Hi Sascha,

When you NAT, it only NATs from the internal networks to the External
networks and/or manually defined NAT rules, DMZ included if you specify it
that way.  But if you're asking if your internal network is NAT'd to your DMZ
network by default, the answer is no.  NAT'ing only occurs if you manually
create a NAT rule, or if it's destined for the external network.

My network is exactly the way you described and I actually hide-NAT my
internal network to a different IP than the FW itself.  This just keeps
people that want to attempt to examine the device the traffic is coming from
hitting a blank wall rather than the FW itself.  I have all my DMZ items
NAT'd Internal to External 1 to 1 as well.

-Lyle


-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]]
On Behalf Of Sascha Picchiantano
Sent: Tuesday, March 29, 2005 10:32 AM
To: [email protected]
Subject: [FW-1] Basic NAT question

Hi,

NAT has always confused me and probably always will. So please have
some patience with me :)   Question. Say you have a very common network
topology: Internal, DMZ, External (Internet). You use an automatic HideNAT
rule to hide your internal network behind the external gateway IP address.
This will create two rules, one saying that internal talking to internal
will not be natted while internal to any will be natted.
Does that mean my traffic to the DMZ is also natted? (because the automatic
rule created source:internal, destination:any ->NAT(H))?

If that's true, automatic NAT means a lot of work eventually because you
have to explicitly turn off natting between the segments that you don't want
natted.

Does that make any sense? :)

What is everyone using here? Manual or automatic NAT?

Thanks
Sascha

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to
[EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email
[EMAIL PROTECTED]
=================================================
