Troubleshooting guide

Chapter 3: Troubleshooting Network Address Translation
Advanced Technical Reference Guide 4.1, June 2000
Introduction
Network Address Translation (NAT) involves replacing one IP address in a packet by another IP address. NAT
is used in two cases:
1. The network administrator wishes to conceal IP addresses in the internal networks from the Internet
2. The IP addresses of the internal network use invalid Internet addresses. That is, as far as the Internet is
concerned, these addresses belong to another network or use a private address range.
This chapter provides additional information about Address Translation that is not covered in the User Guides.
Resolving Common NAT Problems
This section lists some common problems and their solutions from the Check Point Technical Services
SecureKnowledge knowledge base.
Optimizing Network Performance with NAT
Access to state tables is a major factor in the performance overhead of Network Address Translation (NAT).
By increasing the limit and hash-size of the two NAT tables, you may be able to improve Address Translation
performance; see especially the "fwx_backw table" (page 150) and the "fwx_forw table" (page 150) in
"Appendix A: State Tables for VPN-1/FireWall-1 4.0".
The hash-size should be a power of 2, chosen so that the normal number of entries in the table is lower
than 2*hashsize.
How to NAT (Network Address Translate) a DMZ host accessed by external hosts without applying the NAT on the internal network
Use the following Rule Base:
                           Original Packet                      Translated Packet
No  Source           Destination      Service    Source                 Destination  Service
1   DMZ              DMZ              Any        =                      =            =
2   InternalNetwork  InternalNetwork  Any        =                      =            =
3   DMZ              InternalNetwork  Any        =                      =            =
4   InternalNetwork  DMZ              Any        =                      =            =
5   DMZ              Any              Any        DMZ-Static             =            =
6   InternalNetwork  Any              Any        InternalNetwork-Hide   =            =
With this rule base, DMZ addresses are not translated when the destination is the Internal Network, and are
translated otherwise. If the Internal Network is not translated, you can omit rules 2, 4 and 6.
See the SecureKnowledge Solution (ID: 36.0.1738860.2502469) in the Check Point Technical Services site.
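The rule base above works only because Address Translation rules are evaluated in order and the first match wins, so the "=" (no translation) rules for traffic between DMZ and Internal Network must sit above the DMZ-Static and InternalNetwork-Hide rules. The following Python simulation is an added example, not code from the guide or from Check Point: it encodes the six rules, applies them to a few constructed packets, and also shows the effect of the wrong rule order and of omitting rules 2, 4 and 6. All addresses, the one-to-one static range and the hide address are assumptions chosen for the illustration; the guide names the objects but gives no addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = "Any"

# Network objects for the example (constructed addresses; the guide gives none).
DMZ = ipaddress.ip_network("192.168.10.0/24")
INTERNAL = ipaddress.ip_network("10.1.0.0/16")
DMZ_STATIC_RANGE = ipaddress.ip_network("203.0.113.0/24")   # DMZ-Static: one-to-one onto this range
INTERNAL_HIDE_ADDR = ipaddress.ip_address("203.0.113.254")  # InternalNetwork-Hide: single hiding address


@dataclass
class NatRule:
    no: int
    orig_src: object          # network object or ANY
    orig_dst: object
    xlate_src: Optional[str]  # None stands for "=" (source left as in the original packet)


def _matches(obj, addr) -> bool:
    return obj is ANY or addr in obj


def translate_source(method: str, src):
    """Apply the named translation method to a source address."""
    if method == "DMZ-Static":
        # Static NAT keeps the host part and swaps the network part.
        offset = int(src) - int(DMZ.network_address)
        return ipaddress.ip_address(int(DMZ_STATIC_RANGE.network_address) + offset)
    if method == "InternalNetwork-Hide":
        # Hide NAT maps every internal host onto one address.
        return INTERNAL_HIDE_ADDR
    raise ValueError(f"unknown translation {method}")


def apply_nat(rules, src: str, dst: str) -> Tuple[Optional[int], str]:
    """First matching rule wins, as in the FireWall-1 Address Translation rule base.
    Returns (matched rule number or None, translated source address)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if _matches(r.orig_src, s) and _matches(r.orig_dst, d):
            new_src = s if r.xlate_src is None else translate_source(r.xlate_src, s)
            return r.no, str(new_src)
    return None, src  # no rule matched: the packet leaves untranslated


# The rule base from the table above, in order.
RULES = [
    NatRule(1, DMZ, DMZ, None),
    NatRule(2, INTERNAL, INTERNAL, None),
    NatRule(3, DMZ, INTERNAL, None),
    NatRule(4, INTERNAL, DMZ, None),
    NatRule(5, DMZ, ANY, "DMZ-Static"),
    NatRule(6, INTERNAL, ANY, "InternalNetwork-Hide"),
]

# Variant for an untranslated internal network: rules 2, 4 and 6 omitted.
RULES_NO_INTERNAL_NAT = [r for r in RULES if r.no in (1, 3, 5)]

# Wrong order: the translation rules come first, so the "=" rules are never reached.
RULES_BAD_ORDER = [RULES[4], RULES[5]] + RULES[:4]


if __name__ == "__main__":
    for src, dst in [("192.168.10.5", "10.1.2.3"), ("192.168.10.5", "198.51.100.7"),
                     ("10.1.2.3", "198.51.100.7"), ("10.1.2.3", "192.168.10.5")]:
        print(src, "->", dst, "correct order:", apply_nat(RULES, src, dst),
              "bad order:", apply_nat(RULES_BAD_ORDER, src, dst))
```

Running the block prints, for each constructed packet, the rule that matched and the resulting source address under both orderings; with the translation rules moved to the top, a DMZ host talking to the Internal Network is statically translated, which is exactly what the rule base is meant to prevent.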