For R80.x, refer to the "Configuring the NAT Policy" section of the Security Management R80.40 Administration Guide.
Defining Network Address Translation (NAT) via the network object automatically adds Rules to the Network Translation Rule Base. The Translation method can be either "Hide" or "Static".
The Global Properties section for NAT contains an option called "Automatic ARP configuration". Automatic ARP configuration ensures that ARP requests for a translated (NATed) machine, network or address range are answered by the Security Gateway. You no longer have to manually add a route on a Security Gateway to ensure proper routing of Static NAT devices. In addition, there is no longer a need for manual ARP configuration via the $FWDIR/conf/local.arp file on the Security Gateway (details are in sk30197).
Configuring Hide NAT
In Hide NAT, a single public address is used to represent multiple computers on the internal network with private addresses (many-to-one relation). Hide NAT allows connections to be initiated only from the protected side of the Security Gateway that is protecting this object (Check Point, or Externally Managed Gateway or Host, Gateway node, or Host node).
Enabling Hide NAT on the network object will add the appropriate rule to the NAT Rule Base. Perform the following steps to enable Hide NAT for your internal network:
- Log in to SmartDashboard.
- Create the network object for the internal network.
- Define the following fields:
  - Name
  - Network Address
  - Net Mask
  - Comments
  - Color
- Select the NAT tab, and enable the option "Add Automatic Address Translation rules".
- Select the Translation method "Hide".
- Select "Hide behind gateway". This NAT configuration hides the real address behind the IP address of the Security Gateway interface, through which the packet is routed out.
- Click 'OK'.
- Install the Security Policy onto the Gateway that will perform the NAT.
Configuring Static NAT
In Static NAT, each private address is translated to a corresponding public address (one-to-one relation). Static NAT allows machines on both sides of the Security Gateway, protecting this object (Check Point, or Externally Managed Gateway or Host, Gateway node, or Host node), to initiate connections, so that, for example, internal servers can be made available externally.
Static NAT is used for Web, e-mail, and other application servers that require routable public IP addresses. These servers will be routable to the Internet, but will also retain their internal IP addresses for internal access.
Perform the following steps to enable Static NAT for your Web or email server:
- Log in to SmartDashboard.
- Create a Host Node object for the server.
- Define the following fields:
  - Name
  - Real IP address
  - Comment
  - Color
- Select the NAT tab, and enable "Add Automatic Address Translation rules".
- Select the Translation method "Static".
- Enter the desired public IP address in the "Translate to IP address" field. The Translate to IP Address value for Static NAT is a virtual IP address, which is a public (routable) IP address that does not belong to any real machine.
- Click 'OK'.
- Install the Security Policy onto the Gateway that will perform the NAT.
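The behavioural difference between the two translation methods described above (Hide NAT: many-to-one, connections only from the protected side; Static NAT: one-to-one, connections from both sides) and the set of addresses the gateway must answer ARP for under "Automatic ARP configuration", shown as an added Python model. This is example code written for this article, not Check Point code, and it does not reproduce the gateway's real connections table. The gateway interface address, the internal network, the server's real IP and the "Translate to IP address" value are constructed sample addresses (RFC 1918 / RFC 5737), and the `Gateway`, `Packet`, `outbound`, `inbound` and `proxy_arp_addresses` names are this example's own.

```python
"""Model of automatic Hide NAT and Static NAT rules (added example, not Check Point code).

Mirrors the two procedures in the article:
  * a network object with Hide NAT "hide behind gateway" (many-to-one, outbound only)
  * a host node with Static NAT to a virtual public IP (one-to-one, both directions)
All addresses are constructed sample values.
"""
from dataclasses import dataclass, field
import ipaddress
from typing import Optional

GATEWAY_EXTERNAL_IP = "203.0.113.1"               # constructed: gateway external interface
HIDE_NET = ipaddress.ip_network("10.0.0.0/24")    # constructed: internal network object
STATIC_REAL_IP = "10.0.1.5"                       # constructed: real IP of the server host node
STATIC_PUBLIC_IP = "203.0.113.10"                 # constructed: "Translate to IP address" value


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Gateway:
    interface_ips: set                 # addresses the gateway owns outright
    hide_net: ipaddress.IPv4Network    # network object with Hide NAT enabled
    hide_behind: str                   # "Hide behind gateway" -> the egress interface IP
    static: dict                       # real IP -> public (virtual) IP, one entry per host node
    next_port: int = 10000
    # Hide NAT state: (remote ip, remote port, translated source port) -> (real src, real sport)
    hide_table: dict = field(default_factory=dict)

    def proxy_arp_addresses(self) -> set:
        """Addresses the gateway must answer ARP for, i.e. what 'Automatic ARP configuration'
        supplies instead of a hand-written local.arp: every NAT address that is not already
        an interface IP. Hide-behind-gateway reuses the interface address, so it adds nothing."""
        candidates = set(self.static.values()) | {self.hide_behind}
        return candidates - self.interface_ips

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the protected side (no match: forwarded untranslated)."""
        if pkt.src in self.static:                      # Static NAT: one-to-one source rewrite
            return Packet(self.static[pkt.src], pkt.dst, pkt.sport, pkt.dport)
        if ipaddress.ip_address(pkt.src) in self.hide_net:   # Hide NAT: many-to-one, new port
            port = self.next_port
            self.next_port += 1
            self.hide_table[(pkt.dst, pkt.dport, port)] = (pkt.src, pkt.sport)
            return Packet(self.hide_behind, pkt.dst, port, pkt.dport)
        return pkt

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving on the external side; None means nothing matches,
        which is what happens to an unsolicited connection aimed at a Hide NAT address."""
        for real, public in self.static.items():        # Static NAT: anyone may initiate
            if pkt.dst == public:
                return Packet(pkt.src, real, pkt.sport, pkt.dport)
        key = (pkt.src, pkt.sport, pkt.dport)           # Hide NAT: replies to our own traffic only
        if pkt.dst == self.hide_behind and key in self.hide_table:
            real_src, sport = self.hide_table[key]
            return Packet(pkt.src, real_src, pkt.sport, sport)
        return None


def build_gateway() -> Gateway:
    """Gateway configured exactly as the two procedures above leave it."""
    return Gateway(
        interface_ips={GATEWAY_EXTERNAL_IP},
        hide_net=HIDE_NET,
        hide_behind=GATEWAY_EXTERNAL_IP,
        static={STATIC_REAL_IP: STATIC_PUBLIC_IP},
    )


if __name__ == "__main__":
    gw = build_gateway()
    print("proxy ARP needed for:", gw.proxy_arp_addresses())
    out = gw.outbound(Packet("10.0.0.7", "198.51.100.20", 51515, 443))
    print("hide NAT outbound:", out)
    print("reply:", gw.inbound(Packet("198.51.100.20", GATEWAY_EXTERNAL_IP, 443, out.sport)))
    print("unsolicited to hide IP:", gw.inbound(Packet("198.51.100.99", GATEWAY_EXTERNAL_IP, 40000, 22)))
    print("static NAT inbound:", gw.inbound(Packet("198.51.100.99", STATIC_PUBLIC_IP, 40000, 443)))
```

The `inbound` lookup keys the hide table on the remote address and port as well as the translated source port, so a reply is accepted only from the peer the internal host actually contacted; this is the property that makes Hide NAT unreachable from the outside, whereas the Static NAT host is reachable on its virtual IP by anyone the Security Policy allows.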
For more detailed information, refer to the Firewall R77 Administration Guide.