How to add two IP in one interface
Hi everybody,
I have had a problem for the last 3 weeks that I cannot resolve. I want to configure a NAT rule to redirect all IPSec traffic from an external device to my internal device (it is not a CP device).
The problem is that I have configured a NAT rule and PING packets arrive correctly at the internal device (the NAT configuration works). When IPSec is sent instead of PING traffic, the CheckPoint device does not redirect the packets (but I can see them arriving at the CP device). So it seems CheckPoint catches all IPSec traffic.
Is it possible to redirect IPSec traffic in a CP device? How can I do that? I have an r80.10 in ClusterXL (I think IP aliases are not allowed in ClusterXL..).
Thanks beforehand,
Mike.
Hi Mike,
Why don't you use NAT traversal?
Even if you successfully manage to NAT the traffic to the "inside" VPN device, without NAT traversal I think you will have issues because of the phase 1 ID mismatch.
Regards,
Bence
Hi Bence,
first of all, thanks for your answer. The internal device is a FortiGate device and I have the NAT Traversal option marked (I see UDP packets).
Regards,
Mike.
I would let TAC resolve this, looks like too many unknowns are involved here.
Yes, I have a ticket opened with CheckPoint, but in these last three weeks they haven't given me any solution. Maybe some user knows something..
I beg your pardon, but I cannot imagine that, with so little information given, anyone could provide help 😞
I think you don't need extra information to answer this: How to configure NAT rule to redirect IPSec traffic in r80.10. ClusterXL.
Configure an unused static NAT using a different external IP than physical IP addresses of cluster nodes or cluster IP. Then the CP should not catch the IKE/IPSec traffic.
Hi Vincent,
thanks for your answer. I think this is the right solution, but how can I use a different external IP? I mean, the rest of the IPs of the IP pool don't respond, and IP aliasing (adding multiple IPs to the same interface) is not allowed in ClusterXL.
Thanks,
Mike.
This is the right place to use Proxy ARP on the external interface.
Hi Miguel,
not an IP which is configured on an interface, just a "normal" IP used in a network object for static NAT.
And if needed, proxy ARP in Gaia.
best regards
Vincent
Hi Vincent,
thanks for your answer. I tried it but it didn't work. Currently my ClusterXL has 3 IP addresses: one for the VIP and two for the cluster members. The CP device only replies to traffic whose destination is one of these three IP addresses, so I have to configure the CP to attend to another public IP too.
Thanks,
Mike.
Hi Miguel,
If I understand correctly you have a device behind your FW that you want to terminate IPsec.
a) Your FW external interface needs to get the request destined for the device behind it (another IP address, i.e. IP2).
b) As suggested by Vincent, by configuring proxy ARP your FW will pick up those requests for IP2.
c) Create an object for this external IP (IP2).
d) Create a rule destined for this external IP (IP2) to allow IPsec traffic.
e) On the object of your internal device (Fortigate), under NAT create a Static NAT with the IP of the external interface (IP2).
Thanks,
Charris Lappas
OK, my explanation was a bit short, sorry.
Hi Charris,
first of all, thanks for your answer. I think proxy ARP is not needed in my environment because traffic will be dispatched to the public IP of my CheckPoint. The internal device has only private addresses.
I have to configure the CP to attend to another public IP because the device doesn't redirect IPSec traffic if it is dispatched to the current IPs.
Hello Miguel,
maybe you misunderstood me and Charris.
Regarding proxy ARP:
When a packet arrives at your next hop (your Internet router), the router first sends an ARP request out of the interface which it chooses by its routing table. This ARP request, asking for the MAC address of the destination IP of the arriving packet, is received by the Checkpoint.
Unless it's done automatically, the proxy ARP setting tells the Checkpoint to reply to the ARP request by sending the MAC of the configured interface.
Then the router receives this reply, adds the CP to its ARP table and sends the packet out to the Checkpoint interface.
Now the Checkpoint begins sending the packet through its chain.
best regards
Vincent
Hi Vincent,
thanks again for your answer. I think I understand it. Proxy ARP is to reply to an ARP request with your MAC when the ARP request is not asking for your IP. Packets are dispatched to the CheckPoint address, not to the internal device, so the CP doesn't have to be configured for proxy ARP because the destination IP is the CheckPoint address, not the internal device address.
Is that correct? If not, I am misunderstanding you.
Thanks,
Miguel.
Maybe I don't understand your initial issue.
As I understood, you want to establish a VPN between an external VPN gateway and an internal device.
So we suggested using an unused external IP address which is not configured as a physical node IP nor as a cluster IP on the Checkpoint. This is to avoid the Checkpoint assuming that received IKE/IPSec packets are directed at the Checkpoint device.
If I am right with my assumption about your scenario, then you
first create a host object using the unused external IP; let's call it host-nat. The original object is called host.
So you create a static NAT rule like this:
Original Source: any
Original Destination: host-nat
Original Service: any
Translated Source: Original
Translated Destination: host (static)
Translated Services: original
Install on: <policy target>
Next you configure a rule from any (or internal net/group negated) to host-nat with service IKE/IPSec, and from host to any (instead of any, you may as well use an object representing the external VPN device). Next you configure the mentioned proxy ARP at the Gaia level.
If I am wrong or something is missing, any CheckMate may correct me; it's long ago that I really configured that last time.
best regards
Vincent
My configuration (and my issue) is what you explain, but I didn't configure any proxy ARP because, as you say, traffic is dispatched to the CheckPoint (host-nat), not to host. It means the router is asking for host-nat's MAC, not for the MAC of the internal device.
Up to this point the NAT rule and security policies are configured, but I don't know why the CP is going to catch packets with a different IP than the IPs it has configured. Should it?
Thanks,
Miguel.
As the IP host-nat is just a network object (host), you have to add proxy ARP leading to the external interface of the Checkpoint.
Hi Vincent,
you are right. I read about proxy ARP but from a different point of view and I got confused by that. This solution solves my problem!
Thanks for your help :)
Regards.
If I understand correctly, the topology is as follows:
Fortigate----------Checkpoint GW------------Internet --------------peer
You want to build the tunnel between the Fortigate and the peer through the Checkpoint firewall. The first question is whether the IPSEC blade is enabled on the Checkpoint firewall (if yes, you need another public IP to terminate the tunnel on, because the Checkpoint firewall is listening on ports udp 500 and udp 4500 and is expecting to form a VPN). In this scenario you need to get another public IP and statically NAT the Fortigate firewall behind it.
If the IPsec blade is not enabled on the Checkpoint firewall, you might create manual NAT rules for the ports udp 500 and 4500 to forward them to the Fortigate, and this might work.
Thanks
Hi Houssameddine,
Yes, IPSec was enabled. Thanks for your answer. Proxy ARP was the solution to this issue.
Regards.
I'm glad you fixed the problem. I wanted to clarify more:
1- If you have IPsec enabled on the Checkpoint, you will not be able to use the public IP of the Checkpoint to terminate the VPN on the internal Fortigate firewall, because the Checkpoint is listening on the VPN ports and it thinks all VPN traffic is directed to it.
2- The proxy ARP configuration (proxy ARP is an ARP reply without a request). You needed this configuration because you use manual static NAT to another public IP that doesn't belong to the Checkpoint firewall, and the upstream router doesn't know how to reach the new public IP because it doesn't know the MAC address. If you used automatic static NAT for the new public IP, you wouldn't need the proxy ARP configuration. Besides the NAT, you need firewall rules on the Checkpoint firewall to allow IKE, ISAKMP and ESP or NAT-T to pass through to the internal device.
Thanks
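The following is an added example, not code from the thread or from Check Point: a small Python model of the three situations the thread walks through (NAT to the cluster's own IP with the IPsec blade enabled, NAT to a separate public IP without proxy ARP, and the same with proxy ARP). All addresses, the cluster/host names and the rule sets are constructed sample values.

```python
# Constructed model of the inbound path described in the thread: upstream ARP,
# then the gateway's own IPsec blade, then static NAT. Addresses are sample values.
VPN_PORTS = {("udp", 500), ("udp", 4500)}   # IKE and NAT-T, as the thread notes

CLUSTER_IPS = {"203.0.113.1", "203.0.113.2", "203.0.113.3"}  # VIP + two members (sample)
HOST_NAT = "203.0.113.10"        # unused public IP that lives only in the NAT rule (sample)
HOST = "10.0.0.5"                # internal FortiGate, private address (sample)
STATIC_NAT = {HOST_NAT: HOST}    # manual static NAT: host-nat -> host
PROXY_ARP = set()                # public IPs Gaia answers ARP for on the external interface


def arp_reply(requested_ip, cluster_ips=CLUSTER_IPS, proxy_arp=PROXY_ARP):
    """Does the gateway answer the upstream router's ARP request for this IP?"""
    return requested_ip in cluster_ips or requested_ip in proxy_arp


def handle_inbound(dst_ip, proto, dport=None, vpn_blade=True,
                   cluster_ips=CLUSTER_IPS, nat=STATIC_NAT, proxy_arp=PROXY_ARP):
    """Return where an inbound packet ends up, following the thread's reasoning."""
    # 1. The router must first resolve the destination IP to the gateway's MAC.
    if not arp_reply(dst_ip, cluster_ips, proxy_arp):
        return "dropped upstream: router gets no ARP reply for " + dst_ip
    # 2. With the IPsec blade enabled, IKE/NAT-T/ESP to a cluster IP is the
    #    gateway's own VPN traffic and never reaches the NAT rule.
    is_vpn = (proto, dport) in VPN_PORTS or proto == "esp"
    if dst_ip in cluster_ips and is_vpn and vpn_blade:
        return "terminated on gateway: IPsec blade owns udp/500, udp/4500 and ESP"
    # 3. Otherwise static NAT rewrites the destination and the packet is forwarded.
    if dst_ip in nat:
        return "forwarded to " + nat[dst_ip]
    return "matched against rulebase for " + dst_ip


if __name__ == "__main__":
    before = {"203.0.113.1": HOST}            # Mike's first attempt: NAT on the VIP
    print("ping to VIP     :", handle_inbound("203.0.113.1", "icmp", nat=before))
    print("IKE to VIP      :", handle_inbound("203.0.113.1", "udp", 500, nat=before))
    print("IKE to host-nat :", handle_inbound(HOST_NAT, "udp", 500))
    print("IKE + proxy ARP :", handle_inbound(HOST_NAT, "udp", 500, proxy_arp={HOST_NAT}))
```

The four printed cases reproduce the thread's findings: ping through the VIP works, IKE to the VIP is swallowed by the gateway, IKE to host-nat is lost at the router until a proxy ARP entry for host-nat exists.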
