Checkpoint NAT


I have an external IP address provided by my ISP, who NATs to their own internal range, i.e. - I am looking to hit an internal server on my internal network, i.e. from the Internet.

I can see traffic hitting my firewall as the destination of
Any ideas how to get this working?
deimark commented:
OK, I will give an example of how I would do this and use fictitious IPs here, and we will then be able to transfer that onto your set up.

Set up will be as follows:

WWW  <->   ISP Router  <-->  CP Firewall  <-->  LAN


ISP Router inside IP
CP FW External IP

Web Server

The ISP only has 1 public IP of and will NAT all outgoing connections from the CP FW to
The ISP will also NAT all incoming traffic for to the CP FW and maintain the incoming port, i.e. traffic to is sent to

So, for us to NAT the incoming traffic on port 80 to the web server, we can do it one of 2 ways.

1.  Automatic static NAT
2.  Manual dest nat rules


1.  To action this we must ensure that the ISP is definitely maintaining the destination port of 80!!!  Also, as this is a private range, we should be able to get more IPs from the ISP, this is key to making this work.

So, in this example, we get as extra IPs.  We will ask the ISP to transfer all port 80 traffic that comes into and translate to

The ISP will receive traffic for and forward it on to

On the CP FW, create a host object with IP of and add a static NAT of

This automatic NAT will create 2 NAT rules that will do what we need, i.e. translate all incoming traffic for to the web server, and all outgoing traffic from the web server will be translated to

Option 2

If we cannot get any other IPs from the ISP, we are left with the manual rule creation here.

In this case, the ISP will send all traffic for (no matter the port) to the CP FW of

We can then create a destination NAT rule manually as follows:

Untranslated packet                                                           Translated packet
Src <Public>  Dst (CP FW) Service 80                Src unchanged    Dst Service unchanged

This will ensure that all traffic that hits the firewall on port 80 is then translated to the web server and forwarded on.  As this is dest NAT, no other rules are needed and it only applies to incoming traffic.

Of course, the easiest and best way ahead is to get your ISP to give you public addresses and allow you to manage all your own NAT and connections, but I know that some ISPs can get anal and very unhelpful in this respect.

Does this make any more sense to you?
Should be doable here bud.

I see that you have as your external interface on the firewall and that the ISP is natting through to your firewall.

Do you have a requirement to have a static one-to-one NAT, i.e. you want to have a unique IP address assigned to the internal server on both the public ISP side and the external side 10.15.21.x?

Or do you just want to NAT the incoming connections on specific ports to the internal server?  In CP parlance, do you want to have full static NAT for inbound and outbound connections, or do you just want to apply destination NAT, i.e. traffic to on port 24 (which is NATted to your firewall on port 25) is then NATted to get sent to the internal server on port 25?

As you do not manage the ISP upstream router for the NAT, it may be prudent to do the dest NAT, where we can create manual NAT rules to translate traffic for specific ports onto the internal server.

Let me know the version of your CP install and I can attach the NAT guide, which will help you achieve what you want.
skywalker101 (Author) commented:
CP Version NGX R65 on Nokia

I was looking to do a one-to-one static NAT for inbound and outbound connections. Although after reviewing your comments above, maybe the best option would be destination NAT?

I want to NAT connections on http to straight through to the internal web server.
Public ISP NAT >>>>Internal Server port http
deimark commented:

Hiya bud

I have attached the firewall admin guide, which goes into more detail re the differences in NATs and their common usages.

In short though, if the only connections that you want to NAT are "TO" the internal server, then dest NAT is for you.  If you want to have all outgoing connections from the internal server being NATted using the SAME address as the incoming NAT, then static NAT is the one you want.

Hope this makes it a lil clearer for you.
Sorry, just to add as well: for your web server, if you don't want to initiate connections from the web server to the internet, or don't care what the connections from the web server to the internet are NATted behind, then dest NAT is fine for that.
skywalker101 (Author) commented:

Just want to initiate from the Internet to the web server; not concerned about the web server to the Internet.  Had a look at the attached doc and there seem to be two types of NAT. I am not sure how to do the dest NAT; is this a flavour of static NAT?

1. Static (Static NAT translates each private address to a corresponding public address)
2. Hide (Hide NAT allows only connections that originate on the internal network)
deimark commented:
If you have the extra IPs available, then just use the static NAT option and tell the ISP to forward all port 80 traffic to the static NAT address you use on the web server object.

Dest NAT can be a bit fiddly on occasion, as it is a manual rule creation.
skywalker101 (Author) commented:
My ISP will only NAT to their own internal range, i.e. 10.15.21.x, and I currently do not have any extra IP addresses to play with.
Currently I have my external interface configured as which accepts the traffic on the ISP NATted address.

I think the only option is dest NAT, where manual NAT is configured on the NAT tab within SmartDashboard rather than on the network object?

Have you any pointers in configuring this type of NAT, i.e. original packet source/dest?
skywalker101 (Author) commented:

I have got the static NAT working; what I want to do is to NAT from any external address to the internal web server. Currently I can only get it working in a 1-1.

Original Packet                           Translated Packet
Source      Destination             Source                Destination
public IP
deimark commented:
Are the rules you mention above created by the automatic process, or are they created manually?

Normally, I would say that the translated packet would have an untranslated source, i.e. it would keep the external IP of the client the same and not apply any translation.

Normally, the automatic NAT rules created when we use static NAT are sufficient here, so keen to find out why there is a translation on the source address from the internet.
skywalker101 (Author) commented:
The rules added were manual, as this was the only way I could get it working; when I removed the source for the untranslated packet it would not work.
Also, when I removed the source from the untranslated packet I had to remove the source from the translated packet for the policy to install.
skywalker101 (Author) commented:
I got it working; after running a packet capture on the web server, there was no route back to the source.
deimark commented:
Aha, that makes sense then. :P

Glad to hear its working now.
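As an added example (not code from the thread, from Check Point, or from either poster), here is a small Python model of the two approaches deimark describes (automatic static NAT producing one rule per direction, versus a single manual destination NAT rule that leaves the source unchanged) together with the route-back check behind the author's final fix: because dest NAT keeps the client's public source address, the web server needs a route (typically a default route) back to that address or its replies never leave. The thread's real addresses were stripped from the page, so every address below is a constructed placeholder; only the 10.15.21.x range comes from the thread as the ISP's private range.

```python
"""Toy model of first-match NAT rulebase evaluation (added example, not
Check Point code). All addresses are constructed placeholders."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence, Tuple

ANY = None  # wildcard in a rule field; in the translated columns it means 'Original'

# Constructed placeholders: the ISP's private range 10.15.21.x is from the thread.
FW_EXTERNAL = "10.15.21.2"     # CP firewall external interface (ISP-NATted address)
EXTRA_PUBLIC = "10.15.21.5"    # extra ISP address used for static NAT (option 1)
WEB_SERVER = "192.168.1.10"    # internal web server
CLIENT = "203.0.113.5"         # an Internet client (documentation range)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    """One NAT rulebase line: original-packet match -> translated packet."""
    name: str
    match_src: Optional[str] = ANY
    match_dst: Optional[str] = ANY
    match_dport: Optional[int] = ANY
    xlate_src: Optional[str] = ANY   # ANY = source left 'Original'
    xlate_dst: Optional[str] = ANY   # ANY = destination left 'Original'

    def matches(self, pkt: Packet) -> bool:
        return (self.match_src in (ANY, pkt.src)
                and self.match_dst in (ANY, pkt.dst)
                and self.match_dport in (ANY, pkt.dport))


def static_nat_rules(public_ip: str, server_ip: str) -> List[NatRule]:
    """Automatic static NAT: two rules, one per direction, all ports."""
    return [
        NatRule("static-inbound", match_dst=public_ip, xlate_dst=server_ip),
        NatRule("static-outbound", match_src=server_ip, xlate_src=public_ip),
    ]


def dest_nat_rules(fw_external_ip: str, server_ip: str, port: int) -> List[NatRule]:
    """Manual destination NAT: one inbound rule for one port, source kept."""
    return [NatRule("dest-nat-http", match_dst=fw_external_ip,
                    match_dport=port, xlate_dst=server_ip)]


def apply_nat(rules: Sequence[NatRule], pkt: Packet) -> Tuple[Packet, Optional[str]]:
    """First matching rule wins; returns the translated packet and rule name."""
    for rule in rules:
        if rule.matches(pkt):
            return replace(pkt, src=rule.xlate_src or pkt.src,
                           dst=rule.xlate_dst or pkt.dst), rule.name
    return pkt, None  # no NAT applied


def has_route(routing_table: Sequence[str], dst: str) -> bool:
    """True if some prefix in the host's routing table covers dst."""
    addr = ip_address(dst)
    return any(addr in ip_network(prefix) for prefix in routing_table)


def server_can_reply(routing_table: Sequence[str], inbound: Packet) -> bool:
    """After NAT, the server replies to the (untranslated) source address."""
    return has_route(routing_table, inbound.src)


if __name__ == "__main__":
    inbound = Packet(CLIENT, FW_EXTERNAL, 80)
    translated, rule = apply_nat(dest_nat_rules(FW_EXTERNAL, WEB_SERVER, 80), inbound)
    print(rule, translated)
    # Web server with only its LAN route: the reply to CLIENT has nowhere to go.
    print("reply possible:", server_can_reply(["192.168.1.0/24"], translated))
    print("reply possible:", server_can_reply(["192.168.1.0/24", "0.0.0.0/0"], translated))
```

Running it shows the inbound packet's destination rewritten to the web server while the source stays the client's public address, and that the reply only succeeds once the server's routing table carries a default route, which is the symptom the packet capture in the thread revealed.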