topic Re: Configure Public IP address directly on a server behind Checkpoint in Firewall and Security Management

Configure Public IP address directly on a server behind Checkpoint

kenn2000 — Tue, 05 Jul 2022 04:58:29 GMT

Hi Everyone,

We are in process of implementing Mitel MiCollab and the requirement is the WAN interface of the Micollab server should have public ip assigned directly on it. NATting from public ip to private ip does not support.

The MiCollab server is a VM behind the Checkpoint.

How could I achieve this setup with Checkpoint?

Thank you.

Re: Configure Public IP address directly on a server behind Checkpoint

_Val_ — Tue, 05 Jul 2022 08:19:57 GMT

setup a DMZ

Re: Configure Public IP address directly on a server behind Checkpoint

Chris_Atkinson — Tue, 05 Jul 2022 10:13:17 GMT

As Val has hinted another interface/VLAN from the Check Point addressed with the public subnet and configuration pertinent for a DMZ.

Re: Configure Public IP address directly on a server behind Checkpoint

kenn2000 — Wed, 06 Jul 2022 00:29:32 GMT

Thank you all for your comments.

Sorry I am new to Checkpoint so needing your help further.

We currently have DMZ with a different subnet.

All public IPs have been forwarded to External on a bond Interface.

So I don't know how another DMZ network/Interface will work as what would be the IP address/subnet for them?. What I am understanding is each Interface should have a different subnet.

Could you please help explaining further?

Thank you very much.

Re: Configure Public IP address directly on a server behind Checkpoint

Chris_Atkinson — Wed, 06 Jul 2022 08:43:45 GMT

Having public address on only the external interface cannot achieve this if the objective is not to use NAT.

The vendor of Firewall doesn't matter in this context.

Does the existing DMZ have/use public addresses (Y/N)?

Yes - Connect the Mitel here with an IP from that subnet.

No - You will likely have to create a new DMZ involving networking/routing changes & possibly requesting extra or new IP addresses from your ISP.

Re: Configure Public IP address directly on a server behind Checkpoint

Bob_Zimmerman — Wed, 06 Jul 2022 13:56:19 GMT

@Chris_Atkinson wrote:

Having public address on only the external interface cannot achieve this if the objective is not to use NAT.

Sure you can. It's really easy.

Pick a new network which will contain the MiCollab box. It can be private, and should be at least a /30 for a single firewall or a /29 for a two-member cluster.
Assign an IP in this network for the firewall. If using a cluster, also assign an IP for each member.
Assign the public IP to the MiCollab box.
Set the MiCollab box's default route to the private IP on the firewall's interface.
Add a 32-bit interface route pointing the public address out the firewall's interface connected to the network with the MiCollab box. The command to add this route will look like this:

set static-route 1.2.3.4/32 nexthop gateway logical eth1.2345 on

Due to a complicated set of requirements, I have a firewall which works like this in my environment. It's a bit weird to get used to, but pretty solid.

Re: Configure Public IP address directly on a server behind Checkpoint

Chris_Atkinson — Wed, 06 Jul 2022 14:04:33 GMT

Thanks Bob, I was making an assumption from what was said that routing changes were out of scope or not possible due to the size of the existing external subnet.

Re: Configure Public IP address directly on a server behind Checkpoint

Vladimir — Thu, 07 Jul 2022 02:02:10 GMT

Depending on the size of your public IP network, this could be accomplished by breaking it into smaller subnets.

Create DMZ using one of the small subnets with public IPs and place your Mitel unit in it.

You will have to configure static routes on the ISP router to forward traffic destined to individual subnets to use Check Point's external IP as the gateway.

Re: Configure Public IP address directly on a server behind Checkpoint

kenn2000 — Thu, 07 Jul 2022 03:32:03 GMT

Thank you @Bob_Zimmerman , @Chris_Atkinson and everyone for tipping the idea.

I now understand how it can be done. It is more complicated that I first thought where it could be just simply a special config in Checkpoint to bridge the traffic directly to Micollab in DMZ.

Will need to involve more parties into the solution.

Much appreciated.

Re: Configure Public IP address directly on a server behind Checkpoint

blacx_13 — Wed, 06 Sep 2023 10:08:54 GMT

Hi Bob,

I'm fairly new with checkpoint, i just have few clarifications with this solution. let me know if my assumptions are correct.

4. I am using a layer 2 switch on the DMZ, would this solution still work

5. Im a bit confused on the command will it be something like this based on the diagram

set static-route 1.1.1.2/32 nexthop gateway logical eth.xx (WAN) on

Re: Configure Public IP address directly on a server behind Checkpoint

Bob_Zimmerman — Wed, 06 Sep 2023 20:59:18 GMT

4. Yes, you would need to use a switch. Having a router in the path makes things a bit more complicated, but still possible.

5. You don't have interface names on that diagram, but it would be 'set static-route 1.1.1.2/32 nexthop gateway logical <interface leading to the switch labeled DMZ> on'. You would then need to set the default route on 1.1.1.2 to be the cluster VIP on that interface. You should not use a public IP for that VIP.

Re: Configure Public IP address directly on a server behind Checkpoint

blacx_13 — Thu, 07 Sep 2023 02:14:11 GMT

btw, this is not a part of a cluster. so it would be something like this ? since I dont have any VIP
'set static-route 1.1.1.2/32 nexthop gateway eth3 (20.20.20.1 interface) on'

Re: Configure Public IP address directly on a server behind Checkpoint

Bob_Zimmerman — Thu, 07 Sep 2023 14:24:29 GMT

set static-route 1.1.1.2/32 nexthop gateway logical eth3 on

And remember, you need to set the endpoint's default route to the firewall's address on eth3. You may also need to give the endpoint a route to the firewall's address telling it to go out a particular interface. The right way to set all that up depends on the OS on the endpoint.