CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
I have the following lab setup: (PCA)10.0.0.1----10.0.0.2<FW1>72.16.0.1----172.16.0.1(PCB). There is an access rule allowing PING from PC to PC, but no NAT rules defined. I can ping 172.16.0.1 from 10.0.0.1 and vice versa. What is the default behaviour of Check Point for allowing access? Are access rules alone enough to grant access without the NAT rules? Thanks, Av

When you look on the Network Address Translation tab, what rules are there? How is your ping rule defined specifically? Are either the 10.0.0.2 or 172.16.0.1 interfaces defined as "external" on the topology tab? Ray

FireWall-1 does not require you to use NAT. If you are not using NAT, your internal addresses must be routable to and from wherever you are trying to connect.

Yes, I have defined access rules allowing PING, but under the NAT section there are no rules. I have defined one network as internal and another as external. Last edited by avilT; 2006-12-25 at 20:53.

I have no routing issues. I am able to PING. My query is whether the Check Point firewall can pass traffic without NAT. I am asking this because the Cisco PIX firewall will not allow the packets without a NAT rule.

Check Point can pass traffic without NAT. NAT is only needed when you need access to the Internet from private or non-routable IP networks. For more, you should check the Firewall and SmartDefense document:

Many computers in an organization have private, non-routable IP addresses, but nevertheless require access to the Internet. In most cases it is impossible to simply give them Internet-routable IP addresses, due to the lack of available public IP addresses and administrative constraints. IPv4 (the current version of IP) provides only 32 bits of address space, so available IP addresses are becoming scarce, most having already been assigned. Internet Service Providers will usually allocate only one or a few addresses at a time. Larger companies may purchase several addresses for use, but purchasing addresses for every computer on the network is usually impossible. Even if public IP addresses become available, changing the addresses of every machine in a large network can be an administrative nightmare, being both labor intensive and time consuming.

Yes, NAT is not a "MUST"; it is only used as required. As long as both the target machine and the source machine can route the traffic/packets back to the gateway, i.e. the default gateways of both test machines point to the firewall in your test environment, and the gateway has the "state" information of the "request" packet, the reply can be routed back to the source. That's the concept of a "Stateful Inspection Firewall".
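To make the two points of this thread concrete (an accept rule plus working routing is enough, and NAT only enters when private addresses must reach the Internet), here is a toy model of a stateful-inspection gateway. It is an added example written for this thread, not Check Point code and not a model of FireWall-1 internals. The addresses are the ones quoted in the thread; the "public" addresses (198.51.100.1, 203.0.113.10) and the `StatefulGateway`, `AccessRule` and `HideNatRule` names are constructed for the illustration.

```python
"""Toy stateful-inspection gateway with an access policy and an optional NAT
table. Constructed for this thread; not Check Point code and not a model of
FireWall-1 internals. Public addresses are constructed from TEST-NET ranges."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str    # "echo-request" or "echo-reply"
    ident: int   # ICMP identifier; stands in for the TCP/UDP port pair


@dataclass(frozen=True)
class AccessRule:
    src_net: str
    dst_net: str
    action: str  # "accept" or "drop"


@dataclass(frozen=True)
class HideNatRule:
    orig_src_net: str    # hosts whose source address is hidden
    translated_src: str  # address they appear to come from


class StatefulGateway:
    def __init__(self, policy, nat_rules, routes):
        self.policy = list(policy)          # first match wins, top to bottom
        self.nat_rules = list(nat_rules)    # empty list means "no NAT"
        self.routes = [ip_network(r) for r in routes]  # networks the gateway can reach
        self.state = {}   # (src as sent out, dst, ident) -> original src
        self.log = []

    def _routable(self, addr):
        return any(ip_address(addr) in net for net in self.routes)

    def _lookup_rule(self, pkt):
        for rule in self.policy:
            if (ip_address(pkt.src) in ip_network(rule.src_net)
                    and ip_address(pkt.dst) in ip_network(rule.dst_net)):
                return rule
        return None          # no match: implicit cleanup drop

    def _translate_src(self, pkt):
        for rule in self.nat_rules:
            if ip_address(pkt.src) in ip_network(rule.orig_src_net):
                return rule.translated_src
        return pkt.src       # empty NAT table: address leaves unchanged

    def forward(self, pkt):
        """Return the packet as it leaves the gateway, or None if dropped."""
        if pkt.kind == "echo-reply":
            # Replies are checked against the state table, not the rulebase:
            # the accepted request already earned them a return path.
            key = (pkt.dst, pkt.src, pkt.ident)
            if key not in self.state:
                self.log.append(f"drop reply {pkt.src}->{pkt.dst}: no matching request")
                return None
            real_dst = self.state[key]   # undo hide NAT if it was applied
            return Packet(pkt.src, real_dst, pkt.kind, pkt.ident)
        rule = self._lookup_rule(pkt)
        if rule is None or rule.action != "accept":
            self.log.append(f"drop request {pkt.src}->{pkt.dst}: policy")
            return None
        if not self._routable(pkt.dst):
            self.log.append(f"drop request {pkt.src}->{pkt.dst}: no route")
            return None
        out_src = self._translate_src(pkt)
        self.state[(out_src, pkt.dst, pkt.ident)] = pkt.src
        return Packet(out_src, pkt.dst, pkt.kind, pkt.ident)


def demo_no_nat():
    """The thread's lab: one accept rule, empty NAT table, both LANs routed."""
    gw = StatefulGateway([AccessRule("10.0.0.0/24", "172.16.0.0/24", "accept")],
                         [], ["10.0.0.0/24", "172.16.0.0/24"])
    req = gw.forward(Packet("10.0.0.1", "172.16.0.1", "echo-request", 7))
    rep = gw.forward(Packet("172.16.0.1", "10.0.0.1", "echo-reply", 7))
    stray = gw.forward(Packet("172.16.0.1", "10.0.0.1", "echo-reply", 99))
    return req, rep, stray


def demo_hide_nat():
    """Private LAN reaching a constructed 'Internet' host behind hide NAT."""
    gw = StatefulGateway([AccessRule("10.0.0.0/24", "0.0.0.0/0", "accept")],
                         [HideNatRule("10.0.0.0/24", "198.51.100.1")],
                         ["10.0.0.0/24", "198.51.100.0/24", "203.0.113.0/24"])
    req = gw.forward(Packet("10.0.0.1", "203.0.113.10", "echo-request", 7))
    rep = gw.forward(Packet("203.0.113.10", "198.51.100.1", "echo-reply", 7))
    return req, rep


def demo_missing_route():
    """Same policy as the lab, but the gateway has no route to PCB's network."""
    gw = StatefulGateway([AccessRule("10.0.0.0/24", "172.16.0.0/24", "accept")],
                         [], ["10.0.0.0/24"])
    return gw.forward(Packet("10.0.0.1", "172.16.0.1", "echo-request", 7)), gw.log
```

`demo_no_nat()` reproduces the lab: the request passes on the accept rule, the reply passes on the state entry with no reverse rule and no NAT, and a reply with no matching request is dropped. `demo_hide_nat()` shows the only case where NAT does work: the private source is hidden behind a public address on the way out and restored on the way back. `demo_missing_route()` shows that policy alone is not enough when the gateway cannot reach the destination, which is the routing condition Ray and the last reply point at.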