FAQ0021: How can I set up static NAT?

Static NAT is used for publishing an internal server that has an invalid (non-public) IP address (image by Check Point).


Static NAT for V4.1 and earlier

 

The steps for defining static NAT are the following:

  1. Create a workstation object for your internal mail server "mailsrvr" with the IP address 10.0.0.1.

  2. Create a workstation object which represents the "mailsrvr" from the outside. This IP address must be an official (public) one; let's say the object is "valid_mailsrvr" with the IP address 199.203.73.245.

  3. Add the "valid_mailsrvr" object to the anti-spoofing configuration of the internal NIC; the reason for this is explained in FAQ0011. For testing purposes you can disable anti-spoofing (set it to Any).

  4. Add the NAT rules; you find them in the "Address Translation" tab of the Security Policy editor. The rule should look like:

  5. Now create a security rule which allows the communication to/from the mail server object you created.

  6. Verify and install the security policy now.

  7. Add a route so that the valid IP address is routed to the internal mail server through the firewall. This is necessary because NAT is the last step in the firewall's processing: the packet is routed before it is translated.
    UNIX: route add 199.203.73.245 10.0.0.1 1
    NT: route add -p 199.203.73.245 10.0.0.1
    Additionally make sure that the UNIX route is not lost after a reboot; put it into an rc2.d start script such as S99addroute.
    This routing works only this way when the two networks are directly connected to the firewall; otherwise you have to specify the router's NIC as the gateway instead of the internal mail server.

  8. Define an ARP entry for the valid IP address. This is necessary so that the external NIC answers the ARP requests for "valid_mailsrvr". Use the MAC address of the external NIC.
    UNIX: arp -s 199.203.73.245 00:A0:24:52:9B:19 pub
    NT: Create a file called local.arp in the $FWDIR/state directory and make an entry like: 199.203.73.245   00:A0:24:52:9B:19

  9. Stop and start the firewall service.
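As an added example (not part of this FAQ and not a Check Point tool), a small Python check for the hand-made plumbing of steps 7 and 8: given the NAT mapping, the host routes and the contents of local.arp, it reports published addresses that lack a host route or a correct published ARP entry. The NAT_MAP, ROUTES and LOCAL_ARP sample data are constructed from the values used above; the function names are my own.

```python
"""Consistency check for the manual static NAT plumbing of FireWall-1 4.1 (steps 7 and 8)."""

# Constructed sample data modelled on the FAQ's values, not taken from a real firewall.
NAT_MAP = {"199.203.73.245": "10.0.0.1"}   # valid (public) IP -> internal server IP
EXTERNAL_MAC = "00:A0:24:52:9B:19"         # MAC address of the firewall's external NIC

# Host routes as (destination, gateway) pairs, e.g. collected from 'netstat -rn'.
ROUTES = [("199.203.73.245", "10.0.0.1")]

# Contents of $FWDIR/state/local.arp (NT) or the published entries from 'arp -a' (UNIX).
LOCAL_ARP = """\
# published ARP entries for static NAT
199.203.73.245   00:a0:24:52:9b:19
"""

def parse_local_arp(text):
    """Return {ip: MAC} from local.arp style text, ignoring blank lines and # comments."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        entries[fields[0]] = fields[1].upper()
    return entries

def check_static_nat(nat_map, routes, local_arp_text, external_mac):
    """Report every published address that lacks a host route or a correct ARP entry."""
    problems = []
    route_table = dict(routes)
    arp_table = parse_local_arp(local_arp_text)
    for valid_ip, internal_ip in nat_map.items():
        gw = route_table.get(valid_ip)
        if gw is None:
            # NAT is the last step, so the untranslated valid IP must already be routable inside
            problems.append(f"{valid_ip}: no host route, packets to it are not forwarded inside")
        elif gw != internal_ip:
            problems.append(f"{valid_ip}: host route points to {gw}, expected {internal_ip}")
        mac = arp_table.get(valid_ip)
        if mac is None:
            # Without a published entry the external NIC never answers ARP for the valid IP
            problems.append(f"{valid_ip}: no published ARP entry on the external NIC")
        elif mac != external_mac.upper():
            problems.append(f"{valid_ip}: ARP entry uses {mac}, expected external NIC {external_mac}")
    return problems

if __name__ == "__main__":
    for issue in check_static_nat(NAT_MAP, ROUTES, LOCAL_ARP, EXTERNAL_MAC) or ["OK"]:
        print(issue)
```

A mistyped route destination (for example 193.203.73.245 instead of 199.203.73.245) shows up as a missing host route, which is exactly the symptom you get when step 7 was done wrong.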

 

Static NAT for NG

With NG everything changed a bit: you don't need to publish ARP entries, add routes or add hosts to the anti-spoofing configuration, at least on Windows NT/2K and Solaris. Linux looks a bit different.

  1. Enable the automatic NAT rules in the firewall's global properties screen.

  2. Define the object you want to translate, with its invalid (internal) IP address.

  3. Switch to the NAT tab and define the IP address that should be published on the external interface of the firewall system.

  4. Have a look at the address translation rules that were generated.

  5. Add the security rules for the mail server traffic.

  6. Install the security policy.

Windows NT / Windows 2000 strangenesses

It may be that the above description does not work with Windows NT / 2K; the reason for this is the "Routing and Remote Access" service you installed. Disable this service and instead set the following flag with regedit:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

IPEnableRouter set to 1

Reboot the machine; it's Windows, you have to! I once even had a firewall system on which this workaround did not work either.

 

Linux strangenesses

On Linux the above description also does not work; there you need to add a host route as you did in earlier days:

route add -host 199.203.73.245 gw 10.0.0.1

For more information about adding routes on Linux see FAQ0209.


Last modification: 08.07.2004 13:03:21

Version at the time of writing: VPN-1/FireWall-1 NG FP2