Atul_Giri
Explorer

Two Public LAN pool point single WAN

New Check Point cluster set up with two WAN links; the primary WAN link has two LAN subnets (/29 public IPs for NAT). Need help in configuring those subnets.

ISP: WAN 114.x.18x.x/30

ISP: LAN1 114.x.13x.x/29

ISP: LAN2 49.x.x.x/29

Have configured the WAN (/30) subnet as a VLAN on the WAN aggregation L3 switch; on the same switch the ISP's LAN1 subnet is configured as a separate VLAN, and I am able to reach the Internet from the firewall using this.

But when trying to access the other ISP LAN subnet (49.x.x.x/29) from outside, it is not reaching the internal private IPs.

NAT and route have been added. Please guide what the configuration on the firewall should be for NAT to work.

0 Kudos
6 Replies
Mark_Mitchell
Advisor

Hi Atul,

Are the 2 additional public LAN subnets routed via your /30 to the firewall (advertised via the ISP router)? Or does each of the subnets have a default gateway within the /29s?

Also what Check Point appliance are you using? 

Regards

Mark

0 Kudos
Atul_Giri
Explorer

Thank you for reply Mark,

Are the 2 additional public LAN subnets routed via your /30 to the firewall? I have configured a Cisco router with the WAN (ISP end) and the ISP LAN IPs towards my firewall-connected interface.

Does each of the subnets have a default gateway within the /29s? I need to configure the LAN default gateway in the router, then only it works, so I have to use 4 IPs (1 router interface, 1 cluster, 2 firewalls); only 2 remain for NAT.

Also what Check Point appliance are you using? Check Point 5600 in HA.

I can see now that NAT is working (the local NATed PC is getting the NAT IP when checking through whatismyip.com).

The issue is that when I am tracing from the outside network to this PC, it is getting dropped at my WAN IP.

I am suspecting routing; a reverse route needs to be added at my WAN router for it to work. What do you suggest?

 

Regards,

Atul

0 Kudos
Mark_Mitchell
Advisor

Not a problem at all Atul. 

Thanks for answering my questions. How are you completing the NAT'ing within your policy? Are you NAT'ing the host object via the NAT screen, or are you using proxy ARP entries within Gaia?

If your inbound NATs are not working but outbound is, then it sounds like either routing inbound to your firewall or proxy ARP isn't configured, so the upstream router doesn't know your firewall owns the NAT'd address.

Regards

Mark

0 Kudos
Atul_Giri
Explorer

Hello Mark,

Please check the screenshot below for your reference.

NAT'ing using the host object: host static NAT, with Machine static NAT checked.

Yes, the upstream router is not recognizing the inside NAT from the firewall; will check the reverse route and share the result with you.

thank you so much.

NAT Policy

Regards,

Atul

0 Kudos
Atul_Giri
Explorer

Hello Mark, thank you for your help.

The issue has been resolved.

After adding the second subnet from the ISP LAN, NAT was not working.

We added an alias interface to the WAN interface on the firewall, and now NAT is working.

0 Kudos
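As an added illustration (not code from any post in this thread, and not a Check Point tool), the script below models the two points Mark raised and the fix Atul found: inbound traffic for a public NAT address only reaches the gateway if the upstream router either has a route for that prefix pointing at an address the firewall owns, or the firewall answers ARP for the address itself, whether through a manual proxy-ARP entry or through automatic ARP, which is assumed here to apply only when the NAT address falls inside a subnet configured directly on one of the gateway's interfaces (primary or alias). All addresses are constructed from the RFC 5737 documentation ranges and stand in for the thread's /30 WAN, LAN1 /29 and LAN2 /29; the `Gateway` class, `inbound_nat_path` and `scenario` are this example's own names. It generalizes the thread slightly by also showing the routed alternative, where no alias is needed because the router sends the /29 to the firewall's /30 address.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Gateway:
    """Model of the firewall's layer-3 configuration (example model, not a Gaia API).

    interfaces: interface name -> list of 'ip/prefix' strings (primary and alias addresses)
    manual_proxy_arp: public addresses the gateway has explicit proxy-ARP entries for
    auto_arp: whether automatic ARP for NAT addresses is enabled
    """
    interfaces: dict = field(default_factory=dict)
    manual_proxy_arp: set = field(default_factory=set)
    auto_arp: bool = True

    def owned_ips(self):
        return {ipaddress.ip_interface(a).ip
                for addrs in self.interfaces.values() for a in addrs}

    def connected_subnets(self):
        return [(name, ipaddress.ip_interface(a).network)
                for name, addrs in self.interfaces.items() for a in addrs]

    def add_alias(self, if_name, cidr):
        # An alias consumes one address of the subnet; the rest stay free for NAT.
        self.interfaces.setdefault(if_name, []).append(cidr)


def inbound_nat_path(nat_ip, gw, router_routes):
    """Classify how a packet for a public NAT address can reach the firewall.

    router_routes: list of (prefix, next_hop) static routes on the upstream router.
    Returns 'routed', 'manual-proxy-arp', 'auto-arp' or 'unreachable'.
    """
    ip = ipaddress.ip_address(nat_ip)
    owned = gw.owned_ips()
    # Case 1: the router routes the whole prefix to an address the firewall owns,
    # so it ARPs for the next hop, never for the NAT address itself.
    for prefix, next_hop in router_routes:
        if ip in ipaddress.ip_network(prefix) and ipaddress.ip_address(next_hop) in owned:
            return "routed"
    # Case 2: the NAT address is treated as on-link by the router, so the
    # firewall must answer ARP for it: either a manual entry ...
    if ip in {ipaddress.ip_address(p) for p in gw.manual_proxy_arp}:
        return "manual-proxy-arp"
    # ... or automatic ARP, which (assumed here) only covers addresses inside a
    # subnet configured on one of the gateway's interfaces.
    if gw.auto_arp:
        for _name, net in gw.connected_subnets():
            if ip in net:
                return "auto-arp"
    return "unreachable"


def check_nat_pool(nat_ips, gw, router_routes):
    return {ip: inbound_nat_path(ip, gw, router_routes) for ip in nat_ips}


def build_gateway():
    # Constructed topology: WAN /30 (203.0.113.0/30) and LAN1 /29 (198.51.100.0/29)
    # both live on the WAN interface; LAN2 /29 (192.0.2.0/29) is not yet configured.
    gw = Gateway(auto_arp=True)
    gw.interfaces["eth1"] = ["203.0.113.2/30", "198.51.100.2/29"]
    return gw


def scenario():
    """Reproduce the thread: LAN2 NAT fails, then works once an alias is added."""
    nat_pool = ["198.51.100.5", "192.0.2.5", "192.0.2.6"]
    gw = build_gateway()
    before = check_nat_pool(nat_pool, gw, router_routes=[])
    gw.add_alias("eth1", "192.0.2.2/29")          # the fix from the thread
    after_alias = check_nat_pool(nat_pool, gw, router_routes=[])
    # Alternative: router routes LAN2 to the firewall's /30 address instead.
    routed = check_nat_pool(nat_pool, build_gateway(),
                            router_routes=[("192.0.2.0/29", "203.0.113.2")])
    return before, after_alias, routed


if __name__ == "__main__":
    for label, result in zip(("before alias", "after alias", "routed via /30"), scenario()):
        print(label, result)
```

Running it shows the LAN2 addresses as `unreachable` until the alias is added, after which they become `auto-arp`, while the LAN1 address was `auto-arp` all along, which matches what Atul observed: outbound NAT worked (the gateway can always source traffic from the address), but inbound stopped at the router because nobody answered ARP for the /29 addresses.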
Mark_Mitchell
Advisor

Hi Atul, 

Thanks for letting us know it's now resolved. Just for reference, the alias IP that you added, was that the same as the NAT address you were trying to use?

Regards

Mark

0 Kudos