Check Point NG: Next Generation Security Administration

Another method to secure your internal network or DMZ network behind the firewall is to assign it a network or subnet from one of the IP network numbers reserved for private addressing. These address ranges, defined in RFC 1918, were set aside by the Internet Assigned Numbers Authority (IANA) to conserve the limited amount of address space available. They are assigned for reuse by any organization, so long as they are not routed outside of any single, private IP network. This means that they are not routed over the Internet, which gives you a network that is more easily secured from outside attack.
Even if you are not using one of the IANA-reserved addresses for private networks, you can still utilize Network Address Translation (NAT) to hide your internal network and servers from the Internet. If you are using a private address internally, then you must use some external, Internet-routable network for Internet communications.
We will show you how to set up hiding NAT on your network objects and one-to-one NAT on your workstation objects in this chapter. We will also show you how you can set up some port address translation and other interesting NAT rules by manually adding rules under the Network Address Translation tab in your Policy Editor. If you read the previous chapter on creating your security policy, then once you're done with this chapter, you should have a fully functional Check Point VPN-1/FireWall-1 Next Generation firewall to put on the wire and start...
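The two rules the chapter relies on, that the inside of a NAT rule should sit in RFC 1918 space and that the translated side must be Internet-routable, can be checked mechanically before a policy is pushed. The following script is an added example, not code from the book or from Check Point: it encodes the three RFC 1918 blocks, models hide (many-to-one) and static (one-to-one) NAT rules as plain dictionaries with hypothetical field names, and audits a constructed rule set. The "public" addresses in the samples are taken from 203.0.113.0/24, the RFC 5737 documentation range, and stand in for real routable addresses.

```python
import ipaddress

# The three IANA-reserved private blocks defined in RFC 1918.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr_or_net):
    """True if an IPv4 address or network lies entirely inside an RFC 1918 block."""
    net = ipaddress.ip_network(addr_or_net, strict=False)
    if net.version != 4:
        return False
    return any(net.subnet_of(block) for block in RFC1918_BLOCKS)


def check_nat_rule(rule):
    """Return a list of findings for one rule; an empty list means it is consistent.

    rule = {"name": str, "method": "hide" | "static",
            "original": address or network, "translated": address or network}
    (hypothetical field names chosen for this example)
    """
    findings = []
    orig = ipaddress.ip_network(rule["original"], strict=False)
    xlat = ipaddress.ip_network(rule["translated"], strict=False)

    # NAT still works on public originals, so this is only informational.
    if not is_rfc1918(orig):
        findings.append("info: original side is not RFC 1918 private space")
    # A translated address inside RFC 1918 space cannot be reached from the
    # Internet, so the rule would silently break outbound or inbound traffic.
    if is_rfc1918(xlat):
        findings.append("error: translated side is RFC 1918 space and will not route on the Internet")

    if rule["method"] == "hide":
        # Hide NAT is many-to-one: everything behind it shares one translated address.
        if xlat.num_addresses != 1:
            findings.append("error: hide NAT must translate to a single address")
    elif rule["method"] == "static":
        # Static NAT is one-to-one, so both sides must be the same size
        # (a host to a host, or a /24 to a /24).
        if orig.num_addresses != xlat.num_addresses:
            findings.append("error: static NAT requires original and translated ranges of equal size")
    else:
        findings.append("error: unknown NAT method %r" % rule["method"])
    return findings


def audit(rules):
    """Map rule name -> findings for every rule that has at least one finding."""
    report = {}
    for rule in rules:
        found = check_nat_rule(rule)
        if found:
            report[rule["name"]] = found
    return report


# Constructed sample rules (not from the book's lab network).
SAMPLE_RULES = [
    {"name": "lan-hide",   "method": "hide",   "original": "10.1.0.0/16",    "translated": "203.0.113.10"},
    {"name": "www-static", "method": "static", "original": "192.168.5.20",   "translated": "203.0.113.20"},
    {"name": "bad-static", "method": "static", "original": "192.168.5.0/24", "translated": "203.0.113.30"},
    {"name": "leak",       "method": "hide",   "original": "10.2.0.0/16",    "translated": "172.16.0.1"},
]

if __name__ == "__main__":
    for name, found in audit(SAMPLE_RULES).items():
        print(name)
        for line in found:
            print("  " + line)
```

Running it flags "bad-static" (a /24 mapped one-to-one onto a single address) and "leak" (hiding behind an address that is itself private), while the two well-formed rules produce no findings. The same checks extend naturally to the manual rules you add under the Network Address Translation tab, where the original and translated columns are filled in by hand and are easier to get wrong.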