qestion for exam: Bidirectional NAT theory

[Sergej]

Hi, I'm studing for recertification. Colege pass me that there are a lot of misterious qestions about NAT. I want to be cool in CheckPoint NAT aspects and terminology. I'm using oficial courseware (b.llsh.t) + Help files (I prefere .hlp files, becouse they are the same as PDF but easy navigation and better screenshots).

Here is a qestions about Manual vs Automatic NAT.

Accoding to "Check Point Solution for Network Address Translation" > "Bidirectional NAT" it is possible to mach and translate bouth sourse and destination addreses with automalic rures:

With Bidirectional NAT, both automatic NAT rules are applied, and both objects will be translated, so connections between the two objects will be allowed in both directions.

The detailed logic of Bidirectional NAT is as follows:

If the first match on a connection is on an Automatic NAT rule, then the rest of the NAT Rule Base is checked, one rule at a time, to see if another Automatic NAT Rule matches the connection. If it does, both rules are matched, and no further checking is performed.

According to "Planning Considerations for NAT" > "Automatic Versus Manual Rules" translation of bouth source and destination addreses are exclusive feature of Manual NAT:

The following can only be done using Manual NAT Rules:

Translating both source and destination IP addresses in the same packet.

There are two conflcting statemlents. Which one is correct?

[jsond]

I would think it is Automatic NAT rules.

The setting to allow bi-directional NAT is under the Automatic NAT rules section in the NAT tab of global properties. Under the manual NAT section it does not have any option for bidirectional NAT rules. The Syngress configuring Checkpoint NGX states the following:

"..In essence, the bidirectional NAT lets a connection match 2 NAT rules. Normally the NAT rule base only permits one match and then subsequently exits the process. In the case of bidirectional NAT, if the source match is an Automatic NAT rule, the gateway continues to traverse the NAT rules to identify if there is a destination rule match. If the gateway finds a second match, it applies both NAT rules to the connection so that the packet it routed properly between source and destination."

"If bidirectional NAT is enabled, improperly placed manual rules may negate such connections. If a manual NAT matches a connection, it will exit the NAT rule base immediately. Only when the first match is an automatic NAT does the gateway continue to inspect the remainder of the rule base for the subsequent match."


Again, I do not have a ton of experience with checkpoint and even less with NAT. This is just the way it was written in the NAT chapter of the book I am studying with, and is similar to the 1st explanation in your post. So this could be incorrect but thought it might help.