
Access to internet from FW

Hi there!

I'm trying to get access to the internet from my Checkpoint FW. I can't even ping anything from the CLI of my FW.

So here is my configuration.

We are using BGP peering with the ISP. To announce our AS to the ISP I use a static blackhole route for the AS network.

I configured a NAT policy to give our users access to the internet, and it works nicely.

What else do I need to configure to get access to the internet from the CP FW?

Thanks in advance, and sorry for my English.

My config

6 Replies
Danny
Pearl

Re: Access to internet from FW

Hi Dmitry,

Within your GAiA WebUI, besides Advanced Routing > BGP, you also need to have Route Aggregation, Inbound Route Filters and Route Redistribution properly configured.

Re: Access to internet from FW

I'm using Inbound Route Filters to filter inbound routes and it works correctly. As I said, everything is okay for the users: they have all the access they want and NAT works perfectly. The only problem is access to the internet from the FW itself... I can't check for updates or even ping internet resources.
Jerry
Gold

Re: Access to internet from FW

Can you not make yourself a static route out for the CP host?

What about DNS resolution? In order to access CPUSE you need name resolution on the CP host itself; are you aware of that? What about NTP on the box, as BGP relies on it?

Jerry

Re: Access to internet from FW

I've already configured DNS servers and they work correctly.

The thing is, when I'm trying to get updates, Checkpoint uses the external interface as the source interface. In my case it has the IP address 10.1.1.1/30, which, as you know, is a private address. I would like it to look like a public address from my AS address range. How do I do that?
Admin
Admin

Re: Access to internet from FW

Do you have a public IP address you can assign to the firewall?

If so, maybe a NAT rule is in order.

Something like:

  • Original
    • Source: Firewall object (assuming it is the 1.1.1.1 IP)
    • Destination: Any
    • Service: Any
  • Translated:
    • Source: Host object with public IP
    • Destination: Original
    • Service: Original
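As an added illustration of the rule proposed in this reply (this is not Check Point's code and not the thread's own configuration), here is a small Python model of a first-match NAT rulebase. It shows why the firewall's own packets leave with the private 10.1.1.1 source when only the users' hide NAT rule exists, and how a static rule for the firewall object placed above it rewrites the source to a routable address. The addresses other than 10.1.1.1 are constructed: 192.0.2.10 stands in for the public address from the AS range and 10.10.0.0/16 for the user LAN; the hide NAT port pool is a toy.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed addresses for the illustration (only 10.1.1.1 comes from the thread).
FW_EXTERNAL_IP = ip_address("10.1.1.1")   # private address on the ISP-facing /30
PUBLIC_FW_IP = ip_address("192.0.2.10")   # stand-in for a public address out of the AS range
USER_LAN = ip_network("10.10.0.0/16")     # stand-in for the user networks behind the firewall
ANY = ip_network("0.0.0.0/0")

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class NatRule:
    name: str
    orig_src: IPv4Network
    orig_dst: IPv4Network                  # ANY == 0.0.0.0/0
    translated_src: Optional[IPv4Address]  # None keeps the original source
    method: str                            # "static" (1:1, port kept) or "hide" (many:1, port rewritten)


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    sport: int


def is_rfc1918(addr: IPv4Address) -> bool:
    """True for private space that an ISP will not route back to us."""
    return any(addr in net for net in RFC1918)


class NatRulebase:
    """Ordered rulebase; the first rule whose original fields match wins."""

    def __init__(self, rules: List[NatRule]):
        self.rules = rules
        self._hide_ports: Dict[Tuple[IPv4Address, int], int] = {}
        self._next_port = 10000  # toy hide NAT port pool

    def translate(self, pkt: Packet) -> Tuple[Packet, Optional[str]]:
        for rule in self.rules:
            if pkt.src in rule.orig_src and pkt.dst in rule.orig_dst:
                new_src = pkt.src if rule.translated_src is None else rule.translated_src
                new_sport = pkt.sport
                if rule.method == "hide":
                    key = (pkt.src, pkt.sport)
                    if key not in self._hide_ports:
                        self._hide_ports[key] = self._next_port
                        self._next_port += 1
                    new_sport = self._hide_ports[key]
                return Packet(new_src, pkt.dst, new_sport), rule.name
        return pkt, None  # nothing matched: the packet leaves untranslated


def egress_report(rulebase: NatRulebase, src: str, dst: str, sport: int = 0) -> dict:
    """Translate one packet and report which rule hit and whether the result is routable."""
    out, rule = rulebase.translate(Packet(ip_address(src), ip_address(dst), sport))
    return {"rule": rule, "src": str(out.src), "sport": out.sport, "routable": not is_rfc1918(out.src)}


# What the thread starter had: hide NAT for users only.
USERS_ONLY = NatRulebase([
    NatRule("users-hide", USER_LAN, ANY, PUBLIC_FW_IP, "hide"),
])

# What the reply proposes: a static rule for the firewall object, above the users' rule.
PROPOSED = NatRulebase([
    NatRule("fw-self-to-internet", ip_network("10.1.1.1/32"), ANY, PUBLIC_FW_IP, "static"),
    NatRule("users-hide", USER_LAN, ANY, PUBLIC_FW_IP, "hide"),
])

if __name__ == "__main__":
    for label, rb in (("users only", USERS_ONLY), ("with fw-self rule", PROPOSED)):
        print(label, "| firewall ping:", egress_report(rb, "10.1.1.1", "198.51.100.1"))
        print(label, "| user browsing:", egress_report(rb, "10.10.5.5", "198.51.100.1", 40000))
```

With the users-only rulebase the firewall's own ping matches no rule and leaves with source 10.1.1.1, so no reply can ever come back across the ISP; with the firewall-object rule in place the source becomes 192.0.2.10 while the users still fall through to their hide rule. Rule order matters in the model exactly as it does in the real rulebase: a broad hide rule placed first would capture the firewall's packets before the static rule is consulted.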
Jerry
Gold

Re: Access to internet from FW

You simply need to configure BGP via GAiA clish/WebUI and allow certain traffic to get routed out from the host (CP) itself.

That isn't too complicated, is it? Route reflection on the ISP BGP peer? Have you got the AS number properly set on the CP host?

If you need to access certain FQDNs from the CP shell you also need name resolution (DNS) configured accordingly on the CP, as well as NTP (BGP is dependent on it).

That's it.

Jerry