| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| Hello - Entering into an existing configuration and system. I have 3 interfaces, Inside, DMZ and Outside. Right now, everything is working. I have one subnet on the Inside. A Network object has been created, with NAT settings of "Add Automatic Address Translation rules", Translation method = Hide, hide behind Gateway. I need to create a new subnet on the inside...this subnet will get to the Inside interface via route, no sub interfaces on the Inside, just the same way it is. For this new network object subnet that I will create, do I just replicate the same as above? Do I need to do anything in the Address Translation tab? When/why would one Hide behind IP Address? Thanks...BirdDog. |
| |||
| Hi. Well, NATTING all depends on the topology that you have. If your new network is behind some L-3 switch or VLAN, then you need not have any NATTING; you just need to enter that subnet in the Anti-Spoofing and put the route for that subnet on the gateway if the subnet is coming through some route. Now, regarding the question of when to NAT and when not to NAT, the answer is that if your private network has been NATted by some device, then what is the need to do it again and again? If you need any more help, please clarify your network topology a bit more for me so that I can give you the exact resolution. Regards, Ranjit |
| |||
| Oh...seems much simpler...I read the Check Point chapter on NAT last night and now have a good understanding of NAT'ing with static vs Automatic. I have a layer 3 switch but will soon be doing VLAN'ing. So I plan to create a few VLANs that will L3 to the switch, then default route, next hop to the FW inside IP. So, in this case, for example, VLAN 2 = 10.10.0.0 hits the default route which is 192.168.10.1. So, I don't need to add a NAT, I can just add to spoofing. Just to know, what would happen if I also did add this new LAN segment to Auto NAT, hide behind gateway? Thanks...BirdDog |
| |||
| The easiest way to manage things when you have several internal networks is to create a group and add all the network objects in there. You can then use that group on the anti-spoofing configuration and also to create a manual hide NAT rule. This assumes that you want your internal networks to access the internet. In some configurations, you might not need to NAT them, but not many people go that route. |
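The group approach from the last reply, as an added example that is not part of the original thread and is not Check Point code: a simplified Python model in which one group of internal networks drives both the Inside interface's anti-spoofing check and the source match of a manual hide NAT rule. The /24 prefix lengths, the 192.168.10.0 inside subnet, the sample addresses and all function names are assumptions, and the DMZ interface is left out.

```python
import ipaddress

# Constructed sample data. The thread gives only 10.10.0.0 for VLAN 2 and
# 192.168.10.1 as the firewall's inside IP; the /24 masks are assumed.
GROUP_BEFORE = [ipaddress.ip_network("192.168.10.0/24")]
GROUP_AFTER = GROUP_BEFORE + [ipaddress.ip_network("10.10.0.0/24")]


def in_group(src, group):
    """True if the source address falls inside any network of the group."""
    addr = ipaddress.ip_address(src)
    return any(addr in network for network in group)


def antispoof_ok(src, iface, group):
    """Simplified anti-spoofing model (hypothetical helper).

    A packet arriving on Inside must have a source listed behind that
    interface; a packet arriving on Outside must not claim such a source.
    """
    if iface == "Inside":
        return in_group(src, group)
    return not in_group(src, group)


def evaluate(src, iface, group):
    """Apply anti-spoofing first, then the manual hide NAT source match."""
    if not antispoof_ok(src, iface, group):
        return "drop: anti-spoofing"
    if iface == "Inside" and in_group(src, group):
        return "pass: hide NAT behind gateway"
    return "pass: no NAT rule match"


if __name__ == "__main__":
    vlan2_host = "10.10.0.25"  # constructed host on the new routed subnet
    # Routed subnet missing from the group: dropped on the Inside interface.
    print(evaluate(vlan2_host, "Inside", GROUP_BEFORE))
    # Added to the group: passes anti-spoofing and matches the hide NAT rule.
    print(evaluate(vlan2_host, "Inside", GROUP_AFTER))
    # Same source arriving from the Outside interface is treated as spoofed.
    print(evaluate(vlan2_host, "Outside", GROUP_AFTER))
    # Unrelated external source (documentation range) is left alone.
    print(evaluate("203.0.113.9", "Outside", GROUP_AFTER))
```

Keeping one group as the single source for both settings means a new routed subnet cannot be added to NAT while being forgotten in the interface topology, or the reverse.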