Hi,
I have a Gaia Embedded 1590 directly connected to an ISP-provided MPLS network. The IP address on the WAN port is therefore a private address.
Internet is provided by a service hanging off the MPLS. There is a /28 of public addresses routed through the MPLS, terminating at the Check Point.
The public IPs work happily for inbound and outbound NATs.
Network traffic from the LAN interface is NATed to the internet using one of the /28 addresses.
Traffic to the internet from the firewall itself doesn't seem to use the above NAT, and resolves to a public IP not in the /28 range. It seems only basic ports are allowed through this IP at the internet connection source. I am therefore having trouble getting Reach My Device and connectivity to the Security Management portal to work.
I am trying to find a way to set a public IP in the /28 range for the router itself to use, I suppose by assigning a public IP to the WAN interface that already has a private address assigned.
Any hints?
Just add the /28 to the DMZ network interface and connect it to a switch on a dead VLAN so the port is up, set the first IP from the range to the DMZ interface and use that to NAT all traffic from the gateway. That way you can always connect to/from the Gateway from/to the internet.
For a VPN you can then set the link selection to the DMZ interface IP.
Do I understand it as you have an external FW filtering traffic and disallowing GW to MGMT connectivity?
Yeah there must be a firewall on that internet link. Firewall would be managed via the MPLS provider.
/28 doesn't seem to be impacted by the same firewall port filtering though.
Unit actually already has a DMZ. And I can connect to the firewall from the internet using the IP allocated to the DMZ interface.
I actually already tried to set a NAT like you describe and couldn't get it to go.
Tried LAN IP in the original source + DMZ Public IP in translated source
Tried WAN IP in the original source + DMZ Public IP in translated source
"This Gateway" is only a selectable option in Original Destination.
Actually I take that back.
WAN IP in the original source + DMZ public IP in the translated source is actually the solution. Verified from the CLI that outbound traffic from the firewall itself is now NATed as the DMZ public IP.
Thanks for your assistance.