topic Re: Bridge a External IP in General Topics

Bridge a External IP

Satto — Thu, 14 Nov 2024 08:50:31 GMT

Hi,

I have a little complex problem in my big network, I'll try to be specify...

We have a client setting on a modem in a private APN network, this will then connect to a FW on our APN site using VPN before we will connect to our private FW (Checkpoint).

Client (10.250.1.200) -> Modem -> (APN -> VPN(192.168.0.0/16)) -> FW (APN) -> FW (Internal).

The problem, the client need to access a external IP on the Internet, but the APN network doesn't have Internet, so all request will just die/drop, so It need to go though the VPN. The FW (Internal) will have this Internet access, but I can't relay this traffic to this FW with the external IP, so I was thinking to use a internal IP, lets say 192.168.1.100. So the client will pretend to call 192.168.1.100 instead, I see the traffic all the way to the FW(Internal), but here is where the problem start, how do I translate this 192.168.1.100 to External IP and NAT the Client IP with the FW(internal) WAN ip, so I think we are talking about double NAT, I have try everything, but I can't make it to work.

So basic, my client (10.250.1.200) needs to talk with the external IP on port 9000, this need to go though a modem, vpn, fw, fw and then out to the Internet.

I have locally client already on the the FW(Internal) that access the external IP, so we can mess up the external ip to much so it will not work locally anymore!

Anyone have a bright idea , or have I make this to complicate?

/Steen

Re: Bridge a External IP

PhoneBoy — Thu, 14 Nov 2024 14:07:37 GMT

What specifically have you tried to do?
A standard NAT rule should work here, though it might need to be manual and include configuring a proxy ARP for 192.168.1.100 on the internal FW.

Re: Bridge a External IP

Satto — Fri, 15 Nov 2024 06:00:47 GMT

Hi,

Okay lets say for fun I need to access 8.8.8.8:9000.

I have a working NAT rule for client localy on the FW(internal)

NAT rule: OrgSrc(Grp_Client) - OrgDst(8.8.8.8) - TranSrc(0.0.0.0 H)

For the new solution, I pick out a IP(free) from a existent subnet on my FW(internal), right or wrong I don't know.

NAT rule OrgSrc(10.250.1.200) - OrgDst(192.168.1.100) - TranDst(8.8.8.8 S) - Not working

NAT rule OrgSrc(10.250.1.200) - OrgDst(192.168.1.100) - TranSrc(0.0.0.0 H) - TranDst(8.8.8.8 S) - Not working

Proxy Arp is new for me, where do I make that configuration?

/Steen

Re: Bridge a External IP

PhoneBoy — Fri, 15 Nov 2024 13:34:35 GMT

The procedure for configuring manual proxy arp is here: https://support.checkpoint.com/results/sk/sk30197

Re: Bridge a External IP

Satto — Mon, 18 Nov 2024 12:01:22 GMT

Hi,

You think you know NAT but every time you are surprise...:)

I read some other case you have answer, you said that if I use auto NAT on a host, the NAT arp will also be automatic.

First, what is the right way to create a host in CP, is that:

1. Address 8.8.8.8 and NAT 192.168.1.100 (Hide or static?)

2. Address 192.168.1.100 and NAT 8.8.8.8 (Hide or static?)

Also is it right to pick a address from another subnet on the Internal FW, that is already in use, if we say that:

8.8.8.8 in on eth1

192.168.1.100 on eth 2

10.250.1.200 arrive on eth 3

Im stuck, so any help is greatly appreciated.

/Steen

Re: Bridge a External IP

PhoneBoy — Mon, 18 Nov 2024 14:22:32 GMT

Your host object should be created in terms of the “real” IP (without NAT).
More specifically the real IP (8.8.8.8 in your example) will be the main object IP.
Proxy ARP is only needed when the translated IP (192.168.1.100 in your example) is on the same subnet as your gateway.
Otherwise you can use any unused subnet provided the gateway is the “default route” for the traffic.

Re: Bridge a External IP

Satto — Tue, 19 Nov 2024 10:56:29 GMT

Hi,

Nothing will work, so I try something else, and now is working fine.

I did a Host object with the 8.8.8.8 and no NAT.

Then a NAT rule on the incoming FW (internal) cluster interface instead of a virtual IP.

NAT rule OrgSrc(10.250.1.200) - OrgDst(FW Internal cluster IP) - OrgService(9000) - TranSrc(0.0.0.0 H) - TranDst(8.8.8.8 S)

so now it is running, many hours later:)

/Steen