Bridge an External IP
Hi,
I have a slightly complex problem in my big network; I'll try to be specific...
We have a client sitting on a modem in a private APN network; this then connects to a FW on our APN site using VPN before we connect to our private FW (Check Point).
Client (10.250.1.200) -> Modem -> (APN -> VPN(192.168.0.0/16)) -> FW (APN) -> FW (Internal).
The problem: the client needs to access an external IP on the Internet, but the APN network doesn't have Internet, so all requests will just die/drop, so it needs to go through the VPN. The FW (Internal) has this Internet access, but I can't relay this traffic to this FW with the external IP, so I was thinking of using an internal IP, let's say 192.168.1.100. So the client will pretend to call 192.168.1.100 instead. I see the traffic all the way to the FW (Internal), but here is where the problem starts: how do I translate this 192.168.1.100 to the external IP and NAT the client IP with the FW (Internal) WAN IP? So I think we are talking about double NAT. I have tried everything, but I can't make it work.
So basically, my client (10.250.1.200) needs to talk with the external IP on port 9000; this needs to go through a modem, VPN, FW, FW and then out to the Internet.
I already have local clients on the FW (Internal) that access the external IP, so we can't mess up the external IP too much, or it will not work locally anymore!
Anyone have a bright idea, or have I made this too complicated?
/Steen
Accepted Solutions
Hi,
Nothing would work, so I tried something else, and now it is working fine.
I made a Host object with 8.8.8.8 and no NAT.
Then a NAT rule on the incoming FW (Internal) cluster interface instead of a virtual IP.
NAT rule: OrgSrc(10.250.1.200) - OrgDst(FW Internal cluster IP) - OrgService(9000) - TranSrc(0.0.0.0 H) - TranDst(8.8.8.8 S)
So now it is running, many hours later :)
/Steen
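The accepted rule is easier to reason about if you trace one connection through it. The following is an added example, not code from the thread or from Check Point: a small model of a manual NAT rule base (top-down, first match wins; "0.0.0.0 H" hides behind the egress interface address with a fresh source port; a static translated destination rewrites only the address and keeps the port). The interface addresses, the cluster IP (192.168.3.1) and the membership of Grp_Client (192.168.1.0/24) are invented for the example; the thread only says which interface each address sits on.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface, ip_network
from typing import Optional

# Assumed addressing for FW (Internal), invented for this example; the thread only
# says which interface each address sits on (eth1 = Internet side, eth2 = the
# subnet that 192.168.1.100 is borrowed from, eth3 = where the APN traffic arrives).
GATEWAY_IFACES = {"eth1": "203.0.113.10/24", "eth2": "192.168.1.1/24", "eth3": "192.168.3.1/24"}
CLUSTER_IP_ETH3 = "192.168.3.1"   # stands in for "FW Internal cluster IP" in the accepted rule
LOCAL_CLIENTS = "192.168.1.0/24"  # stands in for Grp_Client in Steen's local rule


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    """One row of a manual NAT rule base; rules are tried top-down, first match wins."""
    name: str
    orig_src: str                 # host or CIDR, or "any"
    orig_dst: str
    orig_service: Optional[int]   # TCP port, None = Any
    trans_src: Optional[str]      # None = Original, "0.0.0.0 H" = hide behind egress interface
    trans_dst: Optional[str]      # None = Original, otherwise a static 1:1 address


def _matches(selector: str, addr: str) -> bool:
    return selector == "any" or ip_address(addr) in ip_network(selector, strict=False)


class Gateway:
    def __init__(self, ifaces: dict, default_iface: str, rules: list):
        self.ifaces = {n: ip_interface(c) for n, c in ifaces.items()}
        self.default_iface = default_iface
        self.rules = list(rules)
        self._next_hide_port = 10000
        # NAT connection table: translated 4-tuple -> (original packet, rule name)
        self.conns = {}

    def egress_ip(self, dst: str) -> str:
        """Interface address used for hide NAT: the connected interface, else the default route."""
        for iface in self.ifaces.values():
            if ip_address(dst) in iface.network:
                return str(iface.ip)
        return str(self.ifaces[self.default_iface].ip)

    def translate(self, pkt: Packet):
        """Apply the first matching rule to a client->server packet; (pkt, None) if none matches."""
        for r in self.rules:
            if not (_matches(r.orig_src, pkt.src) and _matches(r.orig_dst, pkt.dst)):
                continue
            if r.orig_service is not None and r.orig_service != pkt.dport:
                continue
            dst = r.trans_dst or pkt.dst            # static destination NAT keeps the port
            if r.trans_src == "0.0.0.0 H":          # hide: egress interface IP + new source port
                self._next_hide_port += 1
                src, sport = self.egress_ip(dst), self._next_hide_port
            elif r.trans_src:
                src, sport = r.trans_src, pkt.sport
            else:
                src, sport = pkt.src, pkt.sport
            out = Packet(src, sport, dst, pkt.dport)
            self.conns[(out.src, out.sport, out.dst, out.dport)] = (pkt, r.name)
            return out, r.name
        return pkt, None

    def untranslate_reply(self, reply: Packet):
        """Reverse the translation for the server->client reply using the connection table."""
        entry = self.conns.get((reply.dst, reply.dport, reply.src, reply.sport))
        if entry is None:
            return reply, None
        orig, name = entry
        return Packet(orig.dst, orig.dport, orig.src, orig.sport), name


RULES = [
    # The accepted solution: client hits the cluster IP on 9000, leaves hidden behind eth1 toward 8.8.8.8
    NatRule("apn-client-via-cluster-ip", "10.250.1.200", CLUSTER_IP_ETH3, 9000, "0.0.0.0 H", "8.8.8.8"),
    # The pre-existing rule for local clients, which must keep working unchanged
    NatRule("local-clients-to-8.8.8.8", LOCAL_CLIENTS, "8.8.8.8", None, "0.0.0.0 H", None),
]


def run_flow(pkt: Packet):
    """Translate one connection out and its reply back; returns (outbound, rule, reply_to_client)."""
    gw = Gateway(GATEWAY_IFACES, "eth1", RULES)
    out, rule = gw.translate(pkt)
    if rule is None:
        return out, None, None
    server_reply = Packet(out.dst, out.dport, out.src, out.sport)   # what 8.8.8.8 sends back
    back, _ = gw.untranslate_reply(server_reply)
    return out, rule, back


if __name__ == "__main__":
    for p in (Packet("10.250.1.200", 51000, CLUSTER_IP_ETH3, 9000),
              Packet("192.168.1.50", 40000, "8.8.8.8", 9000),
              Packet("10.250.1.200", 51001, CLUSTER_IP_ETH3, 9001)):
        print(p, "->", run_flow(p))
```

The three sample flows show the APN client leaving as the eth1 address toward 8.8.8.8:9000 and its reply arriving back from the cluster IP:9000, the local client still matching only its own rule, and a packet to the cluster IP on a port other than 9000 matching nothing, so the OrgService column is what keeps the rule from swallowing other traffic to the cluster address.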
What specifically have you tried to do?
A standard NAT rule should work here, though it might need to be manual and include configuring proxy ARP for 192.168.1.100 on the internal FW.
Hi,
Okay, let's say for fun I need to access 8.8.8.8:9000.
I have a working NAT rule for clients local to the FW (Internal):
NAT rule: OrgSrc(Grp_Client) - OrgDst(8.8.8.8) - TranSrc(0.0.0.0 H)
For the new solution, I picked a free IP from an existing subnet on my FW (Internal), right or wrong I don't know.
NAT rule: OrgSrc(10.250.1.200) - OrgDst(192.168.1.100) - TranDst(8.8.8.8 S) - Not working
NAT rule: OrgSrc(10.250.1.200) - OrgDst(192.168.1.100) - TranSrc(0.0.0.0 H) - TranDst(8.8.8.8 S) - Not working
Proxy ARP is new to me; where do I make that configuration?
/Steen
The procedure for configuring manual proxy arp is here: https://support.checkpoint.com/results/sk/sk30197
Hi,
You think you know NAT, but every time you are surprised... :)
I read some other case you have answered; you said that if I use auto NAT on a host, the NAT ARP will also be automatic.
First, what is the right way to create a host in CP? Is it:
1. Address 8.8.8.8 and NAT 192.168.1.100 (Hide or Static?)
2. Address 192.168.1.100 and NAT 8.8.8.8 (Hide or Static?)
Also, is it right to pick an address from another subnet on the Internal FW that is already in use, if we say that:
8.8.8.8 is on eth1
192.168.1.100 is on eth2
10.250.1.200 arrives on eth3
I'm stuck, so any help is greatly appreciated.
/Steen
Your host object should be created in terms of the “real” IP (without NAT).
More specifically the real IP (8.8.8.8 in your example) will be the main object IP.
Proxy ARP is only needed when the translated IP (192.168.1.100 in your example) is on the same subnet as your gateway.
Otherwise you can use any unused subnet provided the gateway is the “default route” for the traffic.
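The rule in the reply above (proxy ARP only when the translated address sits inside a subnet directly connected to the gateway, a route otherwise) can be turned into a check you run against a manual NAT rule before installing policy. This is an added example, not code from the thread or from Check Point. It assumes the same invented interface plan as before (eth1 203.0.113.10/24, eth2 192.168.1.1/24, eth3 192.168.3.1/24, with the cluster IP modelled as the eth3 interface address), and the Gaia clish proxy ARP command it prints is written from memory and should be confirmed against sk30197.

```python
from ipaddress import ip_address, ip_interface
from typing import Optional

# Assumed interface plan for FW (Internal); the thread gives only the interface names,
# the addresses are invented for the example. The cluster IP is modelled as the
# interface address, so anything equal to it is already "owned" by the gateway.
IFACES = {"eth1": "203.0.113.10/24", "eth2": "192.168.1.1/24", "eth3": "192.168.3.1/24"}


def connected_interface(ifaces: dict, addr: str) -> Optional[str]:
    """Name of the directly connected interface whose subnet contains addr, else None."""
    for name, cidr in ifaces.items():
        if ip_address(addr) in ip_interface(cidr).network:
            return name
    return None


def addresses_gateway_must_attract(rule: dict) -> list:
    """Addresses in a manual NAT rule that the gateway has to receive packets for.

    - original-destination: the client sends to it, so the packets must land on the gateway
    - translated-source: the far end replies to it, unless it is "0.0.0.0 H" (egress interface IP)
    """
    wanted = []
    for key in ("original-destination", "translated-source"):
        val = rule.get(key)
        if val and val not in ("any", "0.0.0.0 H") and val not in wanted:
            wanted.append(val)
    return wanted


def reachability_plan(ifaces: dict, rule: dict) -> list:
    """For each address the gateway must attract, decide what makes traffic for it arrive:
    proxy ARP when it lies in a connected subnet, a route toward this gateway otherwise.
    Returns (address, kind, interface-or-None, action) tuples."""
    owned = {str(ip_interface(c).ip) for c in ifaces.values()}
    plan = []
    for addr in addresses_gateway_must_attract(rule):
        if addr in owned:
            continue                       # a real interface/cluster address needs nothing extra
        iface = connected_interface(ifaces, addr)
        if iface is None:
            plan.append((addr, "route", None, f"neighbours must route {addr} to this gateway"))
            continue
        real_ip = str(ip_interface(ifaces[iface]).ip)
        # Gaia clish form of a manual proxy ARP entry, written from memory; confirm against sk30197
        cmd = f"add arp proxy ipv4-address {addr} interface {iface} real-ipv4-address {real_ip}"
        plan.append((addr, "proxy-arp", iface, cmd))
    return plan


if __name__ == "__main__":
    candidates = {
        "borrowed 192.168.1.100": {"original-source": "10.250.1.200", "original-destination": "192.168.1.100",
                                    "translated-source": "0.0.0.0 H", "translated-destination": "8.8.8.8"},
        "accepted cluster-IP rule": {"original-source": "10.250.1.200", "original-destination": "192.168.3.1",
                                      "original-service": 9000, "translated-source": "0.0.0.0 H",
                                      "translated-destination": "8.8.8.8"},
        "unused subnet as source": {"original-source": "10.250.1.200", "original-destination": "any",
                                     "translated-source": "172.16.50.5"},
    }
    for label, rule in candidates.items():
        print(label, "->", reachability_plan(IFACES, rule) or "nothing extra needed")
```

Run on the three candidates from the thread, the borrowed 192.168.1.100 comes back as "proxy-arp on eth2", the accepted rule that targets the cluster IP comes back empty (the gateway already answers for its own address, which is one reason that variant needed no extra ARP work), and an address from an unused subnet comes back as "route", matching the two cases the reply distinguishes.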