Checkpoint Firewall – Static Network Address Translation (NAT) How To

Over the last 6 months I have been taking on a greater role with our networks at work and as such have fairly good exposure to administering CheckPoint based security devices, more specifically CheckPoint Firewall-1 NGX R65 and CheckPoint SmartCenter on SecurePlatform.

We have recently installed new Polycom HDX video conferencing units and needed to allow the internal IP’s of those video conferences to NAT through our firewall out to public IPs for external calls. The way this is achieved is through Network Address Translation (NAT) through host objects in your checkpoint database which are then applied to a Firewall-1 appliance.

How do you do this? Easy. There are two translation methods supported from a host point of view, static or hide.

Once I had determined which public IP addresses I wanted to use for each video conference, I was able to sort out the NAT for each video conference unit by:

  1. Create a host object for the VC (eg. BoardroomVC) and add the correct internal IP
  2. (optional) – add each new host to a group called ‘video conference units’, useful to group all VC’s for use in firewall rulebase
  3. Right-Click a host and click properties
  4. Click ‘NAT’ on the left hand side
  5. Check the box ‘Add Automatic Address Translation rules’
  6. Select Translation Method = Static
  7. Enter the public IP address you wish to NAT the internal IP of the host to an external IP
  8. (optional) – select which gateway this NAT will work with, otherwise leave ‘All’ selected to install to all gateways managed by the SmartCenter.

That’s all there is to it. The NAT will take effect once you install the policies to your firewall gateway. Once you know how NAT works in CheckPoint it is pretty straight forward. This example was pretty basic by using static NAT’ing however NAT can get a bit more complicated but as they say in IT the simpler approach is usually the best!

One thought on “Checkpoint Firewall – Static Network Address Translation (NAT) How To”

  1. Ok so given a large deployment how can I show all those static NATs that have been assigned? Say you go and assign that static nat (as well as a bunch of others) and have crappy documentation and need to assign another address but want to make sure its not in use? Even on the firewall there doesnt seem to be any show commands that show ALL addresses an interface is servicing ARP for – or is there? Help!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s