Check Point - Client vs Server Side NAT Page 1 of 7

(htps:/www.fir3net.com)

(http://sdntraining.com/?
utm_source=FIR3NET&utm_medium=Banner1&utm_campaign=Ad&utm_content=Security)

Home (/) ∠ Articles (/Articles.html) ∠ Firewalls ∠ Check Point (/Firewalls/Check-Point/)

∠ Check Point - Client vs Server Side NAT

Check Point - Client vs Server Side

NAT
Written by Rick Donato on 30 July 2008. Posted in Check Point (/Firewalls/Check-Point/)

17

INTRODUCTION
Client and Server side NAT relates to when we perform destination NAT`ing.
The "Translate destination on Server side" option is an legacy option which was included due to pre
NG versions of checkpoint using Server-Side NAT.

Client Side NAT - The destination address is NAT`d by the inbound Kernel
Server Side NAT - The destination address is NAT`d by the outbound Kernel

https://www.fir3net.com/Firewalls/Check-Point/client-vs-server-side-nat.html 2018-01-26
Check Point - Client vs Server Side NAT Page 2 of 7

(htps:/www.fir3net.com)

Note : Source NAT always happens on the Outbound Kernel.

Note : Rule > NAT - The kernels will  always process the rules before the NAT.

SO WHY DOES THIS MATTER ?

Well when we use client side NAT the IP address is NAT`d before it hits the routing table. So we can
route the packet based on the real IP. 
But when we use Server side NAT the IP is NAT`d after passing the routing table so there has to be
a route for NAT`d (fake) IP in the routing table so that the operating system can pass the packet to
the correct interface.

To explain things a little easier have a look at the diagram below,

So we want to access the server (10.8.8.1). If we use Client Side NAT the inbound kernel will NAT
the destination IP (192.168.8.1) to the real IP (10.8.8.1) and then pass the packet to the (OS)
routing table. Which as you can see will have the routing entry for this subnet and pass it out (via
the outbound kernel) to the interface (eth0).

https://www.fir3net.com/Firewalls/Check-Point/client-vs-server-side-nat.html 2018-01-26
Check Point - Client vs Server Side NAT Page 3 of 7

the packet would not get NAT`d by the inbound kernel. It would get
(htps:/www.fir3net.com)

route this packet, the packet would pass through the outbound kernel which would NAT the
destination IP to 10.8.8.1.

NOTE: CLIENT AND SERVER SIDE NAT ARE OPTIONS ONLY FOR D ESTI NATION
NAT.

ADDITIONAL
• Types of Check Point NAT - Click Here (/Checkpoint/types-of-nat.html)
• Proxy ARP - Click Here (/Checkpoint-SPLAT/proxy-arp-splat.html)

9 Comments Fir3net.com 
1 Login

 Recommend Sort by Newest

⤤ Share

Join the discussion…

LOG IN WITH OR SIGN UP WITH DISQUS ?

Name

mario • a year ago

Hello, great explanation!
One question, how should be the route added?
I tried but didn't work this way:
set static-route 192.168.8.1/32 nexthop gateway logical eth0 on
• Reply • Share ›

Giuseppe Carmine Illiano • 2 years ago

very clear, you rock!
• Reply • Share ›

prasanth • 6 years ago

good explanation..
• Reply • Share ›

gayatri • 6 years ago

hi,
does anyone know where is the boot manager located in an an ip appliance
• Reply • Share ›

Maninder Singh > gayatri • 4 years ago

Hi,

Boot Manager is locaed on the Flash Card in the IP appliance

• Reply • Share ›

https://www.fir3net.com/Firewalls/Check-Point/client-vs-server-side-nat.html 2018-01-26
Check Point - Client vs Server Side NAT Page 4 of 7

(htps:/www.fir3net.com) JW_DISQUS_BACK_TO_TOP

(http://www.dmca.com/Protection/Status.aspx?ID=bf4475b8-9010-

4516-a707-6cfbe96736e7&refurl=https://www.fir3net.com/Firewalls/Check-Point/client-vs-server-
side-nat.html)

$0.17/Mbps IP
Transit

IPv6+IPv4 and BGP for Your

Network or Internet Company!

https://www.fir3net.com/Firewalls/Check-Point/client-vs-server-side-nat.html 2018-01-26
Check Point - Client vs Server Side NAT Page 5 of 7

(htps:/www.fir3net.com)

(http://www.host-tracker.com)

https://www.fir3net.com/Firewalls/Check-Point/client-vs-server-side-nat.html 2018-01-26
Check Point - Client vs Server Side NAT Page 6 of 7

(htps:/www.fir3net.com)

LATEST ARTICLES

How do I add a Space to Selected Lines within VIM? (/UNIX/Linux/how-do-i-add-a-space-to-selected-

lines-within-vim.html)

Python - How to Obtain the Configuration of a Networking Device using NETCONF

(/Networking/Protocols/how-to-operate-a-device-using-netconf-and-python.html)

What is RESTCONF? (/Networking/Protocols/what-is-restconf.html)

An Introduction to NETCONF/YANG (/Networking/Protocols/an-introduction-to-netconf-yang.html)

How to Configure a Cisco CSR using NETCONF/YANG (/Networking/Concepts-and-

Terminology/how-to-configure-a-cisco-csr-using-netconf-yang.html)

A Brief Explanation of Kernel Space and User Space (/UNIX/Linux/what-and-when-is-kernel-space-

and-user-space-used.html)

vSRX on an Isolated Network - How do I Provision via Cloud-Init? (/Cloud/OpenStack/vsrx-on-an-

isolated-network-how-do-i-provision-via-cloud-init.html)

Troubleshooting Connectivity to the Neutron Metadata Proxy (/Cloud/OpenStack/troubleshooting-

connectivity-to-the-neutron-metadata-proxy.html)

OpenStack Neutron - What is Port Security? (/Cloud/OpenStack/openstack-neutron-what-is-port-

security.html)

A Guide to Network Function Virtualization (NFV) (/Networking/Concepts-and-

Terminology/a-guide-to-network-function-virtualisation-nfv.html)
POPULAR ARTICLES

Check Point Commands (/Firewalls/Check-Point/checkpoint-commands.html)

Proxy ARP – SPLAT (/Firewalls/Check-Point/proxy-arp-splat.html)

How to set the Time / Date and Timezone in CentOS (/UNIX/Linux/how-to-set-the-time-date-and-

timezone-in-centos.html)

IPSO - Commands (/Firewalls/Check-Point/ipso-commands.html)

Configuring Windows 2008 R2 as an NTP Server (/Microsoft/General/configuring-windows-2008-r2-

as-an-ntp-server.html)

ASA 8.3 - Auto NAT Examples (/Firewalls/Cisco/how-to-configure-nat-of-asa-83.html)

How to display HTTP Headers via Tcpdump (/UNIX/Linux/how-to-display-http-headers-using-

tcpdump.html)

Juniper Netscreen Commands (/Firewalls/Juniper/juniper-commands.html)

vSphere - Creating User and Group Permissions (/Virtualization/VMware/vsphere-assigning-a-user-

per-virtual-machine.html)

VI shows the error Terminal too wide within Solaris (/UNIX/Solaris/vi-shows-the-error-terminal-too-

wide-within-solaris.html)

https://www.fir3net.com/Firewalls/Check-Point/client-vs-server-side-nat.html 2018-01-26
Check Point - Client vs Server Side NAT Page 7 of 7

(htps:/www.fir3net.com)


(http://www.fir3net.com/all-
   content-
(https://www.facebook.com/fir3net/)
(http://www.twitter.com/f3lix001)
(https://github.com/rickd3)
rss.html)

About (/Miscellaneous/Site/about-us.html) Sitemap (/sitemap.html)

Partners (/Miscellaneous/Site/partners.html) Login (/Log-in.html)

Contact Us (mailto:rick@donato.me.uk?subject=Fir3net%20Enquiry)

Built with HTML5 and CSS3

Secured by Incapsula (http://www.incapsula.com)

https://www.fir3net.com/Firewalls/Check-Point/client-vs-server-side-nat.html 2018-01-26