Check Point R75 Creating Rules NAT and PAT

In this tutorial we will look at creating a simple rule base from a fresh install of Check Point R75. We will create a basic rule that allows the internal network access to all services outbound and also enable NAT to hide it behind the external IP address of the firewall. Following this rule we will create another rule that PATs Remote Desktop (TCP 3389) from the external interface IP to my Windows 2008 server called server2k8. The lab is set up as follows:


[Lab network diagram]

Creating NAT and PAT Rules with Check Point R75

1. Open up the Check Point SmartDashboard and log in to your firewall management station.

2. First up we’ll be creating a network object that will represent the internal network subnet. Right click on the Network Folder and select Network.

3. Type in a Name, the network address and subnet mask. For object colours I like to use red for external, green for internal and orange for DMZ. If you expand the colours and click Manage you can add red and green.

4. Add in red and green.

5. For my internal LAN I've selected green.

6. Now we'll click on the NAT tab, tick Add Automatic Address Translation rules, select Hide, and select Hide behind Gateway. This will hide the internal network subnet behind the external interface of the gateway. If you are using a DMZ interface, it will also NAT behind the DMZ interface.

7. Now that we've created an object, let's create a few rules. Click on the Rules menu and select Add Rule.

8. Under the source column where it says Any, right click and select Network Object. As you can see we can also add a User or other objects as the source.

9. Select Internal-Lan as our source.

10. Under the Action column, right click and select Accept.

11. Under the Track column select Log so we can see the traffic passing through.

12. Right click under the Comment column and select Edit. You can type any comment you like to help remember what the rule is for.

13. Now add another rule, which must always be at the bottom. This cleanup rule will drop any packet that does not match an earlier rule and also log it. Check Point rules are always processed from top to bottom, and the first match wins.

14. To help organise our Check Point Rule Base a little better we can add in section titles. Right click on the rule where you would like to add a section title above and select Add Section title – Above.

15. As you can see I've added two section titles to my Check Point Rule Base, which makes it much easier to organise rules.

16. If we click on the NAT tab we can see that the NAT we added earlier in step 6 has been automatically added to the NAT rule base for Internal-Lan.

17. Let's add an object for a single server. Right click on Nodes and select Node – Host.

18. Enter the Name, IP address and an optional comment. I've selected the green colour for internal objects. Click OK.

19. I'll create another object that will represent the PAT'd IP address that I'll be using to Remote Desktop from the internet to my internal host.

20. Now let’s create a PAT rule. Under the NAT tab click on the Rules menu and add a new rule at the top.

21. Let's add a destination of External-192-168-1-2 and service Remote_Desktop under the Original Packet column. Under the Translated Packet column, add server2k8 for destination and Remote_Desktop for service. So any IP that tries to use Remote Desktop to 192.168.1.2 will get translated to our internal host server2k8, 192.168.10.10, for Remote_Desktop 3389.

22. After creating the PAT rule we now need to create the firewall rule. Click on the Firewall tab, add a new section title of External-Internal and add a rule with destination External-192-168-1-2, service Remote_Desktop, Action Accept and Track Log. Note that the destination is the external (pre-NAT) address, not server2k8, because the security rule base is matched on the original packet before NAT is applied.
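To make the ordering in steps 13, 21 and 22 concrete, here is an added example (my own Python model, not Check Point code) of the lab rule base: first-match evaluation top to bottom with the cleanup rule last, and NAT applied only after the security rule has matched on the original destination. The /24 mask for Internal-Lan and the test addresses are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed model of this tutorial's lab (added example, not Check Point code).
# The /24 mask for Internal-Lan is an assumption; the page only names the hosts.
INTERNAL_LAN = ip_network("192.168.10.0/24")
SERVER2K8 = ip_address("192.168.10.10")      # internal Windows 2008 host
EXTERNAL_IP = ip_address("192.168.1.2")      # External-192-168-1-2 object
RDP = 3389                                   # Remote_Desktop service

def in_obj(obj, addr):
    """Match an address against Any, a network object or a host object."""
    if obj == "Any":
        return True
    if isinstance(obj, type(INTERNAL_LAN)):
        return ip_address(addr) in obj
    return ip_address(addr) == obj

# Security rule base, top to bottom; the explicit cleanup rule is last (step 13).
# Tuple layout: (name, source, destination, service, action)
RULES = [
    ("Internal-External", INTERNAL_LAN, "Any", "Any", "accept"),
    ("External-Internal", "Any", EXTERNAL_IP, RDP, "accept"),
    ("Cleanup", "Any", "Any", "Any", "drop"),
]

def first_match(rules, src, dst, dport):
    """Rules are processed top to bottom; the first match decides."""
    for name, r_src, r_dst, svc, action in rules:
        if in_obj(r_src, src) and in_obj(r_dst, dst) and svc in ("Any", dport):
            return name, action
    return "implicit-drop", "drop"           # only reached without a cleanup rule

def translate(src, dst, dport):
    """NAT rule base: the manual PAT rule sits above the automatic hide rule."""
    if ip_address(dst) == EXTERNAL_IP and dport == RDP:    # step 21
        return src, str(SERVER2K8)
    if ip_address(src) in INTERNAL_LAN and ip_address(dst) not in INTERNAL_LAN:
        return str(EXTERNAL_IP), dst                         # step 6, hide behind gateway
    return src, dst

def process(src, dst, dport, rules=RULES):
    """Policy is matched on the ORIGINAL packet, NAT is applied afterwards, which
    is why the step 22 rule names External-192-168-1-2 and not server2k8."""
    name, action = first_match(rules, src, dst, dport)
    if action != "accept":
        return {"rule": name, "action": action, "src": src, "dst": dst}
    t_src, t_dst = translate(src, dst, dport)
    return {"rule": name, "action": action, "src": t_src, "dst": t_dst}
```

Swap the External-Internal rule's destination for SERVER2K8 and inbound RDP falls through to the cleanup drop, the classic symptom of writing the rule against the post-NAT address.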

23. Click on the box that says Verify Policies. Your Check Point Rule Base will be checked for any errors or misconfiguration before applying.

24. Click Ok.

25. Click Save and continue.

26. Click Ok.

27. Policy Verification is Ok. Click Ok.

28. Now it’s time to Install our policy. Click Install Policy.

29. Click Ok.

30. The policy was installed successfully. Click Close.

31. Click on the Window menu and select SmartView Tracker.

32. The Check Point SmartView Tracker is where all the logging happens. To demonstrate accessing a webpage from my server2k8 server I simply browsed to www.google.com.au which produced the following logs.

33. You can double click on a log entry and display more information.

34. Now let's try our Remote Desktop rule. I will Remote Desktop from a PC out on the internet to 192.168.1.2.

35. As you can see in the log the packet is allowed and I can connect via remote desktop to the server.

Disclaimer:
All the tutorials included on this site are performed in a lab environment to simulate a real world production scenario. As everything is done to provide the most accurate steps to date, we take no responsibility if you implement any of these steps in a production environment.
