This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
KandarpDesai
Contributor
‎2019-04-19 12:08 PM
Jump to solution

Port forwarding to internal IP connected to other firewall.

Hi Guys,

I need help with one scenario but it isn't working somehow. I want to make a rule to port forward a public IP to internal server. The issue is the internal server is connected to Lan zone of another firewall. Checkpoint and the other firewall are connected. (Checkpoint is the perimeter firewall and other one is internal firewall)

Comnection is as follows:
Checkpoint External interfc:Public IP
Checkpoint Internal interfce: 10.10.10.1
Other firewall External interfce:10.10.10.2
Other firewall internal intrfce:192.168.1.1

I want to Port forward from public IP to the 192.168.1.1. The only manual nat rule in Checkpoint is as follows
Og source:Any
Og destin:Public IP
Og service:Any
Trans source: Og
Trans destn: 10.10.10.2
Trans service:Any

On the other firewall rule there is a Port forward from 10.10.10.2 to 192.168.1.1

Am i missing something here. Should this work idealy?

0 Kudos
2 Solutions

Accepted Solutions
Maarten_Sjouw
Champion
Champion
‎2019-04-19 01:35 PM
Jump to solution

Ideally you would only NAT once, add a route for the 192.168.1.0 network to 10.10.10.2 and doe th nat on the external FW to 192.168.1.1

That being said, when you forward something to the internal IP of the other FW, this will probably not really work well as it might respond with it's external IP.
Regards, Maarten

View solution in original post

PhoneBoy
Admin
Admin
‎2019-04-20 04:34 AM
Jump to solution

Why are you creating the NAT to forward to the other firewall?
Shouldn't the NAT forward the traffic to the actual IP of the server?
In which case, you need to make sure the Check Point gateways knows how to reach that IP, which would be done with routes.
Further, the internal firewall would have to be configured to allow this traffic and there would have to be routes to allow the traffic in the reverse direction.

View solution in original post

4 Replies
KandarpDesai
Contributor
‎2019-04-19 12:47 PM
Jump to solution

Just some more info: We are able to access the 192.168.1.0/ network from CP and vice versa.
Also 192.168.1.0/ is able to access internet through CP gateway.

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-04-19 01:35 PM
Jump to solution

Ideally you would only NAT once, add a route for the 192.168.1.0 network to 10.10.10.2 and doe th nat on the external FW to 192.168.1.1

That being said, when you forward something to the internal IP of the other FW, this will probably not really work well as it might respond with it's external IP.
Regards, Maarten
KandarpDesai
Contributor
‎2019-04-19 10:16 PM
In response to Maarten_Sjouw
Jump to solution

Hi,

I tried this but no luck yet.

0 Kudos
PhoneBoy
Admin
Admin
‎2019-04-20 04:34 AM
Jump to solution

Why are you creating the NAT to forward to the other firewall?
Shouldn't the NAT forward the traffic to the actual IP of the server?
In which case, you need to make sure the Check Point gateways knows how to reach that IP, which would be done with routes.
Further, the internal firewall would have to be configured to allow this traffic and there would have to be routes to allow the traffic in the reverse direction.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events