This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
solaris77
Explorer
‎2021-01-28 07:08 PM
Jump to solution

Question: one public IP on outside NIC of FW used for outbound internet access and inbound access

Hello,

I have a real virtual Checkpoint Security Gateway setup scenario: carrier who provides the virtual computing platform can only allow one public IP on virtual  Checkpoint Security Gateway instance running Checkpoint v80.20, i.e. the internet-facing interface IP, no other public IP range could be allocated due to platform restriction.  

The virtual checkpoint SG setup requirements:

1) setup outbound internet access, setup Hide NAT for all internal subnets with the outside interface IP;

2) setup static NAT on FW for inbound access using the same outside interface IP, so remote client VPN access could get to the VPN Concentrator which sits within DMZ behind FW

The questions are: 1) is it doable 2) any FW NAT/Arp/local Port range setup issues; 3) any performance concerns

I haven't setup the test environment yet, I'm wondering if anyone could give some valuable comments/advices.

  

0 Kudos
1 Solution

Accepted Solutions
Vladimir
Champion
Champion
‎2021-01-30 10:04 AM
Jump to solution

You should be able to achieve this, provided that you do not have IPSec enabled on Check Point, if your VPN concentrator is using it, or you may have to change the default portal port if you are looking to implement SSL/TLS VPN from behind Check Point.

View solution in original post

0 Kudos
9 Replies
PhoneBoy
Admin
Admin
‎2021-01-29 10:15 PM
Jump to solution

You can do the first thing easily enough.
The second should be possible depending on the ports required.
That said, the Check Point gateway can also terminate VPN connections (with appropriate licenses).

0 Kudos
solaris77
Explorer
‎2021-01-30 04:36 PM
In response to PhoneBoy
Jump to solution

Thanks for confirmation.

We'll use standalone TLS/DTLS based VPN concentrator, static NAT on Checkpoint Security Gateway, VPN traffic could be directed to box behind FW, port forwarding setup would be applied to both TCP and UDP 443, no http/https services would be enabled on Checkpoint Security Gateway.  

0 Kudos
PhoneBoy
Admin
Admin
‎2021-02-01 02:49 PM
In response to solaris77
Jump to solution

Note that there is something called multiportal that may impact usage of TCP 443.
Recommend that you change the Gaia WebUI port to something other than 443.
A couple other changes may be required.

0 Kudos
Vladimir
Champion
Champion
‎2021-01-30 10:04 AM
Jump to solution

You should be able to achieve this, provided that you do not have IPSec enabled on Check Point, if your VPN concentrator is using it, or you may have to change the default portal port if you are looking to implement SSL/TLS VPN from behind Check Point.

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2021-01-30 10:18 AM
In response to Vladimir
Jump to solution

Problem you will be running into is that you cannot NAT ESP traffic and most VPN concentrators really do not like to be NATted.

So I hope for you it will work but I have my doubts.

Regards, Maarten
0 Kudos
solaris77
Explorer
‎2021-01-30 04:39 PM
In response to Maarten_Sjouw
Jump to solution

Not the IPsec based VPN Concentrator for which the NAT-Transversal feature needs be supported for NAT devices in between.  We're using the TLS/DTLS based VPN concentrator, NAT with devices in between should not a problem.    

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2021-01-30 03:40 PM
Jump to solution

Hard to say in regards to performance issues...in my own personal experience, EVERY vendor will tell you how their firewalls work based on MINIMUM requirements and basic setup, so I always take it with a grain of salt : ). Having said that, I would say it is doable and as phoneboy said, setup should work based on ports required. Also, again, just my own personal experience, I had seen where different customers use same setup and gateways and it works for one, but not the other. There are so many factors that can affect this...(network itself, proxy used?, acceleration...)

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
solaris77
Explorer
‎2021-01-30 04:44 PM
In response to the_rock
Jump to solution

Yes, literally  the setup should work. We'll do some load testing to simulate the large WFH traffic throughput case.   

0 Kudos
Vladimir
Champion
Champion
‎2021-01-30 04:58 PM
Jump to solution

BTW, you may want to locate it in DMZ, create an IPS/AV exception for Internet-to-concentrator, but leave the Anti-bot in place.

You can inspect/control the traffic from concentrator to your internal networks using policies.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events