8. Check Point Getting Started R80.20. NAT


Welcome to Lesson 8. This lesson is very important, because upon its completion you will already be able to set up Internet access for your users! I must admit that many people stop their setup at this point. But we are not among them! We still have a lot of interesting things ahead. And now to the topic of our lesson.

As you probably guessed, today we will talk about NAT. I am sure that everyone following this lesson knows what NAT is, so we will not describe in detail how it works. I will only repeat once again that NAT is an address translation technology that was invented in order to save "white", i.e. public, IP addresses (those that are routed on the Internet).

In the previous lesson, you probably already noticed that NAT is part of the Access Control policy. This is very logical. In SmartConsole, the NAT settings are moved to a separate tab, and we will definitely look there today. In this lesson we will discuss the types of NAT, configure Internet access and look at the classic example of port forwarding, that is, the functionality that is most often used in companies. Let's get started.

Two ways to set up NAT

Check Point supports two ways to configure NAT: Automatic NAT and Manual NAT. Moreover, for each of these methods there are two types of translation: Hide NAT and Static NAT. Overall, it looks like this:


I understand that right now this most likely looks very complicated, so let's look at each type in a little more detail.

Automatic NAT

This is the fastest and easiest way. NAT setup is done in just two clicks. All you need to do is open the properties of the desired object (be it a gateway, network, host, etc.), go to the NAT tab and check the box "Add automatic address translation rules". There you will also see the translation method field. There are two methods, as mentioned above.


1. Automatic Hide NAT

By default, the method is Hide. That is, in this case our network will "hide" behind some public IP address. The address can be taken from the external interface of the gateway, or you can specify some other one. This type of NAT is often referred to as dynamic or many-to-one, because several internal addresses are translated into one external address. Naturally, this is possible due to the use of different ports during translation. Hide NAT only works in one direction (from inside to outside) and is ideal for local area networks when you just need to provide access to the Internet. If traffic is initiated from an external network, then NAT will naturally not work. This gives, in effect, additional protection for internal networks.

2. Automatic Static NAT

Hide NAT is fine in every respect, but perhaps you need to provide access from the external network to some internal server. For example, to a DMZ server, as in our example. In this case, Static NAT can help us. It is also quite easy to set up. It is enough to change the translation method to Static in the object properties and specify the public IP address that will be used for NAT (see the picture above). That is, if someone from the external network accesses this address (on any port!), then the request will be passed to the server on its internal IP address. At the same time, if the server itself initiates traffic to the Internet, its IP address will also be changed to the address we specified. That is, it is NAT in both directions. It is also called one-to-one and is sometimes used for public servers. Why "sometimes"? Because it has one big drawback: the public IP address is fully occupied (all ports). You cannot use one public address for different internal servers (on different ports), for example HTTP, FTP, SSH, SMTP, etc. Manual NAT can solve this problem.

Manual NAT

The peculiarity of Manual NAT is that you need to create the translation rules yourself, in the same NAT tab of the Access Control Policy. At the same time, Manual NAT allows you to create more complex translation rules. The following fields are available to you: Original Source, Original Destination, Original Services, Translated Source, Translated Destination, Translated Services.


Two types of NAT are also possible here: Hide and Static.

1. Manual Hide NAT

Hide NAT in this case can be used in different situations. A couple of examples:

  1. When accessing a particular resource from the local network, you want to use a different address for translation (different from the one used in all other cases).
  2. The local network has a huge number of computers. Automatic Hide NAT will not work here, because with this setting it is possible to set only one public IP address behind which the computers will "hide". Ports for translation may simply not be enough. As you remember, there are a little more than 65 thousand of them, and each computer can generate hundreds of sessions. Manual Hide NAT allows you to set a pool of public IP addresses in the Translated Source field, thereby increasing the number of possible NAT translations.

2. Manual Static NAT

Static NAT is used much more often when manually creating translation rules. A classic example is port forwarding: a public IP address (which may belong to the gateway) is accessed from an external network on a specific port, and the request is translated to an internal resource. In our lab, we will forward port 80 to the DMZ server.
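To make the three behaviours described above concrete, here is an added example (not from the original lesson and not Check Point code) that models them in Python: Hide NAT with a pool of public addresses and a deliberately tiny port range so exhaustion is visible, Automatic Static NAT in both directions, and a Manual Static rule forwarding port 80 to the DMZ server. All addresses, ports and the Gateway/Packet classes are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample addresses (RFC 5737 documentation ranges), not from the lesson.
PUBLIC_IP = "203.0.113.1"    # gateway external interface
DMZ_SERVER = "10.0.2.10"     # internal DMZ web server
DMZ_PUBLIC = "203.0.113.10"  # public address given to the DMZ server by Static NAT


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Gateway:
    def __init__(self, hide_pool, port_lo=10000, port_hi=10002):
        self.hide_pool = list(hide_pool)       # Manual Hide NAT: pool in Translated Source
        self.ports = range(port_lo, port_hi)   # tiny range on purpose, to show exhaustion
        self.sessions = {}                     # (pub_ip, pub_port) -> (src, sport, dst, dport)
        self.static = {DMZ_SERVER: DMZ_PUBLIC}  # Automatic Static NAT: one-to-one, both ways
        self.forwards = {(PUBLIC_IP, 80): (DMZ_SERVER, 80)}  # Manual Static NAT: port forward

    def outbound(self, p):
        """LAN -> Internet. Static hosts keep their own public address; everyone else hides."""
        if p.src in self.static:
            return Packet(self.static[p.src], p.sport, p.dst, p.dport)
        for pub in self.hide_pool:             # many-to-one: free (address, port) pairs are the limit
            for port in self.ports:
                if (pub, port) not in self.sessions:
                    self.sessions[(pub, port)] = (p.src, p.sport, p.dst, p.dport)
                    return Packet(pub, port, p.dst, p.dport)
        return None  # every (address, port) pair is in use: the translation fails

    def inbound(self, p):
        """Internet -> gateway. Rules are checked in order, like a NAT rulebase."""
        if (p.dst, p.dport) in self.forwards:  # port forwarding wins for its specific port
            dst, dport = self.forwards[(p.dst, p.dport)]
            return Packet(p.src, p.sport, dst, dport)
        for inner, pub in self.static.items():  # Static NAT: any port reaches the server
            if p.dst == pub:
                return Packet(p.src, p.sport, inner, p.dport)
        sess = self.sessions.get((p.dst, p.dport))
        if sess and (p.src, p.sport) == (sess[2], sess[3]):  # reply to a hidden session only
            return Packet(p.src, p.sport, sess[0], sess[1])
        return None  # traffic initiated from outside toward a hidden host is dropped
```

The reply check compares the remote endpoint as well as the translated port, which is what stops an outside host from reaching a hidden machine just by guessing a port in use.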

Video tutorial


Stay tuned for more and join our YouTube channel :)

Source: habr.com
