FireWall-1 FAQ: How NAT Works in FireWall-1 NG
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
NAT has changed quite a bit since FireWall-1 4.1. In 4.1 and earlier releases, NAT happened on the server side, meaning that a packet enters the firewall, passes the inbound anti-spoofing and rule checks, gets routed, passes the outbound anti-spoofing and rule checks, then gets subject to NAT. The affect of this is that you must have a proxy-arp for each NAT address and a static route for each destination static NAT address.
In NG, NAT happens on the client side if the appropriate property is enabled and automatic NAT rules are in use. This means a static route isn't necessary. Proxy-arps can also be handled by FireWall-1 automatically. Both properties to enable these features are in the Global Properties, NAT frame. If you prefer manual NAT rules, an objects.C property called 'nat_dst_client_side_manual' is supposed to allow client-side NAT with manual rules. In dbedit, enter the following commands:
modify properties firewall_properties nat_dst_client_side_manual true update properties firewall_properties
Reload the security policy.
Check Point did not make a GUI for this prior to FP3 because it doesn't work well for dual NAT situations (changing both source and destination IP). In NG FP3, it works correctly and there is a GUI entry for this property in the same place as the others.