TTechclick All lessons
Check Point · NAT & Translation · NAT Rule BaseInteractive · L1 / L2

Check Point NAT — Auto vs Manual, Hide vs Static, and the Proxy-ARP Trap

Static NAT created, server pings, but the world can't reach it. Why? Because Check Point's NAT rule base has 5 ordered tiers, anti-spoofing runs before NAT, and Manual NAT in the gateway subnet silently needs a Proxy-ARP entry that doesn't auto-create. Pick a NAT type, watch the packet header transform live, master it in 12 minutes.

📅 2026-05-26 · ⏱ 12 min · 2 animated tracers + 8 flip cards · 🏷 10-Q assessment + AI Tutor inline

Pick a NAT type — jump straight to it

1

Hide NAT (PAT)

Many private IPs → one public IP. Outbound only. The default rule on 80% of corporate networks.

 2

Static NAT

1:1 bidirectional mapping. Publish a server. Bring incoming traffic to it.

 3

Rule Base Order

5-tier evaluation order. Auto wins over Manual. The CCSA exam loves this.

 4

Troubleshoot

Proxy-ARP traps · anti-spoofing pre-NAT · fw monitor stages · NAT-in-VPN.

The one rule that confuses every L1 candidate

Interview question: "Static NAT for the web server is configured. It pings from inside. Internet users can't reach it. Why?"
Wrong answers Ram has heard: "Firewall rule missing." "DNS not resolved." "ISP blocking 443." Sometimes one of those is true — but 9 out of 10 times the real cause is one of these three: missing Proxy-ARP entry, anti-spoofing rejecting pre-NAT IP, or rule-base order putting a manual hide rule in front of the static. Knowing which one in 30 seconds is what separates L1 from L2.

💡 The hotel front-desk analogy (the only mental model you need)

A 200-room Lucknow hotel has one phone number printed on Google. Guests in 200 rooms can all dial out — the front desk rewrites caller-ID to the hotel's main line and keeps a register: "Mr Sharma's call from Room 142 just placed → I'll route the reply back to Room 142". That's Hide NAT. Many to one. Outbound only. The world can't dial INTO a specific room.

Now imagine the same hotel publishes a dedicated counter for VIPs: "Counter 7, Mr Sharma". The counter has its own listed number. Anyone outside can dial Counter 7 directly and reach Mr Sharma. Mr Sharma can dial out from Counter 7 too. That's Static NAT. One to one. Both directions. Useful for publishing servers.

3 things you'll be tested on before we begin

Automatic NAT
tap to flip

Generated by SmartConsole from the NAT tab of an Object (Host / Network / Range). One checkbox → 1 or 2 rules in the NAT Rule Base, plus auto-Proxy-ARP, plus auto-route hint. Static creates 2 rules; Hide creates 1.

Manual NAT
tap to flip

Hand-written rule: Original Src / Dst / Svc → Translated Src / Dst / Svc. Used for any-to-any, port translation, dual-NAT, and VPN exceptions. First match wins. Proxy-ARP is NOT auto-created (unless you set a global flag — sk114395).

📞
Hide NAT
tap to flip

Many → one (PAT). Source port re-mapped to track sessions. Inbound new connections are BLOCKED — only return traffic of a flow the inside host started. Protocols: TCP / UDP / ICMP only.

🎯
Static NAT
tap to flip

1:1 bidirectional. Outside hosts CAN initiate to the translated IP — publishing servers. Works with TCP, UDP, ICMP, IPsec, GRE, IGMP. Symmetric translation.

Auto vs Manual NAT decision tree Decision diamond — do you need port translation, dual-NAT, or any-to-any? Yes leads to Manual NAT; no leads to Automatic NAT. Auto vs Manual NAT — which do you need? Need to NAT?Start here Port translation OR dual-NAT OR any-to-any? YES Manual NAT first-match · tier 5 NO Automatic NAT tiers 1-4 · auto Proxy-ARP Both can coexist. Auto evaluates BEFORE Manual. Convert auto → manual if you need explicit order control.
Figure 1 — Auto vs Manual NAT. Default to Automatic for simplicity. Switch to Manual when you need port translation or explicit rule order.

① Hide NAT — the rule every corporate network ships by default

500 laptops at Wipro share one ISP link with the public IP 203.0.113.5. Every outbound HTTPS/DNS/SMTP session gets PAT'd through that one IP. The firewall keeps a stateful table mapping (internal-IP, internal-port) → (203.0.113.5, rewritten-port). When Google replies to 203.0.113.5:62117, the firewall looks up the table and ships the reply back to Sneha's laptop on its original port.

To enable: open the Network object for 10.20.5.0/24 → NAT tab → tick "Add Automatic Address Translation rules" → Translation Method = Hide → Hide behind the Gateway's external IP (or a specific IP). Install Policy. Done.

What you can't do with Hide NAT

You can't publish a server. Hide NAT is one-way only — outbound flows initiate; inbound new connections die at the firewall. For that you need Static NAT (next section). And don't try to Hide-NAT IPsec or GRE — Hide only works for TCP/UDP/ICMP. For protocol pass-through use Static or IP Pool NAT.

▶ Watch a Hide-NAT'd packet leave the firewall

Sneha at Wipro browses Google. Source port re-mapped, source IP becomes the firewall's external IP. Press Play.

① INGRESS 10.20.5.50:512348.8.8.8:443
From Sneha's laptop on the LAN interface.
② ANTI-SPOOFING Source 10.20.5.50 is checked against the interface topology. LAN interface lists 10.20.5.0/24 → match. Pass.
③ POLICY MATCH Rule "Allow LAN to Internet" matches src=LAN, dst=Internet, svc=HTTPS → Accept.
④ NAT RULE MATCH Auto Hide NAT rule for 10.20.5.0/24 matches. Translation: source → 203.0.113.5, source port → re-mapped from PAT pool.
⑤ TRANSLATE & EGRESS 203.0.113.5:621178.8.8.8:443
Google sees only the firewall's IP. Reply will come to the same (IP, port) and the NAT table will route it back to Sneha.
Press Play to watch the Hide-NAT trace. Each press of Next advances one stage.
Quick check · Q1 of 10

Rahul at TCS configures Hide NAT for the LAN. The CFO opens a ticket: "External vendor can't connect to my desktop's RDP from home". What's the fundamental issue?

Correct: c. Hide NAT is unidirectional — outbound flows initiate, return traffic is allowed. New inbound connections have no entry in the NAT table to match → silently dropped. Fix: Static NAT for the CFO's desktop (publish it as a public IP) OR push him through a VPN. Best practice: VPN — don't publish an internal user's RDP directly.

② Static NAT — publishing a server, with the proxy-ARP catch

Static NAT maps one private IP to one public IP, both directions. When you configure it via the object's NAT tab, SmartConsole creates two auto-NAT rules:

  1. Outbound: internal → external rewrites source 10.50.5.10203.0.113.10
  2. Inbound: external → internal rewrites destination 203.0.113.1010.50.5.10

For inbound traffic to actually arrive, the upstream ISP router must believe the gateway "owns" 203.0.113.10. That's where Proxy-ARP comes in. With Automatic NAT, Proxy-ARP auto-installs when (a) the global Auto-ARP flag is enabled AND (b) the translated IP is in the same subnet as a gateway interface. Skip either and traffic vanishes.

Common mistake — Manual NAT in the gateway subnet without Proxy-ARP

You wrote a Manual NAT rule for a Static publish. The translated IP 203.0.113.10 is in the same subnet as the gateway's external interface 203.0.113.1. Without a Proxy-ARP entry, the upstream router ARPs for .10, gets no reply, traffic black-holes. Auto-NAT would have handled this; Manual NAT will NOT unless you set the global flag from sk114395 or manually add the ARP.

The Proxy-ARP fix (CLI, in Gaia)

clish — add Proxy-ARP for a Manual NAT 
add arp proxy ipv4-address 203.0.113.10 interface eth0 real-ipv4-address 203.0.113.1
save config
Verify in expert mode 
fw ctl arp
proxy 203.0.113.10 (00:1c:7f:00:00:01) on eth0

▶ Watch an inbound Static-NAT'd packet reach the server

External user reaches https://webapp.infosys.in. DNS resolves to 203.0.113.10. Press Play to see the destination get rewritten.

① INGRESS 122.176.45.89:54123203.0.113.10:443
Customer in Bengaluru hits the public IP. Arrives on the external interface.
② ANTI-SPOOFING (pre-NAT) Source 122.176.45.89 checked against external-interface topology. Internet sources are expected here → Pass.
③ NAT MATCH (destination) Auto Static NAT rule fires: 203.0.113.1010.50.5.10. Destination will be rewritten at egress to DMZ.
④ POLICY MATCH Rule "Allow Web Pub" — src=Any, dst=10.50.5.10 (real IP, not public), svc=HTTPS → Accept.
⑤ TRANSLATE & FORWARD 122.176.45.89:5412310.50.5.10:443
DMZ interface egress. Web server sees the real client IP intact and replies through the firewall.
Watch where anti-spoofing fires (pre-NAT — original source) vs where the destination gets translated (after NAT match).
Quick check · Q2 of 10

Priya configured Static NAT (Manual rule) to publish a DMZ server. External pings to the public IP get no reply, even though the policy rule shows Accept. What's the first thing to check?

Correct: d. Manual NAT in the same subnet as the gateway's external interface needs a Proxy-ARP entry. Without it, upstream routers ARP for the NAT IP and get no reply. Auto NAT installs Proxy-ARP automatically; Manual does not (unless you enable the sk114395 global flag).
Proxy-ARP requirement decision matrix 3 scenarios — Auto NAT same-subnet, Manual NAT same-subnet, Manual NAT different-subnet — and whether each needs Proxy-ARP. Proxy-ARP — when you need it, when you don't Auto NAT (same gateway subnet) ✓ AUTO SmartConsole installs Proxy-ARP automatically if NAT Global Properties Manual NAT (same gateway subnet) ✗ MANUAL clish: add arp proxy ... OR enable sk114395 flag Most-missed L1 step Any NAT (different subnet) N/A No Proxy-ARP needed Upstream needs a static route to the NAT IP
Figure 2 — Proxy-ARP decision matrix. Auto NAT in gateway subnet = auto Proxy-ARP. Manual NAT same subnet = YOU add it. Different subnet = static route upstream.

③ The 5-tier NAT Rule Base order (CCSA's favourite question)

When both Auto and Manual NAT exist, the gateway evaluates rules in this exact order:

1 Auto Static NAT for Gateway / Host objects AUTO
2 Auto Hide NAT for Gateway / Host objects AUTO
3 Auto Static NAT for Network / Address-Range objects AUTO
4 Auto Hide NAT for Network / Address-Range objects AUTO
5 Manual NAT rules (first match wins) MANUAL
Mnemonic — "Ashok Aaya Aage Aage, Manual Peeche"

A.S → A.H → A.S → A.H → Manual. Hindi/Hinglish memory cue. Yes, it's silly. Yes, you'll remember it five years from now.

The L1 trap: someone writes a Manual Hide rule for a network and expects it to override an Auto Static for a host inside that network. It doesn't. Auto Static for the host (tier 1) fires before Manual (tier 5). The fix is to either convert the auto rule to manual (so everything is in tier 5 and order is visible), or exclude the host from the manual rule's source range.

The 4 NAT methods compared (cheat-sheet)

🎯
Static
tap

1:1 bidirectional. Both sides initiate. Works with TCP/UDP/ICMP/IPsec/GRE/IGMP. Publishing servers (DMZ web, mail, SAP).

📞
Hide behind GW
tap

Many → gateway's own external IP. Cheapest outbound NAT. Inbound-only blocked. Default lab choice.

📌
Hide behind IP
tap

Many → a chosen public IP (not the GW IP). Use when ISP gave a dedicated outbound IP for logging/reputation. Needs Proxy-ARP or upstream route.

🎰
IP Pool
tap

Many → pool of public IPs (round-robin). Bidirectional. Supports IPsec/GRE/IGMP. MEP VPN, X11 back-connections, one-conn-per-IP protocols.

fw monitor 4-stage inspection points + NAT visibility Linear flow showing i (pre-inbound), I (post-inbound, post-DNAT), o (pre-outbound), O (post-outbound, post-SNAT) with which NAT changes are visible at each. fw monitor — 4 inspection points + where NAT happens i I o O pre-inbound PRE-NAT original src + dst post-inbound POST-DNAT dst rewritten here pre-outbound PRE-SNAT src still original post-outbound POST-SNAT src rewritten here DNAT SNAT Run: fw monitor -e 'accept host(10.20.5.50);' -m iIoO — see all 4 stages
Figure 3 — fw monitor 4 inspection points. DNAT happens between i and I. SNAT happens between o and O. R80.20+ sees SecureXL packets natively.

④ The troubleshooting playbook — fw monitor stages

The most powerful NAT debug tool on Check Point is fw monitor. It captures packets at four inspection points relative to the firewall kernel:

Inspection points (i, I, o, O) 
i  (small i) — pre-inbound  : before FW VM, ingress side. Original src/dst.
I  (cap I)   — post-inbound : after FW VM, ingress. Post-DNAT visible from here.
o  (small o) — pre-outbound : before FW VM, egress. Pre-SNAT.
O  (cap O)   — post-outbound: after FW VM, egress. Post-SNAT visible only here.

What gets rewritten where:

Real syntax — debug a NAT decision for a specific host 
fwaccel off    # only if you need to see SecureXL flows (R80.20+ usually unnecessary)
fw monitor -e 'accept host(10.50.5.10);' -m iIoO -o /var/log/nat_debug.cap
fwaccel on
What a passing flow looks like 
[vs_0][fw_2] eth0:i[60]: 122.176.45.89 -> 203.0.113.10 (TCP)
[vs_0][fw_2] eth0:I[60]: 122.176.45.89 -> 10.50.5.10  (TCP)   ← post-DNAT
[vs_0][fw_2] eth1:o[60]: 122.176.45.89 -> 10.50.5.10  (TCP)
[vs_0][fw_2] eth1:O[60]: 122.176.45.89 -> 10.50.5.10  (TCP)   ← egress to DMZ
Quick check · Q3 of 10

Karthik runs fw monitor -m iIoO for an outbound flow and sees the original LAN IP at every stage — no SNAT. The NAT rule clearly exists and is enabled. Most likely cause?

Correct: a. Pre-R80.20 SecureXL flows bypass the slow-path FW VM that fw monitor taps into, so the capture misses them. Either disable SecureXL temporarily (fwaccel off) or upgrade — R80.20+ fw monitor sees SXL packets natively.
Anti-spoofing runs BEFORE NAT — pre-NAT source check Sequence showing packet ingress — Anti-spoofing checks source against pre-NAT topology — NAT happens after. Anti-Spoofing runs BEFORE NAT — checks PRE-NAT source ① Ingresspkt arrives on iface ② Anti-Spoofingchecks PRE-NAT src vs topology ③ NAT matchrule fires ④ Translateaddr rewritten Common L1 fail: Interface topology lists POST-NAT public range instead of PRE-NAT internal range. Anti-spoofing drops every inbound connection from the inside. Log reason = "Address spoofing".
Figure 4 — Anti-spoofing + NAT order. Topology MUST list pre-NAT internal subnets. Post-NAT public range behind internal interface = self-DoS.

Anti-spoofing + NAT — the trap that sinks 30% of static-NAT debugs

Anti-spoofing runs BEFORE NAT on ingress. It checks the source IP of the packet as it arrives — i.e. the pre-NAT (original) source. So the interface's topology must list the pre-NAT networks that legitimately arrive on that interface.

The fail pattern: you publish a server with Static NAT 10.50.5.10 → 203.0.113.10 on DMZ interface. Then the inside DMZ topology gets set to "Network defined by gateway IP and Net Mask" which somehow now includes 203.0.113.0/24 instead of 10.50.5.0/24. Anti-spoofing sees inbound traffic with src=122.176.45.89, says "not in my DMZ topology", drops. Log reason: Address spoofing.

Common mistake — Anti-spoofing topology with post-NAT network

Put the post-NAT (public) range behind the internal interface? Anti-spoofing drops every connection from the inside that just got its source NAT'd. The right answer is to list the pre-NAT internal subnets in the topology — Anti-spoofing runs on original addresses.

NAT-in-VPN — the checkbox most engineers miss

You build a site-to-site VPN. Tunnel comes up. Phase 1 + Phase 2 success. But traffic doesn't cross — peer firewall logs "according to the policy the packet should not have been decrypted". Why? Because your LAN traffic is getting Hide-NAT'd before entering the tunnel, and the VPN encryption domain on the peer expects to see the original 10.x address, not your Hide-NAT'd public IP.

Fix: in the VPN community Advanced → tick "Disable NAT inside the VPN community". Now the gateway skips Hide-NAT for traffic destined to peers in this community. Original IPs reach the peer; their encryption domain matches; traffic flows.

Scope limit

"Disable NAT inside the VPN community" applies to Hide NAT only. If you have Auto Static NAT on a host, it still NATs in-tunnel. For dual-NAT scenarios (overlapping LANs between peers) you'll need Manual NAT rules with explicit "inside community" conditions.

🤖 Ask the AI Tutor

Tap any question — instant context-aware answer drawn from this lesson + Check Point R81+ docs + CheckMates threads. No login.

Pre-curated answers from Check Point R81.20 admin guide + CheckMates + Ram's L3 production notes. For deeper / live questions, paste your output into chat.techclick.in.

The 5 mistakes that cost L1 candidates the interview

Mistake 1 — Manual NAT in gateway subnet without Proxy-ARP

Upstream router ARPs for the NAT IP, gets silence, traffic black-holes. Always add the proxy-ARP entry or enable the sk114395 flag.

Mistake 2 — Interface topology with post-NAT range

Anti-spoofing runs pre-NAT. List the original internal subnets in the topology, not the public translated range.

Mistake 3 — Manual rule expected to override Auto rule

NAT rule base order — Auto tiers 1–4 evaluate before Manual tier 5. Convert all to Manual if you need explicit order control.

Mistake 4 — NAT-in-VPN forgotten

"Disable NAT inside the VPN community" not ticked → Hide NAT rewrites tunnel traffic → peer rejects on encryption-domain mismatch.

Mistake 5 — Pushing policy and expecting instant NAT flip

Existing connections keep old translation. Only new flows pick up the change. Flush via fw tab -t fwx_alloc -x only in a maintenance window.

📝 Check your understanding — 10 questions, 70% to pass

Q1–Q3 above already count. Below are Q4 to Q10. Score saves to your profile.

Q4 of 10 · Remember

What is the locked evaluation order of the Check Point NAT Rule Base?

Correct: b. "Ashok Aaya Aage Aage, Manual Peeche". Auto for Host objects always evaluates before Auto for Network objects, and both before Manual. Manual is first-match-wins WITHIN its own tier.
Q5 of 10 · Analyze

A site-to-site VPN's tunnel is UP (Phase 1 + 2 OK) but no traffic crosses. Peer logs say "packet should not have been decrypted". Encryption domains on both sides look correct. What's the most likely cause?

Correct: c. Classic. Tunnel comes up because IKE finishes successfully, but data plane traffic gets Hide-NAT'd to a public IP that isn't in the peer's encryption domain. Peer drops it as "out-of-domain decrypt". The fix is one checkbox in the VPN community Advanced tab. (a) and (d) would fail Phase 1, not data flow.
Q6 of 10 · Analyze

Sneha publishes a server with Static NAT. External hosts can ping the gateway's external IP but get no reply when pinging the published NAT IP. Logs show no drop entries. Where is traffic dying?

Correct: c. No drop logs = traffic never reached the firewall's policy engine. That points to ARP — upstream router doesn't know where to send packets for the NAT IP. Auto NAT installs Proxy-ARP automatically; Manual NAT does not (unless sk114395 flag is on). Add manually with the clish command. Verify with fw ctl arp.
Q7 of 10 · Analyze

Aditya runs fw monitor -m iIoO to watch an inbound published-server flow. At which inspection point will he FIRST see the destination IP rewritten from the public to the internal IP?

Correct: b. Destination NAT happens between i and I. So at I and onwards you see the post-DNAT destination. (a) shows the original; (c) and (d) are egress — they'll show the same post-DNAT dst plus eventual SNAT changes.
Q8 of 10 · Analyze

Priya wrote a Manual Hide rule for 10.20.0.0/16 → public IP X. She expects all LAN hosts to egress with IP X. But host 10.20.5.10 (which has an Auto Static rule from a previous publishing exercise) still egresses with its own public IP Y. Why?

Correct: a. NAT rule base order is locked. Auto Static (Host) = tier 1 fires before Manual = tier 5. To get explicit control, either convert the auto rule to manual or use the source-range exclusion. Reference: sk98989.
Q9 of 10 · Evaluate

A partner needs to reach an internal SAP server with full bidirectional TCP, UDP, plus an IPsec tunnel for production data replication. Which NAT method is right and why?

Correct: c. Hide NAT only supports TCP/UDP/ICMP — IPsec needs Static or IP Pool. Static gives the partner a fixed public IP for the SAP server, accepts inbound from partner, and passes IPsec replication. (d) IP Pool would work but is overkill for a single 1:1 mapping. (a) fails on IPsec. (b) needs partner-side awareness of internal IPs — typically a no-go.
Q10 of 10 · Evaluate

An MEP VPN design needs each remote satellite to terminate on either of two HA Center gateways. Returning traffic must be source-symmetric (same IP that initiated reads the reply). Best NAT method on the Center side?

Correct: b. IP Pool NAT was designed precisely for MEP scenarios. Each session takes a unique IP from the configured pool, so the reply travels back to the same Center gateway that owns that IP. Hide NAT (a) creates port collisions across centers and breaks IPsec. (c) defeats the purpose of MEP HA. (d) doesn't scale — you'd need one static per satellite, with Proxy-ARP gymnastics.
Lesson complete — score saved to your profile.
Score below 70%. Re-read the section you got wrong — every L1 interview tests these.

Next up — Check Point Site-to-Site IPsec VPN

You can now read which NAT rule fired and where Proxy-ARP died. Next: IKEv1/v2, Star vs Mesh, VPN domain mismatches, and the vpn debug ikeon playbook. Coming in the next blog drop.

← Previous: Policy Layers Practice CCSA MCQs at exam.techclick.in

Sources cited inline

  1. R81 Admin Guide — Configuring the NAT Policy
  2. R81 — Automatic and Proxy ARP
  3. R81 — NAT and Anti-Spoofing
  4. R81 — Disabling NAT in a VPN Tunnel
  5. R81 CLI Reference — fw monitor
  6. sk30197 — Proxy ARP for Manual NAT
  7. sk114395 — Auto Proxy ARP with Manual NAT Rules
  8. sk98989 — Ordering of Automatic NAT Rules
  9. CheckMates — A Primer on Anti-Spoofing
  10. CCSA R81.20 (156-215.81.20) Syllabus