When organizations merge, there are often requirements for connecting the networks of the different businesses when they still have overlapping RFC1918 IP space. Is there a way on a single Check Point firewall/cluster to provide the NAT for both directions between organizations when the address space overlaps?
Take for example:
SiteA/Server 1 = 10.1.1.1 static NAT to 172.16.1.1
SiteB/Server 1 = 10.1.1.1 static NAT to 172.17.1.1
Assumptions:
- All servers at SiteA are statically source NAT'd to something in 172.16.1.0/24
- All servers at SiteB are statically source NAT'd to something in 172.17.1.0/24
Can a single firewall handle the NATs in both directions if SiteA/Server1 had to communicate with SiteB/Server 1?
In theory, A1 would send a request from 10.1.1.1 -> 172.17.1.1. The FW would NAT the source to 172.16.1.1 and the destination to 10.1.1.1. B1 would receive the packet and reply 10.1.1.1 -> 172.16.1.1. The FW would NAT the source to 172.17.1.1 and the destination to 10.1.1.1.
I realize this would cause trouble for Anti-spoofing, but would it work?. Are the manual NAT rules flexible enough to handle this scenario? Is the real killer going to be routing since the 10.1.1.x network exists on both sides? If only the FW could NAT/route based on traffic direction and/or interface zone.
Thanks for mulling this over with me.