VICTOR_UGWU
Explorer

Internet users access to DMZ

I have a Checkpoint Firewall sitting behind a router; the ISP terminates on the router. Internet users can't get to the webserver in the DMZ. Can anyone help me with the adjustment I have to make to the NAT rule on the Checkpoint?

0 Kudos
8 Replies
VICTOR_UGWU
Explorer

Or maybe there is something else I could do apart from the NAT that can make it work.

Note: Before the introduction of the router, the ISP terminated on the Checkpoint Firewall and everything was working perfectly well. Internet users were accessing the webserver in the DMZ. But after the introduction of the router, they can't access it any more. PLEASE HELP

0 Kudos
Maarten_Sjouw
Champion

Did you use manual NAT rules, or did you add the NAT IP in the object of the Webserver? If you do the latter, there will be an automatic Proxy ARP entry that will take care of that.

When using Manual NAT you need to make sure to add a Proxy ARP entry in clish:

  add arp proxy ipv4-address 123.123.123.123 macaddress 00:1c:7f:33:22:11 real-ip 123.123.123.122

123.123.123.123 is the NAT address for the Webserver, 00:1c:7f:33:22:11 is the MAC address of the Internet interface and 123.123.123.122 is the Internet-facing IP of the FW. Now first push policy.

After the push you can check the availability of the Proxy ARP with:

  fw ctl arp

Regards, Maarten
0 Kudos
VICTOR_UGWU
Explorer

I used the configuration of the proxy ARP above but keep getting the error message "KERPHY0079 IP already has a MAC address mapping".

I am still stuck.

I used ipv4-address 123.123.123.123 = the public IP mapped to the Webserver given by the ISP (155.93.X.X)

macaddress 00:1c:7f:33:22:11 = MAC address of the external Checkpoint interface connected to the router

real-ip 123.123.123.122 = the IP address of the external Checkpoint interface connected to the router

Please correct me if I am wrong anywhere.

0 Kudos
Maarten_Sjouw
Champion

Are you running a cluster? Did you check that there was not already an ARP entry for this IP?

Use fw ctl arp to check the existing proxy ARPs and see whether you did not already assign the IP to another internal automatic NAT.

Regards, Maarten
0 Kudos
Vladimir
Champion

If you were previously terminating ISP on a Check Point, then it had the IP in the Public range assigned to its external interface.

Now you have introduced the router and are terminating ISP traffic on it.

Questions that should be answered and the points to be considered are:

1. Is the network between the ISP and your router part of your public range?

2. If the answer to [1] is "Yes", then how is the network between the router and the external interface of the firewall defined?

3. Do you perform 1:1 NAT on the router to get the inbound traffic translated to the external interface's IP range?

4. Do you have a simple Static NAT configured on the Web Server object that translates its actual IP to the IP in the range assigned to the external interface?

5. No manual ARP NAT configuration is required if Static NAT is defined in the properties of the web server.

0 Kudos
VICTOR_UGWU
Explorer

1) YES. The ISP terminates on the router, so it is a public IP address.

2) There is a private IP between the router and the external interface of the firewall.

3) There is a NAT inside and NAT outside on the router.

4) I first did manual NAT and added a proxy ARP; it didn't work. Then I did a static NAT on the webserver to translate the actual IP to the public IP provided by the ISP (155.93.X.X), not the private IP I assigned to the external firewall interface (192.168.X.X).

5) I removed the manual NAT when I configured the static NAT.

From what you have asked so far, would you suggest I use a public IP between the external firewall interface and the router? Also, should I rather map the webserver static NAT to the external interface of the firewall (which is currently a private IP)?

0 Kudos
Vladimir
Champion

On the gateway, you can statically NAT the private IP of the Web Server to one of the private IPs in the range between the firewall and the router.

You then configure static NAT on the router between that IP and one of the Public IPs.

There should be a route for that IP or the entire subnet on the router pointing to the external IP of the firewall as its next hop.

Your topology on the firewall should be configured to define its external interface.

Thus, inbound traffic will be NATed and forwarded to the Web Server and outbound traffic will be properly routed on its way back.
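
As an added illustration of the two-hop design Vladimir describes (and of why the router ends up ARPing for a NAT IP unless it has a route for it or the gateway proxy-ARPs it, as Maarten's reply explains), here is a small Python checker that is not from the thread or from Check Point: it walks an inbound packet through the router NAT and the gateway NAT and reports where the chain breaks. All addresses are constructed for the example.

```python
import ipaddress

# Constructed example addressing (not the thread's real deployment):
PUBLIC_IP = "203.0.113.10"        # public IP the ISP routes to the router
TRANSIT_NET = "192.168.100.0/29"  # private segment between router and gateway
FW_EXTERNAL_IP = "192.168.100.2"  # gateway's external (transit) interface
WEB_SERVER_IP = "10.10.10.80"     # real IP of the web server in the DMZ


def validate_double_nat(router_nat, router_routes, fw_nat):
    """Walk an inbound packet for PUBLIC_IP through the two NAT hops and
    return a list of problems; an empty list means the chain is consistent.
    router_nat    : {public_ip: transit_ip}  static NAT on the router
    router_routes : {prefix: next_hop}       static routes on the router
    fw_nat        : {transit_ip: server_ip}  static NAT on the gateway
    """
    problems = []
    transit = ipaddress.ip_network(TRANSIT_NET)

    # Hop 1: the router rewrites the public IP; in this design the result
    # must live on the segment it shares with the gateway.
    hop1 = router_nat.get(PUBLIC_IP)
    if hop1 is None:
        return [f"router has no static NAT for {PUBLIC_IP}"]
    if ipaddress.ip_address(hop1) not in transit:
        problems.append(f"router NAT target {hop1} is outside transit net {TRANSIT_NET}")

    # Hop 1b: unless the target is the gateway's own interface, the router
    # needs a route for it via the gateway, or the gateway must proxy-ARP it.
    next_hop = next((nh for prefix, nh in router_routes.items()
                     if ipaddress.ip_address(hop1) in ipaddress.ip_network(prefix)),
                    None)
    if hop1 != FW_EXTERNAL_IP and next_hop != FW_EXTERNAL_IP:
        problems.append(f"router has no route for {hop1} via {FW_EXTERNAL_IP}; "
                        f"it will ARP for it, so the gateway must proxy-ARP {hop1}")

    # Hop 2: the gateway's static NAT must key on the IP the router delivers,
    # not on the public IP that the router has already rewritten.
    hop2 = fw_nat.get(hop1)
    if hop2 is None:
        problems.append(f"gateway has no static NAT for {hop1} "
                        f"(its NAT keys: {', '.join(sorted(fw_nat))})")
    elif hop2 != WEB_SERVER_IP:
        problems.append(f"gateway NAT sends {hop1} to {hop2}, not the web server")
    return problems
```

Feeding it a router NAT of 203.0.113.10 to 192.168.100.3 together with a gateway NAT keyed on the public IP reproduces the mismatch discussed above: the gateway never sees 203.0.113.10, so its static NAT is never hit.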

VICTOR_UGWU
Explorer

I am not running a cluster. After using the command you gave me, I didn't see any ARP in the fw ctl arp output. I then checked WebUI > arp and saw two proxy ARPs I had previously added with the command in clish. I manually removed the proxy ARPs and repeated the process afresh. Still there was no connection from external.

Kindly confirm whether the configs I used below are correct.

I used ipv4-address 123.123.123.123 = the public IP mapped to the Webserver given by the ISP (155.93.X.X)

macaddress 00:1c:7f:33:22:11 = MAC address of the external Checkpoint interface connected to the router

real-ip 123.123.123.122 = the IP address of the external Checkpoint interface connected to the router.

If they are, then you can go further to suggest a solution. Thanks

0 Kudos