Also note that the order of the NAT rules will affect how things work out.
As a typical practice, you would put 'no NAT' rules at the beginning,
followed by 'static NAT' rules, then have the 'hide all' NAT rules at the
bottom.

Example:
--- src=inside-group dst=dmz-group nat-src=original nat-dst=original
--- src=any dst=dmz-web-server-public-ip nat-src=original nat-dst=dmz-web-server-private-ip
--- src=inside-group dst=any nat-src=hide-public-ip nat-dst=original

Typically, only a few 'no nat' rules and 'hide all' rules would satisfy
most complicated network topologies.  The real lengthy NAT rules would be for
all your static NAT requirements.

Checkpoint NAT config is very cool, particularly when you look at how NAT
would be configured in Cisco IOS.

-raymond
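To make the ordering point concrete, here is an added example (not Raymond's configuration and not Check Point code) that models a manual NAT rule base as a first-match, top-to-bottom list and evaluates a few flows against the three rules above, once in the recommended order and once with the 'hide all' rule moved to the top. All addresses, group memberships and rule names are constructed for the example; the model ignores the service columns and automatic NAT rules of a real FireWall-1 rule base. It also includes a small shadowing check that reports any rule an earlier, broader rule prevents from ever matching, which is the failure the wrong ordering produces.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = ("any",)

# Constructed addresses (RFC 5737 documentation ranges and private space);
# they stand in for the object groups named in the post.
INSIDE_GROUP = ("10.1.0.0/16", "10.2.0.0/16")   # assumed 'inside-group'
DMZ_GROUP = ("192.168.100.0/24",)               # assumed 'dmz-group'
WEB_PUBLIC = "203.0.113.10"                     # assumed web server public IP
WEB_PRIVATE = "192.168.100.10"                  # assumed web server private IP
HIDE_PUBLIC = "203.0.113.1"                     # assumed 'hide-public-ip'


@dataclass(frozen=True)
class NatRule:
    name: str
    src: tuple        # original source: networks/hosts, or ANY
    dst: tuple        # original destination: networks/hosts, or ANY
    nat_src: str      # "original" or the translated source address
    nat_dst: str      # "original" or the translated destination address


def _matches(objs, addr):
    """True if addr falls inside any member of the object group."""
    if objs == ANY:
        return True
    return any(ip_address(addr) in ip_network(n) for n in objs)


def translate(rulebase, src, dst):
    """Apply the rule base first-match, top to bottom.

    Returns (rule name, translated src, translated dst). A packet that
    matches no rule keeps its original addresses and gets rule name None.
    """
    for rule in rulebase:
        if _matches(rule.src, src) and _matches(rule.dst, dst):
            new_src = src if rule.nat_src == "original" else rule.nat_src
            new_dst = dst if rule.nat_dst == "original" else rule.nat_dst
            return rule.name, new_src, new_dst
    return None, src, dst


def _covers(outer, inner):
    """True if every member of object group `inner` lies within `outer`."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return all(any(ip_network(i).subnet_of(ip_network(o)) for o in outer)
               for i in inner)


def shadowed_rules(rulebase):
    """Rules that can never match because an earlier rule covers them.

    Returns a list of (shadowed rule name, name of the earlier rule).
    """
    found = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if _covers(earlier.src, later.src) and _covers(earlier.dst, later.dst):
                found.append((later.name, earlier.name))
                break
    return found


NO_NAT = NatRule("no-nat-inside-to-dmz", INSIDE_GROUP, DMZ_GROUP, "original", "original")
STATIC = NatRule("static-web-server", ANY, (WEB_PUBLIC,), "original", WEB_PRIVATE)
HIDE = NatRule("hide-inside", INSIDE_GROUP, ANY, HIDE_PUBLIC, "original")

# The order recommended in the post: no NAT, then static, then hide.
RECOMMENDED_ORDER = [NO_NAT, STATIC, HIDE]
# The same rules with the hide rule promoted to the top.
HIDE_FIRST = [HIDE, NO_NAT, STATIC]

if __name__ == "__main__":
    flows = [("10.1.5.5", "192.168.100.20"),   # inside host to a DMZ host
             ("10.1.5.5", "198.51.100.9"),     # inside host to the Internet
             ("198.51.100.9", WEB_PUBLIC)]     # Internet client to the web server
    for order, label in ((RECOMMENDED_ORDER, "recommended"), (HIDE_FIRST, "hide first")):
        print(f"--- {label}")
        for s, d in flows:
            print(f"{s} -> {d}: {translate(order, s, d)}")
        print("shadowed:", shadowed_rules(order))
```

With the recommended order the inside-to-DMZ flow leaves both addresses untouched; with the hide rule on top the same flow is hidden behind the public address, and the shadowing check reports the 'no NAT' rule as unreachable. Running the check over a rule base before pushing it catches exactly that kind of ordering mistake.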





At 10:22 AM 3/30/05 +0200, you wrote:
>Sascha,
>
>you could make it a bit simpler by putting all your internal nets in a
>group (i.e. Internal_nets) and make 1 manual NAT rule instead of 2 dozen,
>using the group.
>Looking like this:
>
>OP-src          OP-dst    OP-srv    TP-src      TP-dst      TP-srv
>Internal_nets   DMZ       Any       Original    Original    Original
>
>
>Dion
>
>> -----Original message-----
>> From: Mailing list for discussion of Firewall-1
>> [mailto:[EMAIL PROTECTED] Sascha
>> Picchiantano
>> Sent: Wednesday 30 March 2005 6:40
>> To: [email protected]
>> Subject: Re: [FW-1] Basic NAT question
>>
>>
>> Hi,
>>
>> ok thanks everyone. That is exactly what I expected and I
>> basically hate
>> it. Because in reality, networks are not that simple. On this
>> occasion,
>> there are about two dozen internal networks that all need to be NATed
>> against the outside, but not NAT against the DMZ. So besides the two
>> dozen automatic NAT rules I now have to add two dozen manual NAT rules
>> to prevent NATting to the DMZ. Wow, how automatic can this be? No day
>> passes without wondering about Checkpoint terminology :-)
>>
>> Ok, to add some more pepper into the mix, what happens if I
>> do need some
>> additional NAT rules, say static ones. As a general rule of
>> thumb, can I
>> say that NAT rules are also processed top to bottom? Or doesn't it
>> matter where I put the rules in the rule base?
>>
>> Thanks for all your input! Appreciate it!
>>
>> Sascha
>>
>> =================================================
>> To set vacation, Out-Of-Office, or away messages,
>> send an email to [EMAIL PROTECTED]
>> in the BODY of the email add:
>> set fw-1-mailinglist nomail
>> =================================================
>> To unsubscribe from this mailing list,
>> please see the instructions at
>> http://www.checkpoint.com/services/mailing.html
>> =================================================
>> If you have any questions on how to change your
>> subscription options, email
>> [EMAIL PROTECTED]
>> =================================================
>>
>
