Hi,

The ISP route to the CGNAT IP on the customer side a /29 Public Network with Internet access. I'm able to NAT traffic transversing my Cluster behind those IPs, but I'm not able to NAT self generated traffic on my gateways, since the VIP of the external interface is the CGNAT IP on customer side. I feel that I'm stuck with the sh**ty router. 

I hear ya, sorry brother...its sadly catch 22 situation.

Andy

Great idea @AkosBakos 

Thanks, this (proxy) saved my life last time 🙂

Hi, 

That have crossed my mind. However, one of the purposes for this new cluster is to remove from the network an old machine running an old version of Squid. I kinda feel a little bit stupid asking the customer to keep the Squid so the Firewalls can have Internet to keep the services up to date and to connect to the Smart-1 Cloud. 

This is really a catch 22. Install a Cloudguard GW for proxy 🙂

Well, I think whole issue here is how to get an actual IP that can connect to an external world...

Yep, that is the issue.

Regards

Since Im not even 5% genius compared to @AkosBakos and @PhoneBoy , lets see if they have any other ideas. Im just giving my suggestions based on what you are providing here. To me, again, just based on pure logic, unless there is a way to get NAT working to get the routable IP, not sure what else can be done...

Andy

Yup, that's it. I'm also out of ideas now. 🙂

Regards

Dont lose hope, Im hopeful someone will have a "light bulb moment" 🙂

Andy

Hi,

When we use the router in place we use a network(192.168.255.0/24) dedicated to connect the router to the Firewalls. The router is the 192.168.255.1 and we have the .251 on FW1, .252 on FW2 and the .254 on the Custer IP VIP.

When we don't have the router, we need to use the CGNAT network to connect to the ISP, which is a /30 network. So, we use a "dummy" network for the physical IPs on the gateways and the IP on the CGNAT network as the Cluster IP, with the proper link local route to have connectivity with the ISP.

And yes, the router is doing NAT when it is in place. The problem is that the CGNAT network does not have Internet, so when we configure that network directly on the Cluster, the Firewalls don't have access to the Internet, since all the traffic generated by the gateways are NATed behind the Cluster IP of the External Interface.

Kind regards

I assume the /30 is on the far side of the router.
That means you only have one valid IP address (assuming the other end is your ISP Default Route).
That means you need to need to use that other IP for your Cluster IP using something like: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_ClusterXL_AdminGuide/Content... 

Note that only the active cluster member will be able to reach the Internet directly with this configuration.

Hi,

Sorry, maybe I was not clear. I'm aware of the feature "Cluster IP Addresses on Different Subnets", in fact I've used to configure the /30 on my side. The problem is that the /30 CGNAT network don't have access to the Internet. So, the cluster IP don't have access to the Internet. And that is my issue. The ISP routes a /29 public network to the customer side through the /30, but as far as I know, I cannot NAT the self generated traffic behind that routed network. 

Regards

> but as far as I know, I cannot NAT the self generated traffic behind that routed network. 

Actually you can but cluster hide/fold which is enabled by default will interfere with your attempts to do so with a rule 0 NAT that takes precedence: sk34180: Outgoing connections from cluster members are sent with cluster Virtual IP address instead ...

So you'll need to disable cluster hide/fold.  This will cause the two members to use their dedicated/fixed CGNAT addresses to initiate connections to the Internet.  Now you need to add two manual NAT rules at the top like this, making sure that ExternalZone is properly associated with the outside interface:

CGNAT Member 1 Ext CGNAT IP        ExternalZone    Original       /29_Addr_1 (Hide)     Original     Original     Member1

CGNAT Member 2 Ext CGNAT IP        ExternalZone    Original       /29_Addr_2 (Hide)     Original     Original     Member2

It is possible to NAT firewall-initiated traffic because source NAT happens on the server side between o and O.  It is not possible to NAT the destination IP of firewall-initiated traffic as that happens on client side between i and I.  You might be able to get away with using a single /29 Internet-routable address for both members as the hide but try using two separate ones first.

Hi Timothy,

I had a kind of supect that something like that was possible to do. It's Check Point, so everything is possible :D. And it seems at least a possibility to proceed.

I just have a little problem scratching my head with that solution. My Management is a Smart-1 Cloud. So, when I make those changes and push the policy to the gateway. Don't you think that I can have a little problem in the middle of the Installation. Do you think that the install will go until de end? Or it will fail because somewhere it that install it will loose access to the Internet?

Kind Regards.

In the case of Smart-1 Cloud those two NATs should probably static rather than hide so the Smart-1 Cloud can initiate to the gateways.  But yes, you may run into a situation where these NATs will interfere with management coming in from the Internet as opposed to the inside when you first install policy.  If the traffic is dropped inappropriately by your policy a fw unloadlocal will not help since that will kill the NATting you are relying on too.  Also control connections between the SMS and gateways sometimes seem to have their own rule 0 NATs that may interfere as well.  Sounds like you need to schedule a nice long maintenance window to give it a shot and see what happens.

Hi,

Yep, I will need to check and see. It will be one of those situations that I will only know if it works, if it works when I try.  I will need to propose that to my customer and see what happens.

Anyway, many thanks for your input with the cluster hide/fold tip. I will try and let everyone knows the answer.

Kind regards.