Gateway (the gateway's outside IP, 192.168.1.111).




NAT rule #3 specifies that the HQ-Inside subnet (10.1.1.0/24) is not translated when it talks to its own subnet.

NAT rule #4 specifies Hide NAT (indicated by H) behind the Security Gateway's outside IP 192.168.1.111 when the source is the HQ-Inside subnet 10.1.1.0/24 going to Any destination. Check Point generates the no-translation rule #3 above the Hide rule on purpose: rules are matched top-down and the first match wins.



Also make sure there is a security policy rule allowing inside users out to Any destination; in this lab that is firewall policy rule #3. The rule is written with the real source 10.1.1.0/24, not the hide address, because the Rule Base is matched before the source address is translated.


Save and push the policy to the Security Gateway by clicking the Install Policy icon. De-select Desktop Security, since no policy has been created for it and the installation would otherwise finish with "Installation ended with errors".





Verify by pinging from the inside PC 10.1.1.50 to R1's outside IP 192.168.1.1 and to Google's DNS 8.8.8.8. You can also verify in SmartView Tracker, found under the SmartConsole drop-down menu.



The latest logs are at the very bottom; click the down-arrow (Go to Bottom) icon to get there. Double-click a log entry for detailed information, including the translated (NAT) addresses.




Create a static NAT rule for the inside PC 10.1.1.50 (Windows7-PC network object) by choosing Static as the Translation method and mapping it to 192.168.1.50. Also create a policy rule (rule #4, above the Cleanup rule) allowing HTTP (TCP 80) from Any source (in this case the outside network) to the Windows7-PC object, i.e. the real address 10.1.1.50, not the public 192.168.1.50: with Check Point's default client-side destination translation the Rule Base is matched against the real address. The gateway also has to answer ARP for 192.168.1.50 on its outside interface; for automatic NAT rules this is handled by Automatic ARP configuration (Global Properties > NAT, enabled by default), whereas manual NAT rules need proxy ARP configured by hand. Save and install the policy afterwards.




To verify, connect to TCP port 80 on 192.168.1.50 from a host on the outside network (in this case R1). You can also verify in SmartView Tracker, or run fw monitor -e "accept host(10.1.1.50) or host(192.168.1.50);" on the gateway to see the packet before and after translation at the inbound (i/I) and outbound (o/O) inspection points.
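To make the Hide NAT rules (#3 and #4 above) and the Static NAT rule concrete, here is an added example that is not part of the original post and not Check Point code: a small Python model of a gateway applying a Check Point-style NAT rule base and security policy to constructed packets. It mirrors the lab objects (HQ-Inside 10.1.1.0/24 hidden behind 192.168.1.111, Windows7-PC 10.1.1.50 statically mapped to 192.168.1.50, R1 at 192.168.1.1) and Check Point's ordering of automatic Static rules above automatic Hide rules; the port allocation range, the table layout and the helper names are assumptions made for illustration.

```python
"""Toy model of Check Point-style Hide and Static NAT (added example, not
Check Point code). Objects mirror the lab in the post; the allocation range
and table layout are constructed simplifications."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

GW_OUTSIDE = "192.168.1.111"                 # gateway's outside IP (hide address)
HQ_INSIDE = ip_network("10.1.1.0/24")        # HQ-Inside network object
ANY = ip_network("0.0.0.0/0")
HTTP = 80


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class NatRule:
    orig_src: IPv4Network
    orig_dst: IPv4Network
    xlate_src: Optional[str]   # None = keep the original source address
    xlate_dst: Optional[str]   # None = keep the original destination address
    method: str                # "none" (no translation), "hide" or "static"

    def matches(self, pkt: Packet) -> bool:
        return ip_address(pkt.src) in self.orig_src and ip_address(pkt.dst) in self.orig_dst


def auto_nat_rules(hide_nets: List[IPv4Network], static_hosts: List[Tuple[str, str]]) -> List[NatRule]:
    """Automatic rules in Check Point's order: Static rules first, then Hide.
    Each hidden network gets a 'do not translate within own subnet' rule
    (rule #3 in the post) placed above its Hide rule (rule #4)."""
    rules: List[NatRule] = []
    for real, public in static_hosts:
        rules.append(NatRule(ip_network(real), ANY, public, None, "static"))   # outbound leg
        rules.append(NatRule(ANY, ip_network(public), None, real, "static"))   # inbound leg
    for net in hide_nets:
        rules.append(NatRule(net, net, None, None, "none"))
        rules.append(NatRule(net, ANY, GW_OUTSIDE, None, "hide"))
    return rules


class Gateway:
    def __init__(self, nat_rules: List[NatRule]):
        self.nat_rules = nat_rules
        # Hide NAT state: (hide address, allocated port, dst, dport) -> (real src, real sport)
        self.hide_table: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        self.next_port = 10000        # constructed allocation range, not Check Point's

    def security_policy(self, pkt: Packet) -> bool:
        """Rule base from the post, written with the hosts' REAL addresses:
        #3 HQ-Inside -> Any accept; #4 Any -> 10.1.1.50 http accept; Cleanup drop."""
        if ip_address(pkt.src) in HQ_INSIDE:
            return True
        if pkt.dst == "10.1.1.50" and pkt.dport == HTTP:
            return True
        return False

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as it leaves the gateway, or None if it is dropped."""
        # Reply to an existing Hide NAT connection: undo the mapping and forward it.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.hide_table:
            real_src, real_sport = self.hide_table[key]
            return Packet(pkt.src, real_src, pkt.sport, real_sport)
        rule = next((r for r in self.nat_rules if r.matches(pkt)), None)
        # Destination is translated on the client side, so the policy sees the real address.
        dst = rule.xlate_dst if rule and rule.xlate_dst else pkt.dst
        if not self.security_policy(Packet(pkt.src, dst, pkt.sport, pkt.dport)):
            return None   # Cleanup rule; unsolicited packets to the hide address end here
        if rule is None or rule.xlate_src is None:
            return Packet(pkt.src, dst, pkt.sport, pkt.dport)
        if rule.method == "static":
            return Packet(rule.xlate_src, dst, pkt.sport, pkt.dport)
        # Hide NAT: many-to-one, so allocate a source port and remember the
        # mapping so that the reply can be returned to the right internal host.
        port = self.next_port
        self.next_port += 1
        self.hide_table[(rule.xlate_src, port, dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(rule.xlate_src, dst, port, pkt.dport)


if __name__ == "__main__":
    gw = Gateway(auto_nat_rules([HQ_INSIDE], [("10.1.1.50", "192.168.1.50")]))
    print(gw.forward(Packet("10.1.1.20", "8.8.8.8", 5555, 53)))          # hidden behind .111
    print(gw.forward(Packet("8.8.8.8", "192.168.1.111", 53, 10000)))     # reply mapped back
    print(gw.forward(Packet("10.1.1.50", "8.8.8.8", 40000, 53)))         # static wins over hide
    print(gw.forward(Packet("192.168.1.1", "192.168.1.50", 4000, 80)))   # inbound HTTP allowed
    print(gw.forward(Packet("192.168.1.1", "192.168.1.111", 4000, 80)))  # None: hide is one-way
```

Two things the model makes visible that the screenshots do not: once the Windows7-PC object gets automatic Static NAT, its own outbound traffic leaves as 192.168.1.50 rather than 192.168.1.111, because the Static rule sits above the Hide rule; and an unsolicited connection to the hide address 192.168.1.111 finds no mapping and falls through to the Cleanup rule, which is the "connections can only be initiated from the protected side" property in practice.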




I also tried to open Check Point’s website from inside PC 10.1.1.50 and verified the log in SmartView Tracker.

