I have a Check Point firewall sitting behind a router; the ISP terminates on the router. Internet users can't get to the web server in the DMZ. Can anyone help me with the adjustment I have to make to the NAT rule on the Check Point?
Or maybe there is anything else I could do, apart from the NAT, that could make it work.
Note: Before the introduction of the router, the ISP terminated on the Check Point firewall and everything was working perfectly well; Internet users were accessing the web server in the DMZ. But after the introduction of the router, they can't access it any more. PLEASE HELP
Did you use manual NAT rules, or did you add the NAT IP in the object of the web server? If you do the latter, there will be an automatic proxy ARP entry that will take care of that.
When using manual NAT you need to make sure to add a proxy ARP entry in clish:
add arp proxy ipv4-address 123.123.123.123 macaddress 00:1c:7f:33:22:11 real-ip 123.123.123.122
123.123.123.123 is the NAT address for the web server, 00:1c:7f:33:22:11 is the MAC address of the Internet interface and 123.123.123.122 is the Internet-facing IP of the FW. Now push policy first.
After the push you can check the availability of the Proxy ARP with:
fw ctl arp
I used the configuration of the proxy ARP above but keep getting the error message "KERPHY0079 IP already has a MAC address mapping".
I am still stuck.
I used ipv4-address 123.123.123.123 = the public IP mapped to the web server, given by the ISP (155.93.X.X)
macaddress 00:1c:7f:33:22:11 = MAC address of the external Check Point interface connected to the router
real-ip 123.123.123.122 = the IP address of the external Check Point interface connected to the router
Please correct me if I am wrong anywhere.
Are you running a cluster? Did you check that there was not already an ARP entry for this IP?
Use fw ctl arp to check the existing proxy ARPs and see whether you did not already assign the IP to another internal automatic NAT.
If you were previously terminating the ISP on a Check Point, then it had the IP in the public range assigned to its external interface.
Now you have introduced the router and are terminating ISP traffic on it.
Questions that should be answered and the points to be considered are:
1. Is the network between the ISP and your router part of your public range?
2. If the answer to [1] is "Yes", then what is the network between the router and the external interface of the firewall defined as?
3. Do you perform 1:1 NAT on the router to get the inbound traffic translated to the external interface's IP range?
4. Do you have a simple static NAT configured on the web server object that translates its actual IP to an IP in the range assigned to the external interface?
5. No manual ARP/NAT configuration is required if static NAT is defined in the properties of the web server.
1) YES. The ISP terminates on the router, so it is a public IP address.
2) There is a private IP between the router and the external interface of the firewall.
3) There is a NAT inside and NAT outside on the router.
4) I first did manual NAT and added a proxy ARP; it didn't work. Then I did a static NAT on the web server to translate the actual IP to the public IP provided by the ISP (155.93.X.X), not the private IP I assigned to the external firewall interface (192.168.X.X).
5) I removed the manual NAT when I configured the static NAT.
From what you have asked so far, would you suggest I use a public IP between the external firewall interface and the router? Also, should I rather map the web server static NAT to the external interface of the firewall (which is currently a private IP)?
On the gateway, you can statically NAT the private IP of the web server to one of the private IPs in the range between the firewall and the router.
You then configure static NAT on the router between that IP and one of the public IPs.
There should be a route for that IP, or for the entire subnet, on the router pointing to the external IP of the firewall as its next hop.
Your topology on the firewall should be configured to define its external interface.
Thus, inbound traffic will be NATed and forwarded to the web server, and outbound traffic will be properly routed on its way back.
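To make the two-hop design above concrete, here is an added example that is not part of the thread and not Check Point or router code: a small Python model that traces one inbound packet through router DNAT, the transit network and the firewall's static NAT, checking at each hop that the device has a route and that someone on the link answers ARP for the next hop. All addresses are made up (155.93.0.10 stands in for the ISP address, 192.168.1.0/24 for the private transit network, 10.0.0.0/24 for the DMZ). It covers the working chain from the answer above, the failure when the firewall NATs to the ISP's public address while the router owns it, and the case from the earlier reply where the router has no route for the transit NAT address and a proxy ARP entry on the firewall (manual, or the automatic one from the object's static NAT) is what makes it reachable.

```python
"""Trace an inbound packet through router DNAT and firewall static NAT.

Constructed model for illustration, not Check Point or router code. Addresses are made up:
  155.93.0.10    public IP the ISP routes to the router (the 155.93.X.X of the thread)
  192.168.1.0/24 private transit network between router and firewall external interface
  10.0.0.0/24    DMZ behind the firewall
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

PUBLIC = ip_address("155.93.0.10")        # router WAN address, given by the ISP
ROUTER_LAN = ip_address("192.168.1.254")
FW_EXT = ip_address("192.168.1.1")        # firewall external interface on the transit net
TRANSIT_NAT = ip_address("192.168.1.10")  # NAT address for the web server on the transit net
FW_DMZ = ip_address("10.0.0.1")
SERVER = ip_address("10.0.0.80")          # real web server address in the DMZ
TRANSIT, DMZ, WAN = (ip_network(n) for n in ("192.168.1.0/24", "10.0.0.0/24", "155.93.0.0/24"))


@dataclass
class Device:
    name: str
    ifaces: dict                                  # ifname -> (own address, connected network)
    dnat: dict = field(default_factory=dict)      # arriving destination -> translated destination
    routes: list = field(default_factory=list)    # (prefix, next hop); connected nets need none
    proxy_arp: set = field(default_factory=set)   # addresses answered for besides interface IPs

    def owns(self, ip):
        return any(ip == addr for addr, _ in self.ifaces.values())

    def answers_arp(self, ip):
        return self.owns(ip) or ip in self.proxy_arp

    def next_hop(self, dst):
        """Longest-prefix lookup over connected networks and static routes."""
        cands = [(net.prefixlen, dst) for _, net in self.ifaces.values() if dst in net]
        cands += [(net.prefixlen, gw) for net, gw in self.routes if dst in net]
        return max(cands)[1] if cands else None


def trace(devices, entry, dst, max_hops=8):
    """Follow one packet hop by hop; returns (outcome, [(device, arrived as, left as), ...])."""
    dev, path = entry, []
    for _ in range(max_hops):
        arrived = dst
        dst = dev.dnat.get(dst, dst)            # inbound static NAT is applied on ingress
        path.append((dev.name, str(arrived), str(dst)))
        if dev.owns(dst):
            return f"delivered to {dev.name}", path
        nh = dev.next_hop(dst)
        if nh is None:
            return f"dropped at {dev.name}: no route to {dst}", path
        link = next((net for _, net in dev.ifaces.values() if nh in net), None)
        if link is None:
            return f"dropped at {dev.name}: next hop {nh} not on a connected network", path
        nxt = next((d for d in devices if d is not dev
                    and any(net == link for _, net in d.ifaces.values())
                    and d.answers_arp(nh)), None)
        if nxt is None:
            return f"dropped at {dev.name}: nobody answers ARP for {nh} on {link}", path
        dev = nxt
    return "dropped: hop limit exceeded", path


def build(router_dnat_to, router_routes, fw_nat_ip, fw_proxy_arp=()):
    router = Device("router", {"wan": (PUBLIC, WAN), "lan": (ROUTER_LAN, TRANSIT)},
                    dnat={PUBLIC: router_dnat_to}, routes=router_routes)
    fw = Device("firewall", {"eth0": (FW_EXT, TRANSIT), "eth1": (FW_DMZ, DMZ)},
                dnat={fw_nat_ip: SERVER}, proxy_arp=set(fw_proxy_arp))
    server = Device("webserver", {"eth0": (SERVER, DMZ)})
    return [router, fw, server], router


def working_chain():
    """Router 155.93.0.10 -> 192.168.1.10 with a /32 route to the firewall;
    firewall 192.168.1.10 -> 10.0.0.80."""
    devs, router = build(TRANSIT_NAT, [(ip_network("192.168.1.10/32"), FW_EXT)], TRANSIT_NAT)
    return trace(devs, router, PUBLIC)[0]


def nat_to_isp_address():
    """Firewall statically NATs the server to the ISP address and proxy-ARPs for it on the
    transit link, while the router forwards to the firewall's own transit address.
    The firewall never sees 155.93.0.10 as a destination, so its NAT rule never matches."""
    devs, router = build(FW_EXT, [], PUBLIC, fw_proxy_arp={PUBLIC})
    return trace(devs, router, PUBLIC)[0]


def missing_transit_route(with_proxy_arp):
    """Router translates to 192.168.1.10 but has no /32 route for it, so somebody on the
    transit net must answer ARP for 192.168.1.10: that is the proxy ARP entry's job."""
    devs, router = build(TRANSIT_NAT, [], TRANSIT_NAT,
                         fw_proxy_arp={TRANSIT_NAT} if with_proxy_arp else ())
    return trace(devs, router, PUBLIC)[0]


if __name__ == "__main__":
    for label, fn in [("working chain", working_chain),
                      ("NAT to ISP address on firewall", nat_to_isp_address),
                      ("no route, no proxy ARP", lambda: missing_transit_route(False)),
                      ("no route, proxy ARP on firewall", lambda: missing_transit_route(True))]:
        print(f"{label:34} -> {fn()}")
```

The model shows why the thread's configuration cannot work: once the ISP terminates on the router, the public address belongs to the router, so a proxy ARP entry for it on the firewall's transit interface is never consulted, and a firewall NAT keyed on that address never matches. The address the firewall must translate, and answer ARP for if the router has no route for it, is one in the transit range between router and firewall.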
I am not running a cluster. After using the command you gave me, I didn't see any ARP entry in the fw ctl arp output. I then checked WebUI > ARP and saw two proxy ARPs I had previously added with the command in clish. I manually removed the proxy ARPs and repeated the process afresh. Still there was no connection from external.
Kindly confirm whether the configs I used below are correct:
I used ipv4-address 123.123.123.123 = the public IP mapped to the web server, given by the ISP (155.93.X.X)
macaddress 00:1c:7f:33:22:11 = MAC address of the external Check Point interface connected to the router
real-ip 123.123.123.122 = the IP address of the external Check Point interface connected to the router.
If they are, then you can go further to suggest a solution. Thanks