Hi Sascha

Some people prefer to only use manual NAT, for more or less the reasons you are describing below. It does allow much finer-grained control. Personally I use a mix, depending on what I'm trying to achieve.

What I do with automatic NAT is configure it, but then have a rule at the top of my NAT rulebase that looks something like:

    Source: Internal + DMZ networks -> Destination: Internal + DMZ networks -> translate to source original, destination original.

That way the auto NAT rule is fine for stuff leaving your network, but won't apply for stuff between internal and DMZ networks.

- Lindsay

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Sascha Picchiantano
Sent: Wednesday, 30 March 2005 6:32 a.m.
To: [email protected]
Subject: [FW-1] Basic NAT question

Hi,

NAT has always confused me and probably always will. So please have some patience with me :)

Question. Say you have a very common network topology: Internal, DMZ, External (Internet). You use an automatic Hide NAT rule to hide your internal network behind the external gateway IP address. This will create two rules, one saying that internal talking to internal will not be NATted, while internal to any will be NATted.

Does that mean my traffic to the DMZ is also NATted? (Because the automatic rule created source: internal, destination: any -> NAT(H).) If that's true, automatic NAT means a lot of work eventually, because you have to explicitly turn off NATting between the segments that you don't want NATted.

Does that make any sense? :)

What is everyone using here? Manual or automatic NAT?
Thanks
Sascha

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
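The ordering point in Lindsay's reply (a no-NAT exemption rule placed above the automatic Hide NAT rules), worked through as an added example that is not part of the original thread: a small Python model of first-match NAT rulebase evaluation. The two rules that automatic Hide NAT generates are taken from Sascha's description; the address ranges (Internal 10.1.0.0/16, DMZ 192.168.100.0/24, external gateway 203.0.113.1) and the sample flows are constructed for the example and are not from the thread. The model also shows what happens if the exemption is placed at the bottom of the rulebase instead of the top.

```python
# Added example (not from the original thread): a first-match model of a
# Check Point style NAT rulebase, used to check the ordering point Lindsay
# makes. Addresses below are constructed for the example only.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology: assumed address ranges, not from the thread.
INTERNAL = [ip_network("10.1.0.0/16")]
DMZ = [ip_network("192.168.100.0/24")]
GATEWAY_EXT_IP = "203.0.113.1"    # external gateway address the auto rule hides behind
ANY = None                        # "Any" object: matches every address


@dataclass
class NatRule:
    name: str
    src: Optional[list]         # list of networks, or ANY
    dst: Optional[list]
    hide_behind: Optional[str]  # None = "Original" (no translation), else Hide NAT address

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return _in_any(src_ip, self.src) and _in_any(dst_ip, self.dst)


def _in_any(ip: str, nets: Optional[list]) -> bool:
    if nets is ANY:
        return True
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def auto_hide_rules() -> list:
    """The two rules an automatic Hide NAT on the Internal object generates,
    as Sascha describes them: internal->internal untouched, internal->any hidden."""
    return [
        NatRule("auto: Internal -> Internal, Original/Original", INTERNAL, INTERNAL, None),
        NatRule("auto: Internal -> Any, Hide behind gateway", INTERNAL, ANY, GATEWAY_EXT_IP),
    ]


def no_nat_exemption() -> NatRule:
    """Lindsay's manual rule: Internal+DMZ -> Internal+DMZ, Original/Original."""
    return NatRule("manual: Internal+DMZ -> Internal+DMZ, Original/Original",
                   INTERNAL + DMZ, INTERNAL + DMZ, None)


def translate(rulebase: list, src_ip: str, dst_ip: str):
    """First matching rule wins. Returns (rule name, source address as seen
    by the destination). None of these rules translate the destination."""
    for rule in rulebase:
        if rule.matches(src_ip, dst_ip):
            return rule.name, (rule.hide_behind or src_ip)
    return "no NAT rule matched", src_ip


if __name__ == "__main__":
    flows = [("10.1.5.5", "192.168.100.10"),   # internal -> DMZ
             ("192.168.100.10", "10.1.5.5"),   # DMZ -> internal
             ("10.1.5.5", "198.51.100.7")]     # internal -> Internet (constructed)
    for label, rb in [("auto only", auto_hide_rules()),
                      ("exemption on top", [no_nat_exemption()] + auto_hide_rules()),
                      ("exemption at bottom", auto_hide_rules() + [no_nat_exemption()])]:
        print(f"== {label}")
        for s, d in flows:
            name, seen = translate(rb, s, d)
            print(f"  {s} -> {d}: source seen as {seen}  [{name}]")
```

With only the automatic rules, internal-to-DMZ traffic hits "Internal -> Any" and arrives in the DMZ with the gateway's external address as its source, which is exactly the behaviour Sascha is asking about. With the exemption on top, the same flow keeps its original source, while internet-bound traffic still falls through to the hide rule. The "exemption at bottom" case is the check worth keeping in mind: placed below the automatic rules it never matches, because "Internal -> Any" wins first, so the rule has to sit above them as Lindsay says. On a real gateway the equivalent check is to watch the flow with fw monitor on the DMZ interface and confirm which source address the DMZ host actually sees.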
