Mitesh
Participant

Routing Issue

Hi Team,

We are facing a routing issue and need your suggestion.

In our environment we are running two CP clusters, a 9100 and a 3800. Cluster 9100 is used for Internet traffic and Cluster 3800 is used for IPSec tunnel traffic. Both clusters' gateway interfaces are directly connected to the DMZ switch.

In the DMZ, the servers' existing gateway IP is 192.168.1.1, which is configured on Cluster 9100.

How can Remote Office network traffic, which comes in via the IPSec tunnel, access the DMZ servers?

What kind of (routing) configuration do we need to perform?

Architecture diagram attached.

7 Replies
Chris_Atkinson
MVP Platinum CHKP

You may need to look at performing NAT rather than routing depending on the different traffic flows that need to work.

CCSM R77/R80/ELITE
Martijn
Advisor

Hi,

You have two options.

Configure a static route on the DMZ servers to 192.168.10.0/24 via 192.168.1.6.

Or as @Chris_Atkinson mentions, configure a NAT rule on the 3800 cluster to hide source 192.168.10.0/24 behind 192.168.1.6.
This NAT only works for traffic initiated from 192.168.10.0/24. If the DMZ servers initiate traffic to 192.168.10.0/24, you need static destination NAT.

Martijn

Mitesh
Participant

@Martijn 

If the DMZ servers initiate the traffic, then the traffic will be forwarded to the 9100 cluster, because the 9100 cluster IP is configured as the gateway IP on the DMZ servers.

In this case, what configuration do we need to perform on the 9100 cluster and the 3800 cluster?

emmap
MVP Gold CHKP

The routing change needs to happen at the servers. Alternatively, remove the link to the 3800 cluster from the server LAN and instead connect it to the 9100s on another subnet, so that everything routes via the 9100s.

Martijn
Advisor

If the DMZ servers need to initiate traffic to 192.168.10.0/24, the simple solution is to add a static route on the DMZ servers. This will route the traffic to 192.168.10.0/24 via the 3800 cluster and the internet traffic to the 9100 cluster. This requires no changes on the 9100 or 3800 cluster.

If changing the route on the DMZ servers is not an option or not possible, the solution @emmap suggests is a good one. But this requires changes on the 9100 and 3800 cluster in terms of routes and interfaces.

You could go with static (one-on-one) NAT on the 3800 cluster if only a few IP-addresses in the 192.168.10.0/24 subnet should be reached by the DMZ servers. For example:

The DMZ servers need to connect to 192.168.10.10 on the remote location. You can create a NAT rule on the 3800 where destination 192.168.1.10 is NAT-ed to 192.168.10.10. You have to do this for every IP in 192.168.10.0/24 that the servers need to connect to (if they initiate the traffic).

This makes it more complex. You need to take care of proxy ARP and it also depends on the application on the server. If the application is programmed to connect to a 192.168.10.x IP, this needs to be changed to a 192.168.1.x IP.

So the most simple option is to add that static route on the DMZ servers.

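The following is an added example, not code from the thread or from Check Point: a small longest-prefix-match model of one DMZ server's routing table that walks through the three options Martijn describes in his two replies above (static route on the servers, hide NAT on the 3800, and one-to-one static NAT for server-initiated traffic). The addresses are the ones used in the thread; the single static NAT entry 192.168.1.10 -> 192.168.10.10 is the example from Martijn's post and is assumed here, not taken from any real configuration. The point the model makes visible is the asymmetry: with only the default route, a request that arrives through the 3800 gets its reply sent to the 9100, a stateful gateway that never saw the request and will typically drop the reply as out of state, so the tunnel appears to work in one direction only.

```python
import ipaddress

# Addresses from the thread (constructed example values, not real infrastructure):
# DMZ LAN 192.168.1.0/24 with the 9100 cluster at 192.168.1.1 (the servers'
# default gateway) and the 3800 cluster at 192.168.1.6; remote office LAN
# 192.168.10.0/24 reached only through the IPsec tunnel on the 3800.
GW_9100 = "192.168.1.1"
GW_3800 = "192.168.1.6"
REMOTE_LAN = "192.168.10.0/24"

# Assumed one-to-one NAT entries on the 3800 (Martijn's third option): the
# server dials the 192.168.1.x address, the 3800 translates it to the remote
# host and answers ARP for it on the DMZ segment (proxy ARP).
STATIC_NAT = {"192.168.1.10": "192.168.10.10"}


class RouteTable:
    """Longest-prefix-match forwarding table of one DMZ server."""

    def __init__(self):
        self.routes = []  # (IPv4Network, next-hop string or None for on-link)

    def add(self, prefix, via=None):
        self.routes.append((ipaddress.ip_network(prefix), via))

    def next_hop(self, dst):
        dst = ipaddress.ip_address(dst)
        matches = [(net, via) for net, via in self.routes if dst in net]
        if not matches:
            raise LookupError(f"no route to {dst}")
        net, via = max(matches, key=lambda m: m[0].prefixlen)
        return "on-link" if via is None else via


def dmz_server_table(static_route=False):
    """The servers' table as described in the thread, optionally with the
    static route from Martijn's first option added."""
    t = RouteTable()
    t.add("192.168.1.0/24")             # connected DMZ segment
    t.add("0.0.0.0/0", via=GW_9100)     # default route: everything else to the 9100
    if static_route:
        t.add(REMOTE_LAN, via=GW_3800)  # remote office via the 3800 (IPsec) cluster
    return t


def goes_through_3800(hop, dst):
    """True if a packet to `dst` reaches the 3800: either routed to it as the
    next hop, or delivered on-link to an address the 3800 owns or proxy-ARPs for."""
    return hop == GW_3800 or (hop == "on-link" and dst in (GW_3800, *STATIC_NAT))


def reply_path(table, src_seen_by_server):
    """Where the server sends the reply to a tunnel-originated request whose
    source address (after any NAT on the 3800) is `src_seen_by_server`."""
    hop = table.next_hop(src_seen_by_server)
    return hop, goes_through_3800(hop, src_seen_by_server)


def remote_initiated_cases(remote_host="192.168.10.50"):
    """Remote office host opens a connection to a DMZ server through the tunnel."""
    return {
        # Request came in through the 3800 but the reply follows the default
        # route to the 9100, which never saw the request: asymmetric path.
        "no_change": reply_path(dmz_server_table(), remote_host),
        # Static route on the server: the reply returns through the 3800.
        "static_route": reply_path(dmz_server_table(static_route=True), remote_host),
        # Hide NAT on the 3800: the server sees 192.168.1.6 as the source, on-link.
        "hide_nat": reply_path(dmz_server_table(), GW_3800),
    }


def server_initiated(dial, static_route=False):
    """A DMZ server opens a connection to `dial`. Returns the next hop, the
    real remote host reached after any static NAT, and whether the path
    actually goes through the 3800 (the only cluster with the tunnel)."""
    hop = dmz_server_table(static_route).next_hop(dial)
    return hop, STATIC_NAT.get(dial, dial), goes_through_3800(hop, dial)


if __name__ == "__main__":
    for name, (hop, ok) in remote_initiated_cases().items():
        print(f"remote-initiated, {name:12}: reply via {hop:12} symmetric={ok}")
    for dial, sr in (("192.168.10.10", False), ("192.168.10.10", True), ("192.168.1.10", False)):
        print(f"server-initiated to {dial} static_route={sr}: {server_initiated(dial, sr)}")
```

The static-route option corresponds to `ip route add 192.168.10.0/24 via 192.168.1.6` on a Linux server (make it persistent in the distribution's network configuration, since `ip route` alone does not survive a reboot) or `route -p add 192.168.10.0 mask 255.255.255.0 192.168.1.6` on Windows. As the model shows, hide NAT alone fixes only the remote-initiated direction; a server that dials a 192.168.10.x address still sends it to the 9100 unless it has the route or is given a 192.168.1.x address that the 3800 proxy-ARPs for.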
Mitesh
Participant

Thanks @Martijn, we have put the solution in front of management and are waiting for their approval.

the_rock
MVP Platinum

I totally agree with the guys, those suggestions make perfect sense.

Best,
Andy