NAT General Question

[clarkeyi]

Hello
I have a question on NAT - I have a web server in my DMZ (172.16.0.25) and use a Nokia firewall. If I want incoming NAT to this server do I need to get the mac address of my external firewall interface and create an arp entry in voyager referencing the mac address and nat'd ip address.
Then do I have to also add athe command set staticroute 89.x.x.x/32 nexthop gateway address q72.16.0.25 priority 1 on....and then also create nat'd hosts in my checkpoint firewall hosts within the smartcenter server. Does this sound correct steps as it seems longwinded to create manual static entry.

Thanks

[RayPesek]

Try going to the NAT tab on the web server object, setting Static and entering in the public IP address and selecting the Install On to the firewall. Then install the policy.

That will create an automatic proxy ARP entry on a Nokia as well. The route should be there already since it presumably is on a directly connected interface.

Ray

[MarioL]

Clark, what you described is the "old" way of doing NAT, from before the "Translate on client side" and "Automatic ARP configuration" options.

Unless you are using a really old version, up to v4.1 if memory serves, you will only need to do what Ray described.

If you have issues, go on "Policy->Global Properties" on the NAT tab and check if the options mentioned above are ticked.

[antonyso88]

I have a similar question. If i use manual destination NAT, is it still need to add route and arp mac address? I am using R61.

[kva.kva]

If you use manual NAT you need add arp entries.
Good doc - Firewall and SmartDefense User Guide R61 -> Network Address Translation (NAT) -> Check Point Solution for Network Address Translation

[antonyso88]

Thx a lot!