Difference Between Object Based NAT and Table Based NAT in Checkpoint

This article discusses the difference between the two types of NAT that can be configured on a Check Point firewall. NAT (Network Address Translation) is the idea of translating an IP address in the IP packet header, and it is mainly used to provide communication between a private network and a public network.

NAT can be configured on many kinds of devices (routers, firewalls, etc.), and configuring it is one of the simplest processes, especially on a Check Point firewall. On Check Point, NAT can be configured in two different ways:

  1. Object Based
  2. Table Based

1. Object Based

  1. Create a node or network object in the Check Point firewall.
  2. Open the object and tick the option “Add Automatic Address Translation”.
  3. Save the object.
  4. A NAT rule is then implemented automatically for the above object.
  5. Install the policy.

That’s it. Now the private network or host represented by the object can communicate with the public network.

2. Table Based

  1. Go to the NAT policy tab.
  2. Create a new rule in the NAT policy.
  3. Add the network or host object as the source in the Original Packet section.
  4. Create a new host object for the IP address of the external interface of the Check Point firewall.
  5. Add the object created in the previous step as the source in the Translated Packet section.
  6. Once it is added, select Hide mode on that translated source.
  7. Install the policy.

That’s it. Now the private network or host represented by the object can communicate with the public network.

But there is a difference. If we enable NAT on the object, it is not possible to specify the service separately, which means the node or network of the object can use any service to reach any host on the public network. Furthermore, the NAT rule generated for the object cannot be modified in the NAT table.

If we enable NAT by creating a rule manually in the NAT table, it is possible to set the destination object in the Destination column and the service object in the Service column, and the rule can be modified at any time in the table. So we can decide which host can communicate with which destination over which service.
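To make that difference concrete, the following is a small model of the two resulting NAT rule bases and how they treat the same outbound packets. It is an added example, not Check Point's own code or configuration; the object names, addresses, and the simplified exact-match service comparison are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "Any"  # the Any object in the Original Packet columns


@dataclass(frozen=True)
class NatRule:
    """One row of the NAT rule base: Original Packet columns plus Translated Source."""
    orig_src: str       # source network object, e.g. "10.1.0.0/24"
    orig_dst: str       # destination host object (CIDR) or ANY
    orig_service: str   # service object, written "proto/port" here, or ANY
    xlate_src: str      # hide address: the firewall's external interface
    comment: str = ""


def matches(rule: NatRule, src: str, dst: str, service: str) -> bool:
    """Original Packet match; service matching is simplified to exact name equality."""
    return (ip_address(src) in ip_network(rule.orig_src)
            and (rule.orig_dst == ANY or ip_address(dst) in ip_network(rule.orig_dst))
            and (rule.orig_service == ANY or rule.orig_service == service))


def translate(rulebase, src, dst, service):
    """First matching rule wins. Returns the hidden source address, or None when no
    rule translates the packet (it would leave with its private source and get no reply)."""
    for rule in rulebase:
        if matches(rule, src, dst, service):
            return rule.xlate_src
    return None


# Constructed objects (RFC 5737 documentation addresses), assumptions for this example
LAN = "10.1.0.0/24"              # internal network object
EXT_IF = "203.0.113.2"           # host object for the firewall's external interface
DNS_SERVER = "198.51.100.53/32"  # the one public host the LAN is meant to reach

# Object based: ticking "Add Automatic Address Translation" on LAN yields an any/any hide rule
AUTO_RULEBASE = [NatRule(LAN, ANY, ANY, EXT_IF, comment="generated, not editable in the table")]

# Table based: the same hide translation, but Destination and Service are filled in
MANUAL_RULEBASE = [NatRule(LAN, DNS_SERVER, "udp/53", EXT_IF, comment="manual, editable")]

if __name__ == "__main__":
    for name, rb in (("object based", AUTO_RULEBASE), ("table based", MANUAL_RULEBASE)):
        for dst, svc in (("198.51.100.53", "udp/53"), ("192.0.2.80", "tcp/22")):
            print(f"{name:13} 10.1.0.7 -> {dst:14} {svc:7}: {translate(rb, '10.1.0.7', dst, svc)}")
```

With the object-based rule every destination and service is hidden behind the external interface, while the table-based rule only translates DNS traffic to the one permitted server and leaves everything else untranslated.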
