This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
dkurochkin
Participant
‎2021-03-03 01:09 PM

Natting IP address for not DC network

check_56_58.pnghello

Need natting at fw-1 some hosts which is in aubnet connected to fw-2

we have ClusterXL 5800 gw and some direct connection networks for him and NAT realized here

so
we have ClusterXL 5600 gw and want to realized NAT here for all networks behind clusterXL 5800 (do it for more secure ;0)

 

cXL 5800 conected with cXL 5600 by 172.19.19.0/29 network

and cXL 5600 have route to networks behind clusterXL 5800

when, for example, at 5600 ping 10.150.50.10 - success, when ping hpe.com - success
thus 5600 have conncect for internal and external networks


# 10.150.50.10 -> 193.100.200.74 (web server)

so
do auto NAT 10.150.50.10 -> 193.100.200.74 for cXL 5800 (only) - and check it

All ok, its works

so
do auto NAT 10.150.50.10 -> 193.100.200.74 for cXL 5600 (only) - and check it

when I try to connect 193.100.200.74 (web server) at external - not worked, not connect. I saw by logs,(by SMS) how NAT rule worked at cXL 5600, but to ended destination didnt get it

 

how to do it ?
how to get autoNat for 5600 and get answer for 193.100.200.74 (web server) ?

thx

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2021-03-05 05:22 PM

The only thing that's clear is that you have a subnet (10.150.50.0/24) behind a 5800.
From your 5800, there is a line that forks in two directions:

  • A line that goes to the 5600 (presumably the 172.19.19/0 subnet)
  • A line that goes straight to the "noname border gateway."

What is the precise connectivity here?
Is this a single interface with two IPs (only way this can logically work)?
Is this two different interfaces?
Are the 5600, 5800, and the noname border gateway actually connected to the same physical switch and on the same logical network?
Please clarify this situation.

If only your 5600 is on the same subnet as the noname border gateway then it must ultimately do the NAT between private and public address space.
The 5800 cannot do that in this case.

0 Kudos
dkurochkin
Participant
‎2021-03-08 09:45 AM
In response to PhoneBoy

I'm so sorry gor my bad draw

of course 5800 have more than 1 interface

for example, bond1.3070 - for 5600, and bond1.3089 for noname router


how it work now:
internal network by 5800, natting by 5800 and go to internet by 5800 trough noname border router

 

what i want:
internal network by 5800, natting by 5600 and go to internet by 5600 trough noname border router, at 5800 remove interface bond1.3089 for noname router

0 Kudos
PhoneBoy
Admin
Admin
‎2021-03-08 11:16 AM
In response to dkurochkin

I don’t see why that wouldn’t work provided you:

  • Change the default route on the 5800 to point to the 5600.
  • Actually remove the VLAN (not just disable it) for the no name router from the 5800.
  • Configure NAT only on the 5600, not the 5800.

If it’s not working, I’d run tcpdump on the 5800 and 5600 to see that the traffic is being routed out the correct interface and the NAT is happening at the right place.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events