NAT

Concept

NAT works the same on the Firewall/Security Gateway the same way it works with modern Routers. It uses Connection Tracking to track which conversation belongs to which device. It takes the private IP and translates it to the configured Public IP; when it receives a reply back it will check its Connection Tracking table and translate the reply back to the private IP and forward the packet.

Check Point NAT

NAT Types

NAT Rules

• Automatic NAT Rules

  • The Security Gateway will automatically create NAT rules based off the object's properties

• Manual NAT Rules

  • Specified IP addresses (dst & src) or services (ports)

  • Static NAT in only one direction

  • Translation of source and destination IP addresses in the same packet

  • Translation of services (dst ports)

  • Translation of IP addresses and dynamic objects

NAT Rule Enforcement

• Automatic

  • Two automatic NAT rules that matcha connection can be enforced

    • One rule for the source

      • One rule for the destination

• Manual

  • The first manual NAT rule that matches a connection is enforced. It will skip the others after

Proxy Arp

This is a technique by which a proxy server on a given network answers the ARP queries for an IP address that is not on that network

The proxy is aware of the location of the traffic destination and offers its own MAC as the destination. The traffic directed to the proxy address is typically routed to the intended destination using another interface or tunnel

Practice Questions