When organizations merge, there are often requirements for connecting the networks of the different businesses when they still have overlapping RFC1918 IP space. Is there a way on a single Check Point firewall/cluster to provide the NAT for both directions between organizations when the address space overlaps?
Take for example:
SiteA/Server 1 = 10.1.1.1 static NAT to 172.16.1.1
SiteB/Server 1 = 10.1.1.1 static NAT to 172.17.1.1
Assumptions:
Can a single firewall handle the NATs in both directions if SiteA/Server1 had to communicate with SiteB/Server 1?
In theory, A1 would send a request from 10.1.1.1 -> 172.17.1.1. The FW would NAT the source to 172.16.1.1 and the destination to 10.1.1.1. B1 would receive the packet and reply 10.1.1.1 -> 172.16.1.1. The FW would NAT the source to 172.17.1.1 and the destination to 10.1.1.1.
I realize this would cause trouble for Anti-spoofing, but would it work? Are the manual NAT rules flexible enough to handle this scenario? Is the real killer going to be routing, since the 10.1.1.x network exists on both sides? If only the FW could NAT/route based on traffic direction and/or interface zone.
Thanks for mulling this over with me.
You answered yourself - can you really have routing to 10.1.1.1 on "both" sides? Not really. You would need two routers/firewalls with an intermediate network that can hide two identical networks to allow this. We have it deployed between a lab that fully replicates production and real production.
In a nutshell, you can't really send the same IP address in two different directions.
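A constructed Python model of the two-way static NAT laid out in the question and of the routing problem this reply points to (added here; it is not a Check Point configuration and not code anyone in the thread posted). The NAT rules and addresses are the ones from the question; the single routing table and the "zone-aware" variant are assumptions used to show where a plain lookup breaks.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the twice-NAT proposed in the thread (not a Check Point
# configuration). The two static NAT rules and addresses are the ones given above.
STATIC_NAT = {  # (real address, site) -> translated address
    ("10.1.1.1", "SiteA"): "172.16.1.1",
    ("10.1.1.1", "SiteB"): "172.17.1.1",
}
UNTRANSLATE = {v: k for k, v in STATIC_NAT.items()}  # translated -> (real, site)

# Assumed single routing table on the one firewall; both sites hold 10.1.1.0/24.
ROUTES = [("10.1.1.0/24", "SiteA"), ("10.1.1.0/24", "SiteB"),
          ("172.16.1.0/24", "SiteA"), ("172.17.1.0/24", "SiteB")]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str  # site whose interface the packet arrived on

def twice_nat(pkt: Packet) -> Packet:
    """Flow from the question: hide the sender behind its translated address
    and rewrite the translated destination to the real server address."""
    real_dst, _ = UNTRANSLATE[pkt.dst]
    return Packet(STATIC_NAT[(pkt.src, pkt.ingress)], real_dst, pkt.ingress)

def route_lookup(dst: str) -> list[str]:
    """Plain longest-prefix lookup; returns every equally specific next hop."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(n), site) for n, site in ROUTES
            if addr in ipaddress.ip_network(n)]
    best = max(net.prefixlen for net, _ in hits)
    return [site for net, site in hits if net.prefixlen == best]

def forward(pkt: Packet) -> tuple[Packet, list[str]]:
    """NAT first, then pick egress from the routing table alone: the post-NAT
    destination 10.1.1.1 matches routes toward both sites, so it is ambiguous."""
    out = twice_nat(pkt)
    return out, route_lookup(out.dst)

def forward_zone_aware(pkt: Packet) -> tuple[Packet, list[str]]:
    """What the question wishes for: egress decided by which site owned the
    translated destination, not by the post-NAT real address (assumed behaviour)."""
    _, dst_site = UNTRANSLATE[pkt.dst]
    return twice_nat(pkt), [dst_site]

if __name__ == "__main__":
    # A1 -> B1 as in the post: the NAT rewrite works, routing yields two candidates
    print(forward(Packet("10.1.1.1", "172.17.1.1", "SiteA")))
```

Running `forward()` on the reply from B1 (10.1.1.1 -> 172.16.1.1, arriving from SiteB) shows the same pattern: the translation matches the question's description, but the real destination again matches both routes.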
Thanks for clarifying what I was already thinking. My brain started going down this road after reading this document that shows how this can be done on a Cisco router (See the second example that does NOT use DNS, but static NATs). I was hoping we may be able to get away with doing something similar on the Checkpoint.
Indeed, we have implemented this Cisco solution in our network too, where the Cisco router adjusts DNS replies. It really depends on requirements and expected volumes of overlap. There are some tricks you could do, but all depends on actual requirements. Cisco is certainly a step ahead here.
In these types of cases you could think outside the box and set up a VS on the same FW. The problem here is that you will need to rebuild the gateway/cluster, but it will give you the advantage that you will have 2 gateways, each to handle a side of the network. The appliance license comes with a license for 1 VS by default.
We did this lately for a customer that has a cluster where we needed to split the traffic from internal, with only IPS checks, and external, with all NGTP checks. We achieved it by running the VS as the internal gateway on GW2 and the actual GW1 as the external gateway, giving it a load sharing option at the same time.
In your case you could set it up so the connection between the actual GW and the VS is used to communicate with the 172 addresses only, so NAT is done on the side of the conflicting network.
The only issue with 2 gateways (we have that for a lab environment connecting back to prod with the same IPs) is that you won't be able to use the same DNS; it will be a fairly static environment. I somewhat like the Cisco DNS reply adjustments better.
Phil we are trying to solve this same issue. Have you looked at this link?
Are you aware of the fact that all these posts are from almost 4 years ago?