Satto
Participant

Bridge an External IP

Hi,

 

I have a slightly complex problem in my big network; I'll try to be specific...

 

We have a client sitting on a modem in a private APN network; this then connects to a FW at our APN site using VPN before connecting on to our private FW (Check Point).

Client (10.250.1.200) -> Modem -> (APN -> VPN(192.168.0.0/16)) -> FW (APN) -> FW (Internal).

The problem: the client needs to access an external IP on the Internet, but the APN network doesn't have Internet access, so all requests just die/drop, so it needs to go through the VPN. The FW (Internal) has this Internet access, but I can't relay this traffic to that FW with the external IP, so I was thinking of using an internal IP, let's say 192.168.1.100. So the client will pretend to call 192.168.1.100 instead. I see the traffic all the way to the FW (Internal), but here is where the problem starts: how do I translate this 192.168.1.100 to the external IP and NAT the client IP with the FW (Internal) WAN IP? So I think we are talking about double NAT. I have tried everything, but I can't make it work.

 

So basically, my client (10.250.1.200) needs to talk to the external IP on port 9000; this needs to go through a modem, VPN, FW, FW and then out to the Internet.

I already have local clients on the FW (Internal) that access the external IP, so we can't mess up the external IP too much or it will not work locally anymore!

Anyone have a bright idea, or have I made this too complicated?

 

/Steen

0 Kudos
1 Solution

Accepted Solutions
Satto
Participant

Hi,

Nothing would work, so I tried something else, and now it is working fine.

I made a Host object with 8.8.8.8 and no NAT.

Then a NAT rule on the incoming FW (Internal) cluster interface instead of a virtual IP:

NAT rule OrgSrc(10.250.1.200) - OrgDst(FW Internal cluster IP) - OrgService(9000) - TranSrc(0.0.0.0 H) - TranDst(8.8.8.8 S)

So now it is running, many hours later :)

/Steen


0 Kudos
6 Replies
PhoneBoy
Admin

What specifically have you tried to do?
A standard NAT rule should work here, though it might need to be manual and include configuring proxy ARP for 192.168.1.100 on the internal FW.

0 Kudos
Satto
Participant

Hi,

 

Okay, let's say for fun I need to access 8.8.8.8:9000.

 

I have a working NAT rule for clients locally on the FW (Internal):

NAT rule: OrgSrc(Grp_Client) - OrgDst(8.8.8.8) - TranSrc(0.0.0.0 H)

For the new solution, I picked a free IP from an existing subnet on my FW (Internal); right or wrong, I don't know.

NAT rule OrgSrc(10.250.1.200) - OrgDst(192.168.1.100) - TranDst(8.8.8.8 S) - Not working

NAT rule OrgSrc(10.250.1.200) - OrgDst(192.168.1.100) - TranSrc(0.0.0.0 H) - TranDst(8.8.8.8 S) - Not working

 

Proxy ARP is new for me; where do I make that configuration?

 

/Steen

0 Kudos
PhoneBoy
Admin

The procedure for configuring manual proxy arp is here: https://support.checkpoint.com/results/sk/sk30197

Satto
Participant

Hi,

You think you know NAT, but every time you are surprised... :)

 

I read another case you answered, where you said that if I use auto NAT on a host, the NAT ARP will also be automatic.

First, what is the right way to create the host in CP? Is it:

1. Address 8.8.8.8 and NAT 192.168.1.100 (Hide or static?)

2. Address 192.168.1.100 and NAT 8.8.8.8 (Hide or static?)

Also, is it right to pick an address from another subnet on the Internal FW that is already in use, if we say that:

8.8.8.8 is on eth1

192.168.1.100 is on eth2

10.250.1.200 arrives on eth3

I'm stuck, so any help is greatly appreciated.

/Steen

0 Kudos
PhoneBoy
Admin

Your host object should be created in terms of the “real” IP (without NAT).
More specifically the real IP (8.8.8.8 in your example) will be the main object IP.
Proxy ARP is only needed when the translated IP (192.168.1.100 in your example) is on the same subnet as your gateway.
Otherwise you can use any unused subnet provided the gateway is the “default route” for the traffic.

0 Kudos
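To make the NAT discussion in this thread concrete, here is an added example (not code from the original post, and not Check Point's own implementation) that walks the rules Satto posted through a small first-match NAT model: the working local rule, the two attempts against 192.168.1.100, and the accepted solution that uses the cluster IP as the original destination. It also encodes PhoneBoy's rule of thumb that proxy ARP is only a question when the receiving address sits in one of the gateway's own subnets but is not a gateway address. The addresses 10.250.1.200, 192.168.1.100, 8.8.8.8, port 9000 and the eth1/eth2/eth3 layout come from the thread; the gateway's WAN address (203.0.113.10), its cluster IP (192.168.3.1), the exact interface subnets and the membership of Grp_Client are assumptions chosen to be consistent with it.

```python
"""First-match NAT model for the rules discussed in the thread.

Added example, not code from the original post or from Check Point.
'H' on the translated source means hide behind the gateway's outgoing
address; 'S' on the translated destination means a one-to-one rewrite.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

GW_EXTERNAL = "203.0.113.10"   # assumed WAN address of FW (Internal) on eth1
CLUSTER_IP = "192.168.3.1"     # assumed cluster IP on eth3, the interface facing the VPN
OWN_ADDRESSES = {GW_EXTERNAL, "192.168.1.1", CLUSTER_IP}   # assumed gateway addresses
CONNECTED = {                  # assumed directly connected subnets of FW (Internal)
    "eth1": ip_network("203.0.113.0/24"),
    "eth2": ip_network("192.168.1.0/24"),
    "eth3": ip_network("192.168.3.0/24"),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    name: str
    orig_src: str                 # host address or CIDR
    orig_dst: str
    orig_service: Optional[int]   # destination port, None = any service
    trans_src: Optional[str]      # "hide" = hide behind the gateway, None = unchanged
    trans_dst: Optional[str]      # static translated address, None = unchanged


def _in(addr: str, spec: str) -> bool:
    return ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: NatRule, pkt: Packet) -> bool:
    return (_in(pkt.src, rule.orig_src) and _in(pkt.dst, rule.orig_dst)
            and rule.orig_service in (None, pkt.dport))


def translate(rulebase, pkt):
    """Apply the first matching rule (manual NAT rules are evaluated top-down).
    Returns (rule name or None, translated packet)."""
    for rule in rulebase:
        if matches(rule, pkt):
            out = pkt
            if rule.trans_dst is not None:
                out = replace(out, dst=rule.trans_dst)
            if rule.trans_src == "hide":
                out = replace(out, src=GW_EXTERNAL)   # hide behind the outgoing interface
            return rule.name, out
    return None, pkt


def needs_proxy_arp(orig_dst: str) -> Optional[str]:
    """PhoneBoy's rule of thumb: if the address receiving the traffic lies in one of
    the gateway's own subnets but is not a gateway address, nobody answers ARP for
    it and the gateway must proxy-ARP it on that interface. Returns the interface
    name, or None when no proxy ARP is required."""
    if orig_dst in OWN_ADDRESSES:
        return None
    for ifname, net in CONNECTED.items():
        if ip_address(orig_dst) in net:
            return ifname
    return None


# The rules as posted in the thread (Grp_Client is assumed to be the eth2 subnet).
LOCAL = NatRule("local", "192.168.1.0/24", "8.8.8.8", None, "hide", None)
ATTEMPT_DST_ONLY = NatRule("attempt-dst-only", "10.250.1.200", "192.168.1.100", None, None, "8.8.8.8")
ATTEMPT_BOTH = NatRule("attempt-both", "10.250.1.200", "192.168.1.100", None, "hide", "8.8.8.8")
FINAL = NatRule("final", "10.250.1.200", CLUSTER_IP, 9000, "hide", "8.8.8.8")

RULEBASE = [LOCAL, FINAL]   # what the accepted solution ends up with


def demo():
    results = {}
    # Remote client hitting the cluster IP on 9000: double NAT to GW_EXTERNAL -> 8.8.8.8.
    results["client"] = translate(RULEBASE, Packet("10.250.1.200", CLUSTER_IP, 9000))
    # Local client behind the same gateway keeps working through the old rule.
    results["local"] = translate(RULEBASE, Packet("192.168.1.50", "8.8.8.8", 9000))
    # Same remote client on another port to the cluster IP is left alone.
    results["other_port"] = translate(RULEBASE, Packet("10.250.1.200", CLUSTER_IP, 443))
    # The first attempt rewrote only the destination: the packet leaves with an
    # RFC 1918 source, so no Internet host can route a reply back to it.
    results["dst_only"] = translate([ATTEMPT_DST_ONLY], Packet("10.250.1.200", "192.168.1.100", 9000))
    # The second attempt yields the same translated packet as the final rule; what
    # differs is only which address receives the traffic (see needs_proxy_arp).
    results["both"] = translate([ATTEMPT_BOTH], Packet("10.250.1.200", "192.168.1.100", 9000))
    results["arp_virtual"] = needs_proxy_arp("192.168.1.100")
    results["arp_cluster"] = needs_proxy_arp(CLUSTER_IP)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:12} {value}")
```

The model only shows the forward translation; a real gateway also keeps a connection table so that replies to the hidden source are mapped back to 10.250.1.200, which is exactly what the destination-only attempt cannot get because its packets leave with a private source. The thread does not say why the 192.168.1.100 variant failed in practice; the `needs_proxy_arp` check merely flags the one difference between it and the working rule, namely that the cluster IP is an address the gateway already owns.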
