This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
jfelix
Participant
‎2020-12-08 10:07 PM
Jump to solution

Public IP - MPLS Connected 1590

Hi,

I have a  Gaia embedded 1590 directly connected to ISP provided MPLS Network.   IP Addressing on WAN port is therefore a private address.  

Internet is provided by a service hanging off the MPLS.   There is a /28 of public's routed through the MPLS terminating at the Checkpoint. 

Public IP's work happily for in and outbound NAT's. 

Network traffic from lan interface is NAT'd to the internet using one of the /28

Traffic to the internet from the firewall itself doesn't seem to use the above NAT, and resolves to a public IP not in the /28 range.   It seems only basic ports are allowed through this IP at the internet connection source.  I am therefore having trouble getting reachmydevice and connectivity to security management portal to work.   

I am trying to find a way to set a public IP in the /28 range for the router itself to use.  I suppose assign a public IP to the WAN interface that already has a private address assigned.    

Any hints?

0 Kudos
1 Solution

Accepted Solutions
Maarten_Sjouw
Champion
Champion
‎2020-12-09 06:30 AM
Jump to solution

Just add the /28 to the DMZ network interface and connect it to a switch on a dead VLAN so the port is up, set the first IP from the range to the DMZ interface and use that to NAT all traffic from the gateway. That way you can always connect to/from the Gateway from/to the internet.

For a VPN you can then set the link selection to the DMZ interface IP.

Regards, Maarten

View solution in original post

0 Kudos
5 Replies
_Val_
Admin
Admin
‎2020-12-09 01:40 AM
Jump to solution

Do I understand it as you have an external FW filtering traffic and disallowing GW to MGMT connectivity?

0 Kudos
jfelix
Participant
‎2020-12-09 03:02 PM
In response to _Val_
Jump to solution

Yeah there must be a firewall on that internet link.   Firewall would be managed via the MPLS provider. 

/28 doesn't seem to be impacted by the same firewall port filtering though.  


0 Kudos
Maarten_Sjouw
Champion
Champion
‎2020-12-09 06:30 AM
Jump to solution

Just add the /28 to the DMZ network interface and connect it to a switch on a dead VLAN so the port is up, set the first IP from the range to the DMZ interface and use that to NAT all traffic from the gateway. That way you can always connect to/from the Gateway from/to the internet.

For a VPN you can then set the link selection to the DMZ interface IP.

Regards, Maarten
0 Kudos
jfelix
Participant
‎2020-12-09 03:46 PM
Jump to solution

Unit actually already has a DMZ.  And I can connect to the firewall from the internet using the IP allocated to the DMZ interface. 

I actually already tried to set a NAT like you describe and couldn't get it to go. 

 

Tried LAN IP in the original source + DMZ Public IP in translated source
Tried WAN IP in the original source + DMZ Public IP in translated source

"This Gateway" is only a selectable option in Original Destination. 

0 Kudos
jfelix
Participant
‎2020-12-09 03:59 PM
Jump to solution

Actually I take that back. 

WAN IP in the original Source + DMZ public in translated source is actually the solution.   Verified from CLI that outbound traffic from the firewall itself is now nat'd as DMZ public IP. 

Thanks for your assistance

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events