Over the last 6 months I have been taking on a greater role with our networks at work and as such have fairly good exposure to administering CheckPoint based security devices, more specifically CheckPoint Firewall-1 NGX R65 and CheckPoint SmartCenter on SecurePlatform.
We have recently installed new Polycom HDX video conferencing units and needed to allow the internal IPs of those video conference units to NAT through our firewall out to public IPs for external calls. This is achieved with Network Address Translation (NAT) configured on host objects in your CheckPoint database, which is then applied to a Firewall-1 appliance.
How do you do this? Easy. From a host object's point of view there are two supported translation methods: static or hide.
Once I had determined which public IP addresses I wanted to use for each video conference, I was able to sort out the NAT for each video conference unit by:
- Create a host object for the VC (e.g. BoardroomVC) and add the correct internal IP
- (optional) add each new host to a group called ‘video conference units’; this is useful for referring to all VCs in the firewall rulebase
- Right-click the host and click Properties
- Click ‘NAT’ on the left hand side
- Check the box ‘Add Automatic Address Translation rules’
- Select Translation Method = Static
- Enter the public IP address that the host's internal IP should be translated to
- (optional) select which gateway this NAT applies to, otherwise leave ‘All’ selected to install it on all gateways managed by the SmartCenter.
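As an added illustration (not part of the original post or a CheckPoint tool), the script below models what ticking ‘Add Automatic Address Translation rules’ produces for static versus hide hosts, and runs the sanity checks worth doing before you install the policy: internal addresses really are private, public addresses really are public, and no two static hosts claim the same public IP. The host names, addresses and the simplified two-rules-per-static-host model are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RFC 1918 ranges: the internal side must be in one, the translated side must not.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Host:
    name: str
    internal_ip: str
    method: str = None          # "static", "hide" or None (NAT box unchecked)
    translated_ip: str = None   # public IP for static, hide-behind IP for hide
    install_on: str = "All"     # gateway chosen on the NAT tab

@dataclass(frozen=True)
class NatRule:
    orig_src: str
    orig_dst: str
    xlate_src: str  # "=" means the field is left as the original
    xlate_dst: str
    install_on: str

def automatic_nat_rules(hosts):
    """Simplified model (assumption) of the automatic rulebase: static NAT yields
    outbound and inbound rules, hide NAT only the outbound one (no dial-in)."""
    rules = []
    for h in [h for h in hosts if h.method]:
        rules.append(NatRule(h.internal_ip, "Any", h.translated_ip, "=", h.install_on))
        if h.method == "static":
            rules.append(NatRule("Any", h.translated_ip, "=", h.internal_ip, h.install_on))
    return rules

def check_nat_settings(hosts):
    """Problems worth catching before 'Install Policy' pushes the rules."""
    problems, used = [], {}
    for h in [h for h in hosts if h.method]:
        inside, outside = ip_address(h.internal_ip), ip_address(h.translated_ip)
        if not any(inside in n for n in RFC1918):
            problems.append(f"{h.name}: internal address {inside} is not RFC 1918")
        if any(outside in n for n in RFC1918):
            problems.append(f"{h.name}: translated address {outside} is RFC 1918")
        if h.method == "static" and outside in used:
            problems.append(f"{h.name}: public IP {outside} already used by {used[outside]}")
        used.setdefault(outside, h.name)
    return problems

# Constructed sample: two VC units on 10.1.1.0/24 plus one that reuses a public IP.
VC_UNITS = [Host("BoardroomVC", "10.1.1.10", "static", "203.0.113.10"),
            Host("MeetingRoomVC", "10.1.1.11", "static", "203.0.113.11"),
            Host("LabVC", "10.1.1.12", "static", "203.0.113.10")]
```

Running `check_nat_settings(VC_UNITS)` reports the duplicate public IP on LabVC, which is exactly the kind of mistake that only shows up as a silently broken call once the policy is installed.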
That’s all there is to it. The NAT will take effect once you install the policy to your firewall gateway. Once you know how NAT works in CheckPoint it is pretty straightforward. This example was pretty basic, using static NATing; NAT can get a bit more complicated, but as they say in IT, the simpler approach is usually the best!