3.3 Static NAT (One-to-One)

Key Takeaways

  • Static NAT maps one internal host to one public IP address, bidirectionally translating source and destination
  • It is used to publish internal servers (web, mail, DNS) so external clients can initiate inbound connections
  • Because the public IP must be reachable on the gateway's external segment, the gateway must answer ARP for that IP — proxy ARP
  • Static NAT preserves ports (no port translation); each public IP maps to exactly one internal host
  • Access Control is still required and is evaluated on the original, pre-NAT addresses
Last updated: July 2026

What Static NAT Does

Static NAT is one-to-one address translation. One internal host is mapped to one public IP address, and the translation is bidirectional: when the internal host initiates outbound, its source is rewritten to the public IP; when an external host initiates inbound to the public IP, the destination is rewritten to the internal host. Unlike Hide NAT, ports are not translated — the same port number appears on both sides.

This makes Static NAT the correct choice whenever an internal host must be reachable from the Internet — a published web server, mail server, DNS server, or any service where external clients initiate the connection.

A Typical Static NAT Rule

A Manual Static NAT rule for publishing an internal web server at 10.1.1.100 behind public IP 203.0.113.50 looks like this:

Original SourceOriginal DestinationOriginal ServiceTranslated SourceTranslated DestinationTranslated Service
Any203.0.113.50HTTPOriginal10.1.1.100Original

When an Internet client connects to 203.0.113.50:80, the gateway rewrites the destination to 10.1.1.100:80 and forwards it inside. The internal server replies from 10.1.1.100; the gateway rewrites the source back to 203.0.113.50 so the client sees a consistent endpoint.

For traffic the server itself originates (for example, fetching OS updates), a second rule — or the same rule with broader columns — rewrites the source from 10.1.1.100 to 203.0.113.50 so the server's outbound traffic also appears from its public IP. When you enable Automatic Static NAT on the server object, Check Point generates both directions for you.

Why Proxy ARP Matters

Here is the part CCSA questions repeatedly test. The public IP 203.0.113.50 is not assigned to any interface — it is a "virtual" address that the gateway translates to the internal server. But the upstream router, on the same external subnet as the gateway, must be able to deliver packets addressed to 203.0.113.50. Routers use ARP to find the MAC address for a destination IP on the local subnet. Without an ARP response, the router cannot build the Ethernet frame, and the packet never reaches the gateway.

The gateway therefore must answer ARP requests for 203.0.113.50 as if that IP belonged to it. This is proxy ARP — the gateway responds to ARP on behalf of another IP. There are two ways to make it happen on R82:

  1. Automatic, via Automatic NAT: when you enable Automatic Static NAT in the host object's NAT tab, the gateway adds the proxy ARP entry automatically at policy install (and removes it when the rule is removed).
  2. Manual, via Gaia: when you write a Manual Static NAT rule, you must add the proxy ARP entry yourself using clish (add arp proxy ipv4-address 203.0.113.50 interface eth1 mac-address auto) or the Gaia Portal. The Security Management Server does not auto-generate ARP for Manual rules.

Without proxy ARP, the symptom is deterministic: external clients time out, and a packet capture on the gateway's external interface shows the inbound packets never arriving. The router simply has no MAC to address them to.

A Common Trap: Anti-Spoofing

Check Point gateways run anti-spoofing on each interface, validating that the source of an inbound packet matches the network topology defined on that interface. When you add Static NAT, the gateway now expects to see traffic on its external interface whose destination is a public IP that is not on any interface. The topology rules must be consistent — the public IP must be treated as "behind" the gateway. With Automatic NAT this is handled; with Manual NAT, you may need to verify anti-spoofing does not drop the translated return traffic on the internal interface.

Static NAT vs Hide NAT Side by Side

PropertyHide NATStatic NAT
MappingMany-to-oneOne-to-one
Port translationYes (source port remapped)No
Inbound initiationNot supportedSupported
Use caseOutbound client Internet accessPublishing internal servers
Proxy ARP neededNo (uses gateway's own IP)Yes (for the public IP)
Public IPs consumedOne for many hostsOne per published host

When to Choose Static NAT

Static NAT is correct when:

  • An internal host must accept inbound connections from the Internet.
  • The organization has enough public IP space to dedicate one per published server.
  • The server must be reachable at a stable, well-known public IP (DNS, certificates, partner firewalls allowlisting that IP).
  • Two-way traffic must appear to originate from the public IP (some applications embed the source address in the protocol or in logs).

A Worked Example

A company owns the public subnet 203.0.113.0/28 and uses 203.0.113.50 for the web server and 203.0.113.51 for the mail server. Both servers physically live at 10.1.1.100 and 10.1.1.101 on an internal segment. The administrator creates two host objects, enables Automatic Static NAT on each (mapping 203.0.113.50 to 10.1.1.100 and 203.0.113.51 to 10.1.1.101), and installs the policy. The gateway now answers ARP for both public IPs on its external interface, rewrites inbound destinations to the internal addresses, rewrites outbound sources from the internal addresses to the public addresses, and Access Control rules still govern which services each server is allowed to receive or initiate.

Test Your Knowledge

Why does a Manual Static NAT rule for publishing an internal web server require proxy ARP on the gateway's external interface?

A
B
C
D
Test Your Knowledge

Which property distinguishes Static NAT from Hide NAT in Check Point R82?

A
B
C
D
Test Your Knowledge

An external client connects to 203.0.113.50:443 (the published public IP of an internal web server at 10.1.1.100). Which addresses does the Access Control layer evaluate?

A
B
C
D