Automatic Static NAT Question



eew2000
2011-05-09, 15:32
Hi guys,
I am going to attend the exam this Tuesday.
I am a little bit confused with this question:

Which answers are TRUE? Automatic Static NAT CANNOT be used when:
i) NAT decision is based on the destination port
ii) Source and Destination IP both have to be translated
iii) The NAT rule should only be installed on a dedicated Gateway only
iv) NAT should be performed on the server side
A. (i), (ii), and (iii)
B. (i) and (ii)
C. (ii) and (iv)
D. only (i)

The answer in the official Check Point CCSA R71 Practice Exam is D.
In the P4S, the right answer is A.
In my opinion, the answer should be B.
What do you guys think about the right answer?
Thanks for any help in advance.

eew2000
2011-05-09, 15:37
Answer A should be wrong because of iii) - the rule can be installed both on a dedicated firewall and on all firewalls.

But i) and ii) seem to be right.

alienbaby
2011-05-09, 15:58
i) NAT decision is based on the destination port

Automatic NAT cannot act on the ports involved.

ii) Source and Destination IP both have to be translated

Check your general properties / NAT. Automatic NAT can combine two different automatic NAT rules when one is translating source and the other is translating destination.

iii) The NAT rule should only be installed on a dedicated Gateway only

When you define automatic NAT on an object, you're given a pull down menu choice for which firewall/cluster this NAT is to be performed.

iv) NAT should be performed on the server side

Although I only do client side, Automatic NAT can be done on the server side. It just requires you to put in a route for each NAT.

Answer: D

PhoneBoy
2011-05-09, 16:04
Here's why D is correct:

i) NAT decision is based on the destination port -- Automatic NAT rules do not discuss ports at all. FALSE

ii) Source and Destination IP both have to be translated -- This is accomplished by the "allow bi-directional NAT" checkbox in Global Properties which allows two automatic NAT rules to be matched. TRUE

iii) The NAT rule should only be installed on a dedicated Gateway only -- The NAT tab of a network object specifies gateway(s) to install the automatic rule on. TRUE

iv) NAT should be performed on the server side -- There is a Translate Destination on Client side checkbox in Global Properties for this. TRUE

SmashySmashy
2011-05-09, 17:12
I saw this question on one of the Check Point practice exams. It also had the correct answer as D.

eew2000
2011-05-10, 14:07
Hi guys,
Thank you very much!