CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi all, I have configured automatic static NAT for an internal host to a public IP address. I have also created a policy permitting traffic from external hosts to the static NAT address, and it works fine. But when I have a policy in which I am permitting traffic from external hosts to the actual internal host IP address, it still works. I am a little amazed by this kind of working. Am I going wrong anywhere? In Cisco and NetScreen, when we map an internal host to an external IP, the host can be reached only through the external IP and not the real IP, even though a policy permits it. I feel that's the true way of statically mapping an internal host to an external host, so that people cannot reach the actual host IP address. Can someone please clarify this behaviour of Check Point?

Regards,
Sebastan
For sure this is correct operation. If you have "routes" and "rules" which will allow connectivity between external clients and your internal network without NATing, then FireWall-1 is only doing what it is told, and will allow the connection. If you only want external clients to connect to your network using the NAT that you have set up, then you should NOT configure rules that will allow access without NATing.

Last edited by coldark; 2008-04-15 at 04:47. Reason: deletion of incorrect words - clarification
Hi mate, thanks a lot for your reply. You mean to say that if I have configured static NAT for an internal host and have a policy permitting traffic from an external host to the actual internal host, then the packet will be allowed? Can you please confirm this, mate? Thanks a lot, mate, for helping me out. Waiting for your reply.

Regards,
Sebastan
When you use Automatic NAT, the one object contains the public AND the private IP address. As such, if you take your MailServer, give the object an IP of 10.10.10.10 and then automatic Static NAT to 40.40.40.40, then wherever you use the object MailServer there are actually two IP addresses included in the security policy. From the Internet the policy will match with the 40.40.40.40 address. Whilst from your public IP range you can access the internal 10.10.10.10 as well, that is not routable over the Internet, so if someone from another public net attempted to access you as 10.10.10.10 it would not be routed to your Firewall, but get dropped as not a public IP. As such your rules look like:

Src = Any
Dst = MailServer (10.10.10.10)(40.40.40.40)
Srv = SMTP
Action = Accept

Src = MailServer (10.10.10.10)(40.40.40.40)
Dst = Any
Srv = SMTP
Action = Accept

This is why you can use the same object for the public and private address. The alternative is to use Manual NAT and use two objects:

MailServer_Internal (10.10.10.10)
MailServer_External (40.40.40.40)

Your rules would now need to be:

Src = Any
Dst = MailServer_External (40.40.40.40)
Srv = SMTP

Src = MailServer_Internal (10.10.10.10)
Dst = Any
Srv = SMTP

Last edited by mcnallym; 2008-04-15 at 05:35.
Hi mate, thanks a lot, man, for your detailed explanation. So in this case I can have the server being accessed on its private IP from the intranet and at the same time have it accessed on the public IP from the Internet. Is this possible? I have also posted the same query regarding policy static NAT in another thread. If you can please help me out with the same, it would be great. Waiting for your reply.

Thanks, regards,
Sebastan
From the intranet, I would assume that you have your private IP published in DNS and the public IP in the MX record for the outside world. One rule fits all in this scenario and is my preferred method of deployment. After all, if you're willing to allow 'Any' as a source, then does it matter if it also covers internal users as well as external? Nope, no additional risk is involved, so this is a good method. Also, as mcnallym mentioned, you always have the option to do the NAT manually as well. Be aware that if you do this on a Nokia appliance, you will need proxy ARP entries as well as the manual NAT rules. On rare occasion (with very unusual circumstances) I have had to use this method to make something work properly.

__________________
There's no place like 127.0.0.1

Last edited by lammbo; 2008-04-15 at 06:17.
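The object expansion mcnallym describes, and lammbo's routability point, as an added toy model of the two rulebases (this is example code written for this thread, not Check Point's own implementation; the client addresses 192.168.1.20 and 203.0.113.5 are constructed, the object names and 10.10.10.10/40.40.40.40 are the ones used above):

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class HostObject:
    """A rulebase object; with automatic static NAT it carries both addresses."""
    name: str
    private_ip: str
    auto_nat_public_ip: Optional[str] = None  # set only when automatic NAT is configured

    def addresses(self) -> FrozenSet[str]:
        addrs = {self.private_ip}
        if self.auto_nat_public_ip:
            addrs.add(self.auto_nat_public_ip)  # the same object now matches both IPs
        return frozenset(addrs)


@dataclass(frozen=True)
class Rule:
    src: Optional[HostObject]  # None means Any
    dst: Optional[HostObject]  # None means Any
    service: str
    action: str = "accept"


def first_match(rules: List[Rule], src_ip: str, dst_ip: str, service: str) -> str:
    """Top-down first match; no rule matched means the implicit cleanup drop."""
    for r in rules:
        if r.src is not None and src_ip not in r.src.addresses():
            continue
        if r.dst is not None and dst_ip not in r.dst.addresses():
            continue
        if r.service != service:
            continue
        return r.action
    return "drop"


def reachable_from_internet(dst_ip: str) -> bool:
    """lammbo's point: a private destination is never routed to the firewall from outside."""
    return not ip_address(dst_ip).is_private


# Automatic NAT: one object, one inbound rule (mcnallym's first rulebase).
mail_auto = HostObject("MailServer", "10.10.10.10", auto_nat_public_ip="40.40.40.40")
AUTO_NAT_POLICY = [Rule(None, mail_auto, "smtp")]

# Manual NAT: two objects, only the external one appears in the inbound rule.
mail_int = HostObject("MailServer_Internal", "10.10.10.10")
mail_ext = HostObject("MailServer_External", "40.40.40.40")
MANUAL_NAT_POLICY = [Rule(None, mail_ext, "smtp")]
```

Running `first_match` over both policies shows the difference the original poster noticed: a constructed internal client at 192.168.1.20 reaching 10.10.10.10 on SMTP is accepted by the automatic NAT rule but hits the cleanup drop under manual NAT, while 40.40.40.40 is accepted by both.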
Hi mate, thanks a lot for your reply. In the case where I want my server to be accessible by two different external IP addresses, then I would need manual NAT only, because with auto static NAT the internal host can only be mapped to a single external IP address. Thanks a lot to all you guys for helping me out in learning Check Point. I am really starting to like this product.

Regards,
Sebastan