CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: What is the difference between static and hide mode?

  1. #1
    Join Date
    2012-12-28
    Posts
    31
    Rep Power
    0

    What is the difference between static and hide mode?

    Hi Everybody,

    Who can explain to me the difference between Static and Hide NAT mode on a Check Point firewall?

    Thank you in advance.

    BR
    ABC

  2. #2
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,248
    Rep Power
    14

    Re: What is the difference between static and hide mode?

    Quote Originally Posted by abc150781 View Post
    Hi Everybody,

    Who can explain to me the difference between Static and Hide NAT mode on a Check Point firewall?

    Thank you in advance.

    BR
    ABC

    Static NAT is a one-to-one translation, 1 inside address and 1 outside address. Pretty much all firewall vendors use the term "Static" to describe a 1-to-1 NAT.

    Hide NAT is a many-to-one translation, many internal addresses to 1 outside address. Terms other vendors use to describe Hide NAT are: Port Address Translation (PAT), global, overload, IP & Port, and MIP.

    Starting in R75 it is possible to do a "many-to-fewer" manual Hide NAT rule where you take a large internal network and hide it behind a smaller outside network object or IP range. This many-to-fewer approach is handy for increasing the concurrent number of connections beyond the 50k limit per outside address; as an example, if the "fewer" side is a block of 4 addresses, then 200k concurrent connections can run through that NAT.

  3. #3
    Join Date
    2012-12-28
    Posts
    31
    Rep Power
    0

    Re: What is the difference between static and hide mode?

    Does one of these NAT modes also allow stateful NAT?
    What I mean is, is it possible to create only one NAT rule that allows translation both incoming and outgoing?
    I thought this is possible with static NAT... Maybe I'm wrong!

    BR
    ABC

  4. #4
    Join Date
    2012-07-10
    Location
    Zurich, Switzerland
    Posts
    257
    Rep Power
    8

    Re: What is the difference between static and hide mode?

    NAT always has to be specified per direction in the sense of connection establishment.
    Static NAT is, as said before, a 1:1 translation. If the connection establishment is bi-directional (both the inside and outside system may send the first SYN packet) then you need 2 NAT rules.
    If the connection is started only from inside, then you need just one static NAT rule. In other words, the return packets do not need a separate NAT rule.

    Hide mode NAT (or PAT for Cisco freaks) is unidirectional per se, meaning the connection can be established only from one side. And there again, the return packets are handled automatically as well, no additional NAT rule needed. Hide mode does modify the source port of each connection and is then aware of how to map the return packets to the correct original source IP address. For that reason, some dumb applications that rely on the source port will fail with hide mode NAT.

    HTH
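
A simplified model of the behaviour described in posts #2 and #4, added here as an illustration; it is not code from the thread or from Check Point. The addresses are documentation-range placeholders, `PORT_BASE` and all function names are assumptions, and the 50k-per-address ceiling is the figure quoted in post #2.

```python
# Toy model of hide NAT vs. static NAT (added example, not Check Point code).
# Addresses are documentation ranges; PORT_BASE is an assumed starting port.
PORT_BASE = 10000


def static_outbound(mapping, src_ip, src_port):
    """Static NAT: 1:1 address swap, source port left untouched."""
    return mapping[src_ip], src_port


class HideNat:
    def __init__(self, outside_ips, ports_per_ip):
        # Every free (outside_ip, port) pair is one connection slot, so
        # ports_per_ip is the per-address ceiling (50k in post #2).
        self.free = [(ip, PORT_BASE + p)
                     for ip in outside_ips for p in range(ports_per_ip)]
        self.free.reverse()          # pop() hands out the lowest slot first
        self.out = {}                # inside 4-tuple -> (nat_ip, nat_port)
        self.back = {}               # (nat_ip, nat_port) -> (src_ip, src_port)

    def capacity(self):
        return len(self.free) + len(self.back)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """First packet from inside: allocate a slot and rewrite the source."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out:
            if not self.free:
                return None          # pool exhausted: no new connections
            nat = self.free.pop()
            self.out[key] = nat
            self.back[nat] = (src_ip, src_port)
        return self.out[key]

    def inbound(self, nat_ip, nat_port):
        """Packet arriving at the hide address: state hit or drop (None)."""
        return self.back.get((nat_ip, nat_port))


if __name__ == "__main__":
    nat = HideNat(["203.0.113.10"], ports_per_ip=2)   # tiny pool for the demo
    a = nat.outbound("10.0.0.5", 40000, "198.51.100.7", 443)
    b = nat.outbound("10.0.0.6", 40000, "198.51.100.7", 443)
    print("hide:", a, b)                      # same source port, two slots
    print("return ->", nat.inbound(*a))       # mapped back via the port
    print("unsolicited ->", nat.inbound("203.0.113.10", 22))
    print("third conn ->", nat.outbound("10.0.0.7", 40000, "198.51.100.7", 443))
    print("static:", static_outbound({"10.0.0.5": "203.0.113.20"}, "10.0.0.5", 40000))
    print("4 x 50k:", HideNat([f"203.0.113.{i}" for i in range(1, 5)], 50000).capacity())
```
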

  5. #5
    Join Date
    2006-09-26
    Posts
    3,193
    Rep Power
    16

    Re: What is the difference between static and hide mode?

    Quote Originally Posted by ShadowPeak.com View Post
    Starting in R75 it is possible to do a "many-to-fewer" manual Hide NAT rule where you take a large internal network and hide it behind a smaller outside network object or IP range. This many-to-fewer approach is handy for increasing the concurrent number of connections beyond the 50k limit per outside address; as an example, if the "fewer" side is a block of 4 addresses, then 200k concurrent connections can run through that NAT.

    Can this be done on an NGx R71.30 Security Gateway from an R75.46 Management Server? To be precise, will it work on an R71.30 security gateway managed by an R75.46 Management Server?

  6. #6
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,248
    Rep Power
    14

    Re: What is the difference between static and hide mode?

    Quote Originally Posted by cciesec2006 View Post
    Can this be done on an NGx R71.30 Security Gateway from an R75.46 Management Server? To be precise, will it work on an R71.30 security gateway managed by an R75.46 Management Server?

    I've never tried it on a gateway prior to R75; my guess would be no. I do remember trying a many-to-fewer NAT on an R71.30 Mgmt Server and R71.30 Gateway and the NAT policy failed verification.

  7. #7
    Join Date
    2006-09-26
    Posts
    3,193
    Rep Power
    16

    Re: What is the difference between static and hide mode?

    Quote Originally Posted by ShadowPeak.com View Post
    I've never tried it on a gateway prior to R75; my guess would be no. I do remember trying a many-to-fewer NAT on an R71.30 Mgmt Server and R71.30 Gateway and the NAT policy failed verification.

    I guess Check Point has finally done what Cisco has been able to accomplish for at least ten years :-)

  8. #8
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Re: What is the difference between static and hide mode?

    Quote Originally Posted by cciesec2006 View Post
    I guess Check Point has finally done what Cisco has been able to accomplish for at least ten years :-)

    Actually the "many to fewer NAT" feature has been in the Check Point code since at least R70, if my memory is correct.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  9. #9
    Join Date
    2016-09-22
    Posts
    1
    Rep Power
    0

    Re: What is the difference between static and hide mode?

    Quote Originally Posted by abc150781 View Post
    Hi Everybody,

    Who can explain to me the difference between Static and Hide NAT mode on a Check Point firewall?

    Thank you in advance.

    BR
    ABC

    Hi

    I have published a post in my blog SomoIT.net that could help you:
    Checkpoint Hide NAT vs Static NAT

    Thanks!

  10. #10
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,650
    Rep Power
    10

    Re: What is the difference between static and hide mode?

    Quote Originally Posted by SomoIT.net View Post
    Hi

    I have published a post in my blog SomoIT.net that could help you:
    Checkpoint Hide NAT vs Static NAT

    Thanks!

    Look out Coral! WALKERS!

  11. #11
    Join Date
    2012-08-16
    Posts
    182
    Rep Power
    8

    Re: What is the difference between static and hide mode?

    [Attached image: coral.jpg]
