Saturday, June 28, 2008

350-001 testking, 640-802 dumps and VCP-310

You are a Security Administrator configuring Static NAT on an internal host-node
object. You clear the box "Translate destination on client side", accessed from
Global Properties > NAT settings > Automatic NAT. Assuming all other Global
Properties NAT settings are selected, what else must be configured for automatic
Static NAT to work?

A. The NAT IP address must be added to the anti-spoofing group of the external
Gateway interface
B. Two address-translation rules in the Rule Base
C. No extra configuring needed
D. A proxy ARP entry, to ensure packets destined for the public IP address will reach the
Security Gateway's external interface
E. A static route, to ensure packets destined for the public NAT IP address will reach the
Gateway's internal interface
Answer: E
Explanation:
If you clear the box "Translate destination on client side", the NAT will be performed on the
internal interface side of your firewall rather than the external interface, and packets will
not get to the firewall's internal interface, because the routing on the firewall would send packets
bound for the public IP to the external interface. So you need to add a static route to point the
NAT rule's public IP to the internal interface of the firewall so that the NAT can be
performed.

From Check Point Online Help:

Translate destination on client side applies to packets originating at the client, with the
server as its destination. Static NAT for the server is performed on the client side.

In Check Point Gateways prior to version NG, Static NAT for the server ("Static
Destination Mode NAT") was performed on the server side of the gateway, which
required special handling for anti-spoofing and internal routing.
