Using "Hide behind IP address" as the translated source object
  • After migrating from Solaris to an IP Series appliance running IPSO, Hide NAT translates the source IP address to the physical IP address of a cluster member instead of the cluster Virtual IP, even though "Hide behind IP address" is configured as the translated source object.

Using the gateway or cluster object's IP address ("Hide behind IP address") as the translated source may have been a workaround in past versions of Check Point.
Functionally, however, it is the same as Automatic Address Translation: granularity and selectivity in enforcing the translation are taken away from the administrator, and the result may be unintended, as in the symptom above.

In complex network environments, where the administrator needs to enforce NAT between different internal and external network segments, it is highly recommended as best practice to explicitly define the source of the translated packet in a NAT rule.
For example, the administrator can create a Host object containing the cluster Virtual IP of the relevant cluster interface and use it as the translated source object in a Manual NAT rule.

Check Point allows this because NAT rules, like security rules, use the defined objects' IP address and netmask to make Layer 3 decisions. An "overlapping" IP address in this additional Host object is therefore not a problem.

Therefore, for complex systems, we recommend that administrators use Manual NAT rules rather than Automatic NAT rules as far as possible, and use additional Host objects in place of Security Gateway / Cluster objects when hiding behind non-external interfaces.
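The following is an added example, not code from the SecureKnowledge article or from Check Point: a small first-match NAT rulebase model in Python that shows why an explicit Host object holding the cluster VIP gives a deterministic translated source, while an automatic hide behind the gateway object has no per-segment selectivity and, in the modelled symptom, is resolved by whichever member enforces it. The addresses, object names, the single-interface cluster members and the way the automatic rule resolves its address are constructed assumptions for illustration only.

```python
"""Added example (not from the article): first-match NAT rulebase model.
Object names, addresses and the modelled behaviour of the automatic rule
are constructed assumptions for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Union

IPv4 = ipaddress.IPv4Address

# Sentinel for an automatic "hide behind gateway" translation (modelled).
HIDE_BEHIND_GATEWAY = "hide-behind-gateway"


@dataclass(frozen=True)
class NetObj:
    """A network object. Only address and netmask take part in the Layer 3
    match, so a Host object that overlaps a cluster interface address is fine."""
    name: str
    network: ipaddress.IPv4Network

    def matches(self, ip: IPv4) -> bool:
        return ip in self.network


def host(name: str, ip: str) -> NetObj:
    return NetObj(name, ipaddress.IPv4Network(ip + "/32"))


def network(name: str, cidr: str) -> NetObj:
    return NetObj(name, ipaddress.IPv4Network(cidr))


@dataclass(frozen=True)
class ClusterMember:
    name: str
    physical_ip: IPv4  # this member's own address on the (only modelled) DMZ interface


@dataclass(frozen=True)
class NatRule:
    name: str
    orig_src: NetObj
    orig_dst: NetObj
    # None: no translation; NetObj: hide behind that object's address;
    # HIDE_BEHIND_GATEWAY: automatic hide behind the enforcing gateway.
    translated_src: Union[NetObj, str, None]


def validate_rulebase(rulebase: List[NatRule]) -> List[str]:
    """Names of hide rules whose translated source is not a single address:
    a hide translation needs exactly one address, i.e. a Host (/32) object."""
    return [r.name for r in rulebase
            if isinstance(r.translated_src, NetObj)
            and r.translated_src.network.prefixlen != 32]


def translate_source(src: str, dst: str, rulebase: List[NatRule],
                     member: ClusterMember) -> str:
    """First-match evaluation for a packet src -> dst enforced on `member`;
    returns the source address after translation."""
    bad = validate_rulebase(rulebase)
    if bad:
        raise ValueError("hide rules need a /32 translated source: %s" % bad)
    s, d = IPv4(src), IPv4(dst)
    for rule in rulebase:
        if not (rule.orig_src.matches(s) and rule.orig_dst.matches(d)):
            continue
        if rule.translated_src is None:
            return src                      # explicit no-NAT rule
        if rule.translated_src == HIDE_BEHIND_GATEWAY:
            # Modelled symptom: the automatic rule is resolved on whichever
            # member enforces it, so that member's physical address is used.
            return str(member.physical_ip)
        return str(rule.translated_src.network.network_address)
    return src                              # no rule matched: unchanged


# Constructed topology (assumption): Internal_Net reaches DMZ_Net through the
# cluster, whose DMZ interface VIP is 10.1.1.1; the members' physical DMZ
# addresses are 10.1.1.2 and 10.1.1.3; the external VIP is 203.0.113.1.
INTERNAL_NET = network("Internal_Net", "10.2.2.0/24")
DMZ_NET = network("DMZ_Net", "10.1.1.0/24")
ANY = network("Any", "0.0.0.0/0")
DMZ_VIP_HOST = host("Cluster_DMZ_VIP", "10.1.1.1")   # overlaps the cluster object
EXT_VIP_HOST = host("Cluster_Ext_VIP", "203.0.113.1")
MEMBERS = (ClusterMember("member_a", IPv4("10.1.1.2")),
           ClusterMember("member_b", IPv4("10.1.1.3")))

# Manual rules: explicit translated source per segment, most specific first.
MANUAL_RULEBASE = [
    NatRule("DMZ to Internal, no NAT", DMZ_NET, INTERNAL_NET, None),
    NatRule("Internal hides behind DMZ VIP", INTERNAL_NET, DMZ_NET, DMZ_VIP_HOST),
    NatRule("Internal hides behind external VIP", INTERNAL_NET, ANY, EXT_VIP_HOST),
]
# Automatic NAT on the cluster object: one rule, no selectivity.
AUTOMATIC_RULEBASE = [
    NatRule("Automatic hide Internal_Net", INTERNAL_NET, ANY, HIDE_BEHIND_GATEWAY),
]


def compare(src: str, dst: str) -> dict:
    """Translated source per member under each rulebase."""
    return {label: {m.name: translate_source(src, dst, rb, m) for m in MEMBERS}
            for label, rb in (("manual", MANUAL_RULEBASE),
                              ("automatic", AUTOMATIC_RULEBASE))}


if __name__ == "__main__":
    for src, dst in (("10.2.2.10", "10.1.1.50"), ("10.2.2.10", "198.51.100.7"),
                     ("10.1.1.50", "10.2.2.10")):
        print(src, "->", dst, compare(src, dst))
```

Under the manual rulebase a packet from Internal_Net to DMZ_Net leaves with source 10.1.1.1 on both members, traffic to anywhere else hides behind the external VIP, and return traffic from the DMZ is left alone by the explicit no-NAT rule at the top. The same packet under the automatic rule takes the enforcing member's physical address in this model, which is the non-deterministic outcome the article describes. The validate_rulebase check is the practitioner's guard: a hide rule whose translated source is a network object rather than a /32 Host is rejected before evaluation.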

Imported from Nokia support database
