Change to Existing NAT Configuration

We have what I would consider to be a fairly standard firewall configuration. We have a firewall that connects to a vendor. The firewall is a 3200 running R80.10. The inside address of the firewall is 10.1.1.1/24 (for example) and the outside IP address of the firewall is 10.34.1.1/28 (again, for example) and leads to the vendor's router interface (10.34.1.2). We NAT traffic from an internal host (10.1.1.8) to a host that's accessed via the firewall (192.168.1.1, for example). It's an automatic NAT configuration, with the NAT being configured in the firewall object. The NAT for that object is 10.34.1.10.

The vendor needs to replace their routers and, in doing so, they want to change the IP addresses of the interfaces that lead to us. They want to change the 10.34.1.X subnet to a 10.35.1.X/24 subnet, but they want to keep the NAT configuration the same. They want us to continue to NAT the 10.1.1.8 host to the 10.34.1.10 address and send it through the firewall to the 10.35.1.X interface. Because of ARP issues, I'm not certain how we would NAT to a subnet that doesn't exist on the firewall. We do that with Cisco ASAs when configuring a VPN connection, but that's completely and totally virtual, so ARP doesn't necessarily come into play.

To hopefully make this a bit clearer, here's an ASCII render of what we're being asked to do:

Current

Server (10.1.1.8) -> (FW inside - 10.1.1.1) - (NAT source address to 10.34.1.10) - (FW outside - 10.34.1.1) -> Vendor Router (10.34.1.2)

Requested

Server (10.1.1.8) -> (FW inside - 10.1.1.1) - (NAT source address to 10.34.1.10) - (FW outside - 10.35.1.1) -> Vendor Router (10.35.1.2)

With the source IP addresses being NATed from an IP address that isn't on the interface talking to the vendor's router, how would we configure the NAT? Would we just leave it as automatic and change the IP addresses of the outside interface of the firewall (changing the static route to the vendor's host at the same time)?

Thanks!

2 Replies

PhoneBoy
Admin

Your diagram makes it look like there are TWO firewalls here.
If there is only one firewall, then there is nothing you need to do short of making sure the vendor router sends 10.34.1.10 to your gateway.
That assumes you haven't disabled "translate destination on client side" in the Global Properties.
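The point in PhoneBoy's reply, that a translated address outside every connected subnet cannot be resolved by ARP and so must be routed to the gateway by the vendor router, as an added Python check that is not part of the thread; the addresses are the example values from the post, and the function names and the dictionary layout are my own:

```python
import ipaddress

# Constructed from the example addresses in the post: the gateway's interfaces
# before and after the vendor's renumbering, the translated (NAT) source address
# that is to stay the same, and the vendor router's new interface address.
INTERFACES_CURRENT = {"inside": "10.1.1.1/24", "outside": "10.34.1.1/28"}
INTERFACES_REQUESTED = {"inside": "10.1.1.1/24", "outside": "10.35.1.1/24"}
NAT_ADDRESS = "10.34.1.10"
VENDOR_NEXT_HOP_REQUESTED = "10.35.1.2"


def connected_interface(ip, interfaces):
    """Return the name of the interface whose subnet contains ip, or None if no
    directly connected subnet covers it."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in interfaces.items():
        if addr in ipaddress.ip_interface(cidr).network:
            return name
    return None


def return_path_requirement(nat_ip, interfaces, peer_next_hop):
    """Work out how replies to the translated address get back to the gateway.

    arp        : the NAT address sits in a connected subnet, so the peer router
                 ARPs for it on the shared segment and the gateway must answer
                 (Check Point's automatic NAT publishes that ARP entry by default).
    route      : no interface carries that subnet, so ARP can never resolve it;
                 the peer router needs a route for the NAT address whose next hop
                 is the gateway's own address on the segment they share.
    unreachable: the peer's address is not on any connected subnet either, so
                 the gateway's static route toward the vendor would not install.
    """
    ifname = connected_interface(nat_ip, interfaces)
    if ifname is not None:
        return {"mode": "arp", "interface": ifname}
    peer_if = connected_interface(peer_next_hop, interfaces)
    if peer_if is None:
        return {"mode": "unreachable", "interface": None}
    gateway_ip = str(ipaddress.ip_interface(interfaces[peer_if]).ip)
    return {"mode": "route", "interface": peer_if,
            "prefix": f"{nat_ip}/32", "via": gateway_ip}


if __name__ == "__main__":
    print("current  :", return_path_requirement(NAT_ADDRESS, INTERFACES_CURRENT, "10.34.1.2"))
    print("requested:", return_path_requirement(NAT_ADDRESS, INTERFACES_REQUESTED, VENDOR_NEXT_HOP_REQUESTED))
```

For the requested layout the check reports that the vendor needs a route for 10.34.1.10/32 via 10.35.1.1, which is exactly the "send 10.34.1.10 to your gateway" condition in the reply.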
TerryRodecker
Explorer

Sorry, I should have put the word "interface" in there to make it clearer. It's a single firewall with an inside and an outside interface.

I appreciate the info. We've got a ticket open with Check Point but haven't heard anything back, so I thought I'd delve into the forums for some assistance. In the environments we're used to, the NAT has to take place on an interface with that IP address on it, even if it's a secondary IP address, so that ARP is satisfied. The only instance we've worked on where it didn't need to be done that way was on a site-to-site VPN with Cisco ASAs. Since the VPN connection itself is virtual (and doesn't need ARP), we could NAT the traffic after it hit the ASA but before it entered the tunnel, and not have any issues.
