Thursday, January 27, 2011

Checkpoint UTM Firewall Clusters Part 4 - NoNAT Rules

Cisco ASA administrators will be familiar with noNAT rules: the NAT exemption ACLs referenced under `nat 0`. The configuration on a Checkpoint is similar. Using the network groups I created in part 2 of this series,
Checkpoint UTM Firewall Clusters Part 2: Anti-Spoofing

One can create individual NoNAT rules like so:

To prevent NATing between corp_net (192.168.6.0/23) and the DMZ, you can create a pair of rules (make sure they are above your implied rules!):

Of course, you might want to avoid any NATing between internal VLANs/subnets. Using the simple group we created previously, inside_networks (it contains corp_net, eng_net, qa_net, and router net):

That should do it.
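The ordering caveat above ("above your implied rules") is easy to get wrong in a GUI rulebase, so here is an added example, not part of the original post, that models a NAT rulebase as a first-match list and checks two things: what a given flow would be translated to, and whether any NoNAT rule is shadowed by a translating rule placed above it. Only corp_net (192.168.6.0/23) comes from the post; the DMZ prefix, the other inside_networks members, the hide-NAT address and all rule names are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Network objects. corp_net is the prefix given in the post; every other
# prefix is an assumed placeholder for illustration only.
NETWORKS = {
    "corp_net":   ipaddress.ip_network("192.168.6.0/23"),
    "eng_net":    ipaddress.ip_network("192.168.8.0/24"),   # assumed
    "qa_net":     ipaddress.ip_network("192.168.9.0/24"),   # assumed
    "router_net": ipaddress.ip_network("192.168.10.0/24"),  # assumed
    "dmz_net":    ipaddress.ip_network("172.16.0.0/24"),    # assumed
    "any":        ipaddress.ip_network("0.0.0.0/0"),
}

# Simple group as in part 2 of the series: members are network object names.
GROUPS = {
    "inside_networks": ["corp_net", "eng_net", "qa_net", "router_net"],
}


@dataclass
class NatRule:
    name: str
    src: str                          # network object or group name
    dst: str
    translate_src_to: Optional[str]   # None = "Original" (a NoNAT rule)


def members(obj):
    """Expand a group (recursively) into a flat list of ip_network objects."""
    if obj in GROUPS:
        nets = []
        for m in GROUPS[obj]:
            nets.extend(members(m))
        return nets
    return [NETWORKS[obj]]


def matches(obj, addr):
    return any(addr in net for net in members(obj))


def evaluate(rules, src_ip, dst_ip):
    """First-match lookup: returns (rule name, translated source address).
    A NoNAT rule returns the source unchanged; no match also means no NAT."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if matches(r.src, src) and matches(r.dst, dst):
            return r.name, (str(src) if r.translate_src_to is None else r.translate_src_to)
    return "no-match", str(src)


def overlaps(a, b):
    return any(x.overlaps(y) for x in members(a) for y in members(b))


def shadowed_nonat_rules(rules):
    """Names of NoNAT rules that sit below a translating rule covering the
    same src/dst space; those rules can never fire and must be moved up."""
    shadowed = []
    for i, r in enumerate(rules):
        if r.translate_src_to is not None:
            continue
        for earlier in rules[:i]:
            if (earlier.translate_src_to is not None
                    and overlaps(earlier.src, r.src)
                    and overlaps(earlier.dst, r.dst)):
                shadowed.append(r.name)
                break
    return shadowed


# Constructed rulebase: a hide NAT for everything inside, plus the NoNAT pair
# for corp_net <-> DMZ and the inside-to-inside NoNAT rule from the post.
HIDE = NatRule("hide-inside", "inside_networks", "any", "203.0.113.1")  # assumed
NONAT_CORP_DMZ = NatRule("nonat-corp-to-dmz", "corp_net", "dmz_net", None)
NONAT_DMZ_CORP = NatRule("nonat-dmz-to-corp", "dmz_net", "corp_net", None)
NONAT_INSIDE = NatRule("nonat-inside-inside", "inside_networks", "inside_networks", None)

CORRECT = [NONAT_CORP_DMZ, NONAT_DMZ_CORP, NONAT_INSIDE, HIDE]   # NoNAT first
WRONG = [HIDE, NONAT_CORP_DMZ, NONAT_DMZ_CORP, NONAT_INSIDE]     # NoNAT below hide

if __name__ == "__main__":
    for label, rules in (("correct order", CORRECT), ("NoNAT below hide", WRONG)):
        print(label, evaluate(rules, "192.168.7.10", "172.16.0.5"),
              "shadowed:", shadowed_nonat_rules(rules))
```

With the NoNAT rules on top, a corp_net host talking to the DMZ keeps its real address; with the hide rule above them it is translated, and the checker reports the corp-to-DMZ and inside-to-inside rules as shadowed. The DMZ-to-corp rule is not shadowed in the wrong ordering because the hide rule only matches inside-sourced traffic, which is exactly why a one-directional check would miss the problem.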
