Automatic NAT Rules

Previous page
Table of content
Next page

In additional to creating translation rules manually, FW-1 gives you the ability to generate these rules automatically. Generating automatic translation rules saves you time, and reduces the opportunity for error. You can create both hide-mode and static-mode translation rules automatically. Manually defined NAT rules can be more efficient, but Automatic NAT rules are easier for novice users and are typically used for simplicity when possible.

Automatic Hide

As above, we will use the example of configuring hide-mode translation to hide your LAN network, 172.17.3.0/24, behind one routable address. To configure automatic hide-mode translation, open the SmartDashboard and select Manage Network Objects . Edit the properties of LAN and select the NAT tab, as shown in Figure 5.9.

click to expand
Figure 5.9: NAT Tab of Network Object

Select Add Automatic Address Translation Rules . Select Hide from the Translation Mode drop-down list. To specify a routable IP address to hide the network, enter the address in the Hide behind IP Address field (enter 0.0.0.0 to configure the firewall to use its external IP address). Alternatively, you can use the external IP address of the gateway by selecting the Hide behind Gateway option. Use the Install On drop-down list to specify the firewalls that will require this rule, or select All to apply this rule to all existing firewalls.

Click OK . FW-1 will automatically generate the required rules for this hide-mode translation. See Figure 5.10.

click to expand
Figure 5.10: NAT Rule Base with Generated Rules

Rules 1 and 2 above have been generated by the LAN object s automatic translation settings. Rule 1 ensures that traffic traveling within LAN will not be affected by translation; this traffic does not require translation since it is not leaving your network. Rule 2 resembles the manual translation rule we created earlier. It translates all traffic originating on your network into the routable IP address you specified, and then translates the destination of incoming packets back into their original addresses.

The final step to activating hide-mode translation is to ensure that your general rule base will allow traffic to flow as expected. These are the same rules you created when you configured manual hide-mode translation.

Automatic Static

Configuring static rules automatically is similar to creating hide-mode rules automatically. In this example, we will again be configuring translation to allow Web_Server to be accessed from the Internet.

To configure automatic static-mode translation, open SmartDashboard and go to the properties of the object you are configuring, in this case Web_Server . See Figure 5.11.

click to expand
Figure 5.11: NAT Tab of Web Server

Access the NAT tab and enable Add Automatic Address Translation rules . Select Static from the Translation Method drop-down list, and for Valid

IP Address, enter the routable IP address you are going to use in this case. The Install On field should include the firewalls for which this rule is appropriate, or be set to All .

Click OK . FW-1 will automatically generate the required rules for this static-mode translation. See rules 1 and 2 in Figure 5.12.

click to expand
Figure 5.12: Generated Address Translation Rules

Here, rules 1 and 2 have been generated by the Web_Server automatic translation settings. These rules will resemble the static source and static destination rules we created earlier. Rule 1 translates traffic originating from the Web server to the routable IP address, and rule 2 translates incoming traffic from valid, routable address back to the internal address for incoming traffic.

Again, the final step is to ensure that your general rule base will allow traffic to flow to and from the Web server. These are the same rules you created when you configured manual static-mode translation.

Routing and ARP

With automatic NAT, you also need to keep routing and ARP issues in mind. The procedures for ensuring packets reach their intended destination are the same as with manual NAT.

If there is a router or multiple routers on your internal network and you are using reserved address space, you need to ensure that static routes (and default routes) exist on the router, or that dynamic routing protocols are configured correctly, so that packets will reach the firewall. For static source and hide-mode NAT, you must ensure that proper ARP entries exist on the firewall for the hiding or static source address. If you have upgraded to NG from a prior version of FW-1, then for static destination you need to add a static host route on the firewall to direct the traffic out the proper interface, since routing will take place before NAT.

You can configure individual ARP and routing tasks using the same techniques that you use when you configure NAT manually. Alternatively, you can configure ARP and routing tasks by enabling some of the options available in the NAT Global Properties, which we will talk about next .



Previous page
Table of content
Next page
Check Point NG[s]AI
Check Point NG[s]AI
ISBN: 735623015
EAN: N/A
Year: 2004
Pages: 149
BUY ON AMAZON
CISSP Exam Cram 2
Service-Oriented Architecture (SOA): Concepts, Technology, and Design
Wireless Hacks: Tips & Tools for Building, Extending, and Securing Your Network
Persuasive Technology: Using Computers to Change What We Think and Do (Interactive Technologies)
Ruby Cookbook (Cookbooks (OReilly))
.NET-A Complete Development Cycle
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy