Debug NAT in Checkpoint NGX

Before VPN-1 NGX, all NAT occurred at the “server side” of the kernel, i.e., on
the outbound side of the kernel closest to the server. When NAT occurs in this
configuration, address spoofing and routing must be configured correctly.
As of VPN-1 NGX, the default method for Destination NAT is “client side”,
where NAT occurs on the inbound interface closest to the client. Assume the
client is outside the Gateway, and the server is inside the Gateway with
automatic Static NAT configured. When the client starts a connection to access
the server’s NAT IP address, the following happens to the original packet in a
client-side NAT:
ORIGINAL PACKET
1. The packet arrives at the inbound interface, and passes Security Policy
rules.
2. If accepted, the packet is entered into the connections table.
3. The packet is matched against NAT rules for the destination. The packet is
translated if a match is found.
4. The packet arrives at the TCP/IP stack of the NGX Gateway, and is routed
to the outbound interface.
   The destination is already translated at this point, so the packet is
   routed correctly without any need to add a static route to the Gateway.
5. The packet goes through the outbound interface, and is matched against
NAT rules for the source.
6. NAT takes place, if a match is found for translating the source.
7. The packet leaves the Security Gateway.
REPLY PACKET
1. The reply packet arrives at the inbound interface of the Gateway.
2. The packet is passed by the Policy, since it is found in the connections table.
3. The packet’s destination, which is the source of the original packet, is
translated according to NAT information in the tables.
4. The packet arrives at the TCP/IP stack of the Gateway, and is routed to the
outbound interface.
5. The packet goes through the outbound interface. The packet’s source, the
destination of the original packet, is translated according to the information
in the NAT tables.
6. The packet leaves the Gateway.
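The two flows above, as an added example that is not Check Point code: a small Python model of a client-side NAT gateway. The addresses, interface names and rule contents are constructed assumptions. It shows the reply being accepted from the connections table without a rule-base match, and routing done on the already translated destination, which is why no static route for the NAT IP is needed.

```python
import ipaddress

# Constructed sample topology (assumption, not from the page).
CLIENT, NAT_IP, SERVER = "198.51.100.5", "203.0.113.10", "10.1.1.10"

class ClientSideNatGateway:
    """Toy model of the NGX client-side NAT flow: policy and destination NAT on the
    inbound side, routing on the translated address, source NAT on the outbound side."""

    def __init__(self, routes, dst_nat, src_nat, policy):
        self.routes = {ipaddress.ip_network(p): i for p, i in routes.items()}
        self.dst_nat = dst_nat      # automatic Static NAT: public IP -> internal IP
        self.src_nat = src_nat      # source NAT rules, applied on the outbound side
        self.policy = policy        # allowed (src, dst) pairs as the rule base sees them
        self.connections = {}       # (src, dst) on the wire -> (new_src, new_dst) to apply

    def route(self, dst):
        """Longest-prefix match on the (already translated) destination."""
        addr = ipaddress.ip_address(dst)
        nets = [n for n in self.routes if addr in n]
        return self.routes[max(nets, key=lambda n: n.prefixlen)]

    def forward(self, src, dst):
        """Return (outbound_interface, src, dst) of the packet that leaves, or None if dropped."""
        if (src, dst) in self.connections:            # REPLY 2: known connection, no rule lookup
            new_src, new_dst = self.connections[(src, dst)]
        else:
            if (src, dst) not in self.policy:          # ORIGINAL 1: Security Policy, inbound side
                return None
            new_dst = self.dst_nat.get(dst, dst)       # ORIGINAL 3: destination NAT, client side
            new_src = self.src_nat.get(src, src)       # ORIGINAL 5/6: source NAT, outbound side
            # ORIGINAL 2: connections table, both directions, so the reply is accepted
            # and reverse-translated without consulting the rule base again.
            self.connections[(src, dst)] = (new_src, new_dst)
            self.connections[(new_dst, new_src)] = (dst, src)
        iface = self.route(new_dst)                    # step 4: routed on the translated dst
        return iface, new_src, new_dst                 # source translation applied on the way out

def demo():
    gw = ClientSideNatGateway(
        routes={"10.1.1.0/24": "eth1", "0.0.0.0/0": "eth0"},  # no route for NAT_IP itself
        dst_nat={NAT_IP: SERVER}, src_nat={}, policy={(CLIENT, NAT_IP)})
    original = gw.forward(CLIENT, NAT_IP)              # ('eth1', CLIENT, SERVER)
    reply = gw.forward(SERVER, CLIENT)                 # ('eth0', NAT_IP, CLIENT)
    unsolicited = gw.forward(SERVER, "198.51.100.9")   # None: no table entry, no rule
    return original, reply, unsolicited

if __name__ == "__main__":
    print(demo())
```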