CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi all,

I have configured hide NAT on the network object to hide behind the gateway. I have policies and all. I have also put a policy to permit from the external network to the internal network. Now I am trying to access the internal host on its actual IP address and it's working. Is NATting uni-directional in Check Point? Because in Cisco or NetScreen, when we configure dynamic NAT for internal hosts, then from external networks you cannot reach the internal hosts on their actual addresses even though a policy permits it. Is this the way Check Point dynamic NATting works? Can someone please confirm this?

Regards,
Sebastan
If the policy permits and the real IP address of the host is routable, then this will work. It's really silly to "hide" a routable IP address that you are allowing external connections to.

Hide NATs are uni-directional in origination (host outbound); static, or one-to-one, NATs are bi-directional in origination. So, if my.host has IPA and a hide address of IPh, when my.host connects to ftp.site the connection and return path will be on IPh. If outside.site tries to start a connection to IPh it will fail (this is the point of a stateful firewall). Now if IPA is a routable address and the policy permits, outside.site can connect to IPA. If my.host is a static NAT (the normal way of doing this) of IPA', then a connection to or from my.host (assuming policy allows) is possible on IPA'.

As for the PIX, before version 7, all connections were NATed. In some cases they were NATed to the same address (e.g. 4.2.2.2 inside, 4.2.2.2 outside). This is a remnant of the PIX's original function, to provide NAT. If configured "correctly" you can achieve the same hide-outbound and don't-translate-inbound on the PIX and ASA that you describe.

The real question is, what are you trying to accomplish?
Hi Jim,

Thanks a lot for your reply, mate. I am not trying to accomplish anything. I have just started working with Check Point. I have been only working on Cisco for a long time, so I was asking whether I am getting the working of NAT on Check Point right. Thanks for your reply.

Regards,
Sebastan
If the policy permits access to your internal network from the external network, and you actually have a route from the external network to the internal network, then yes, you can access the internal network from the internal network. As you are going to the actual IP of the internal box, you are not NATting when you do this. Check Point has no concept of internal, external, or security level on the interfaces like Cisco does, which is why you can do this on a Check Point, if the policy permits. Remember however that normally from the Internet there will be no route to your private internal network, so it isn't a real issue, as normally you would not have a policy from the external to the internal network.
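To make the behaviour the two replies describe concrete, here is a toy stateful-firewall model added for this thread (it is not Check Point code and not from any poster). It assumes the placeholder names from Jim's reply (my.host at IPA, hide address IPh, static address IPA', ftp.site and outside.site) and a policy given as permitted (source, destination) pairs; it shows that hide NAT only creates state when the inside originates, that a static NAT answers in both directions, and that the real address is reachable only when it is routed from outside and the policy permits.

```python
# Added illustration, not from the CPUG thread: a toy stateful firewall that
# models the hide-NAT, static-NAT and real-IP cases described in the replies.
# IPA, IPh, IPA_prime, ftp.site and outside.site are placeholder names.
from dataclasses import dataclass, field

HIDE_IP = "IPh"                    # hide address shared by outbound sessions
HIDE_HOSTS = {"IPA"}               # internal hosts hidden behind IPh when they originate
STATIC_MAP = {"IPA_prime": "IPA"}  # static NAT: public IPA' <-> real IPA (bi-directional)


@dataclass
class Firewall:
    policy: set                    # permitted (src, dst) pairs; "*" is a wildcard
    routable: set                  # internal real addresses the outside can route to
    xlate: dict = field(default_factory=dict)  # (IPh, port) -> (real host, real port)
    next_port: int = 40000

    def permitted(self, src, dst):
        return any(s in (src, "*") and d in (dst, "*") for s, d in self.policy)

    def outbound(self, src, sport, dst):
        """Internal host originates. Returns the (addr, port) seen on the outside."""
        if not self.permitted(src, dst):
            return None
        if src in HIDE_HOSTS:      # hide NAT: allocate a translation entry now
            pub = (HIDE_IP, self.next_port)
            self.next_port += 1
            self.xlate[pub] = (src, sport)
            return pub
        return (src, sport)

    def inbound(self, src, dst, dport):
        """External host sends to us. Returns the real (addr, port) or None if dropped."""
        if (dst, dport) in self.xlate:         # reply to a hide-NAT session: translate back
            return self.xlate[(dst, dport)]
        if dst == HIDE_IP:                     # unsolicited to IPh: no state, so it fails
            return None
        real = STATIC_MAP.get(dst)             # static NAT answers for IPA' at any time
        if real is None:
            if dst not in self.routable:       # real address not routed from outside
                return None
            real = dst
        # Toy simplification: the policy is matched on the real host address.
        return (real, dport) if self.permitted(src, real) else None
```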