topic Re: Static NATs for overlapping subnets in General Topics

Static NATs for overlapping subnets

phlrnnr — Fri, 18 Jan 2019 21:34:40 GMT

When organizations merge, there are often requirements for connecting the networks of the different businesses when they still have overlapping RFC1918 IP space. Is there a way on a single Check Point firewall/cluster to provide the NAT for both directions between organizations when the address space overlaps?

Take for example:

SiteA/Server 1 = 10.1.1.1 static NAT to 172.16.1.1

SiteB/Server 1 = 10.1.1.1 static NAT to 172.17.1.1

Assumptions:

All servers at SiteA are statically source NAT'd to something in 172.16.1.0/24
All servers at SiteB are statically source NAT'd to something in 172.17.1.0/24

Can a single firewall handle the NATs in both directions if SiteA/Server1 had to communicate with SiteB/Server 1?

In theory, A1 would send a request from 10.1.1.1 -> 172.17.1.1. The FW would NAT the source to 172.16.1.1 and the destination to 10.1.1.1. B1 would receive the packet and reply 10.1.1.1 -> 172.16.1.1. The FW would NAT the source to 172.17.1.1 and the destination to 10.1.1.1.

I realize this would cause trouble for Anti-spoofing, but would it work?. Are the manual NAT rules flexible enough to handle this scenario? Is the real killer going to be routing since the 10.1.1.x network exists on both sides? If only the FW could NAT/route based on traffic direction and/or interface zone.

Thanks for mulling this over with me.

Re: Static NATs for overlapping subnets

Kaspars_Zibarts — Fri, 18 Jan 2019 22:26:25 GMT

You answered yourself - can you really have routing to 10.1.1.1 on "both" sides? Not really. You would need two routers/firewalls with intermediate network that can hide two identical networks to allow this. We have it deployed between lab that fully replicates production and real production.

In nutshell, you can't really send the same IP address in two different directions

Re: Static NATs for overlapping subnets

phlrnnr — Mon, 21 Jan 2019 15:13:26 GMT

Thanks for clarifying what I was already thinking. My brain started going down this road after reading this document that shows how this can be done on a Cisco router (See the second example that does NOT use DNS, but static NATs). I was hoping we may be able to get away with doing something similar on the Checkpoint.

Re: Static NATs for overlapping subnets

Kaspars_Zibarts — Mon, 21 Jan 2019 18:21:17 GMT

Indeed, we have implemented this Cisco solution in our network too where Cisco router adjusts DNS replies. It really depends on requirements and expected volumes of overlap. There are some tricks you could do but all depends on actual requirements. Cisco is certainly step ahead here

Re: Static NATs for overlapping subnets

Maarten_Sjouw — Mon, 21 Jan 2019 21:26:56 GMT

In these type of cases you could think outside the box and setup a VS on the same FW, Problem here is that you will need to rebuild the gateway/cluster. But it will give you the advantage that you will have 2 gateways each to handle a side of the network. The appliance licenses comes with a license for 1 VS by default.

We did this lately for a customer that has a cluster where we needed to split the traffic from internal with only IPS checks an external with all NGTP checks. We achieved it by running the VS as the internal gateway on GW2 and the actual GW1 as the external gateway. giving it a load sharing option at the same time.

is on

In your case you could set it up so the connection between the actual GW and the VS is used to communicate with the 172 addresses only, so NAT is done on the side the conflicting network.

Re: Static NATs for overlapping subnets

Kaspars_Zibarts — Tue, 22 Jan 2019 06:02:33 GMT

The only issue with 2 gateways (we have that for lab environment connecting back to prod with same IPs) you won't be able to use same DNS, it will be fairly static environment. I somewhat like Cisco DNS reply adjustments better

Re: Static NATs for overlapping subnets

Dre187 — Fri, 28 Oct 2022 16:24:45 GMT

Phil we are trying to solve this same issue. Have you looked at this link?

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SecurityManagement_AdminGuide/Topics-SECMG/Advanced-NAT-Settings.htm

Re: Static NATs for overlapping subnets

G_W_Albrecht — Mon, 31 Oct 2022 07:57:34 GMT

Are you aware of the fact that all these posts are from soon 4 years ago ?