
Support, Support Requests, Training, Documentation, and Knowledge ... https://supportcenter.checkpoint.com/supportcenter/portal/media-type/...

Solution ID: sk27396 2/3/2015

Defining Hide NAT

Product: Security Gateway


Version: All
Last Modified: 20-Aug-2014

Solution

Hide NAT allows Security Administrators to conceal multiple private IP addresses
behind a single public IP address. Most networks have multiple private IP
addresses that cannot send traffic directly to other hosts on the Internet,
because they do not have publicly routable IP addresses. Using Hide Network
Address Translation (NAT), ALL privately addressed hosts share a single public
IP address when they route traffic on the Internet.

There are two kinds of Hide IP addresses: a virtual address, or the IP address of
the VPN-1/FireWall-1 interface leading to the Internet. The "virtual" address is
an address separate from the VPN-1/FireWall-1 Security Gateway configuration,
and must be routable on the Internet. When Administrators use the leading
interface of the VPN-1/FireWall-1 Gateway as the Hide NAT address, no
additional IP address is necessary. The VPN-1/FireWall-1 interface hides all
internal hosts, and traffic from those hosts appears to emanate from the
Gateway.

Hide NAT Example:

Two privately addressed hosts, 10.1.1.1 and 10.1.1.2, are accessing Web sites
on the Internet. As each HTTP request exits the Gateway, both show a source
address of the Gateway: 172.21.101.1. Although the traffic seems to
emanate from the same source, the HTTP requests are processed by the
Gateway on different ports.

VPN-1/FireWall-1 remembers the ports associated with the requests. When the
reply is returned from the Web site on the Internet, the VPN-1/FireWall-1
Gateway can translate the reply packets to the private IP addresses, based on
the port associated with the reply.

Internal Host Request to External Host:

  Source    Port    Destination  >>> GATEWAY >>>  Source        Port    Destination
  10.1.1.1  15,252  x.x.x.x      >NAT>            172.21.101.1  17,290  x.x.x.x

External Host Reply to Internal Host:

  Source   Destination  Port    <<< GATEWAY <<<  Source   Destination   Port
  x.x.x.x  10.1.1.1     15,252  <NAT<            x.x.x.x  172.21.101.1  17,290

When it performs Hide NAT, the VPN-1/FireWall-1 Gateway dynamically assigns
all port numbers from one of two pools:

- 600 to 1023, or
- 10,000 to 60,000

VPN-1/FireWall-1 tracks the port number changes, and uses the port numbers to
determine how to translate the reply packets sent to the Hide NAT address.
Although port numbers are constantly being assigned to exiting
packets, no source port number can be used by more than one
connection at a time. The limit to the number of simultaneous Hide NAT
connections is 50,000 internal requests to the same external server.
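As an added illustration (not Check Point's code), a small Python model of the translation described above: one hide address, source ports handed out from the two pools named in the article, and replies mapped back by the port the Gateway assigned. It assumes the pool bounds are inclusive and that assigned ports are tracked per external server (the reading suggested by the "50,000 requests to the same external server" limit); the server address 198.51.100.7 used in the test is constructed.

```python
# Model of Hide NAT as described in sk27396 (illustration, not Check Point code).
# A hide address conceals many internal hosts; each new outbound connection is
# given a source port from the two pools, and a reply is translated back using
# that port. Assumption: ports are unique per external server (ip, port).
from dataclasses import dataclass
from itertools import chain
from typing import Optional

POOL_RANGES = [(600, 1023), (10000, 60000)]  # pools named in the article


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class HideNAT:
    def __init__(self, hide_addr: str):
        self.hide_addr = hide_addr
        self.table = {}    # (server_ip, server_port, hide_port) -> (int_ip, int_port)
        self.by_conn = {}  # (int_ip, int_port, server_ip, server_port) -> hide_port

    def _free_port(self, server_ip: str, server_port: int) -> int:
        # Lowest pool port not already in use towards this server.
        for port in chain(*(range(lo, hi + 1) for lo, hi in POOL_RANGES)):
            if (server_ip, server_port, port) not in self.table:
                return port
        raise RuntimeError("Hide NAT port pools exhausted for this server")

    def outbound(self, pkt: Packet) -> Packet:
        # Internal host -> Internet: rewrite the source to hide address + hide port.
        conn = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if conn not in self.by_conn:  # new connection: assign a port once
            port = self._free_port(pkt.dst_ip, pkt.dst_port)
            self.by_conn[conn] = port
            self.table[(pkt.dst_ip, pkt.dst_port, port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.hide_addr, self.by_conn[conn], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # Internet -> hide address: translate back, or drop if no state exists.
        if pkt.dst_ip != self.hide_addr:
            return None
        entry = self.table.get((pkt.src_ip, pkt.src_port, pkt.dst_port))
        if entry is None:
            return None  # unsolicited packet: no connection owns this port
        return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])
```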
