Server side and client side nat is the definition of at what point the NAT actually takes place. If we look at the following diagram:
Inet--Router | |(side A) Firewall | | |(side B) Internal Network
In this diagram we assume client is coming in from internet to access a server on internal network:
Server Side NAT -- Is done on side B which is at the last exit point of the firweall kernel. With server side NAT you need to have static routes because when the packets are dropped down to the routing deamon of the firewall they are still the NATTED ip. Translation to the destination ip is the last thing to happen.
Client Side NAT -- Is done on side A, or at the first entry point into the firewall kernel. When you do client side NAT it's simplified because by the time the packet reached the modules routing daemon it's the translated packet so static routes are not necessary.
If I may add to fw1engineer post, in stupid Checkpoint 4.1, Server NAT is being used. That is why you are required to have /32 route for static NAT, for those who used the Nokia platforms you know what I am talking about. Checkpoint NG uses "client" NAT so that /32 route is not needed for static NAT.
Cisco Pix firewall, has been using "client" NAT for as long as I can remember, and I've been using pix OS since version 5.0.3.
Thank you all for your input and assistance..much appreciated.
