This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
prashantds
Participant
‎2020-02-13 05:32 AM
Jump to solution

Make Windows Server accessible publically.

Hi All,

 

 I am very new to Checkpoint Firewall, We are using R77.30. 

We want to make our server accessible publicly by using Public IP.This public IP is having GW different than the current one which is configured on fw for internet access.

I have tried making a Node with Static NAT, and allowed the traffic by making rules.

but when i use that internet stops working on the server. and its not working.

Please suggest.

Thanks,

Prashant. 

Prashant
0 Kudos
1 Solution

Accepted Solutions
mdjmcnally
Advisor
‎2020-02-15 11:58 AM
In response to Chris_Atkinson
Jump to solution

In very simple terms what you want to do is have the ISP ROUTE your NEW IP Range to the Firewall on the Firewalls Current IP.

 

You can then create a Node for the Windows Server with the Private IP and then under Static NAT have the Public IP that want it known as.

 

At the moment when you do that then because the ISP Router has a Local Subnet for your Public IP then it does an ARP who has for the IP.

Nothing responds as doesn't exist and so you never get a reply.

 

If you provide the Check Point's External IP to your ISP and have them route the new Public IP Range to that IP then that will have the ISP Router forward all traffic for your new IP Range to the Check Point.

View solution in original post

9 Replies
PhoneBoy
Admin
Admin
‎2020-02-13 05:51 PM
Jump to solution

Screenshots of exactly what you configured along with a network diagram would help tremendously.
0 Kudos
prashantds
Participant
‎2020-02-13 10:38 PM
In response to PhoneBoy
Jump to solution

Hi,

Thanks for your reply. Please find attached config ss.

we have created one NAT rule hiding the server ip behind static public ip.

The problem is current public IP used for external traffic  and the public ip we are going to use now have different GW.

Thanks,

Prashant.

Prashant
Preview file
46 KB
Preview file
32 KB
Preview file
17 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2020-02-14 10:18 AM
In response to prashantds
Jump to solution

Please explain detail what you mean by "public ip we are going to use now have different GW."
A concrete example would help.
prashantds
Participant
‎2020-02-15 01:49 AM
In response to PhoneBoy
Jump to solution

Hi,

Our current network runs on following Public IP range.

NW: xxx.xxx.23.88/29 

GW xxx.xxx.23.89

The new ip we got from ISP is this :

NW: xxx.xxx.6.72
GW : xxx.xxx.6.73
MASK: 255.255.255.248

The IP for server which we want to access publicly is 10.38.28.19 

My concern is how can i flow traffic from servers IP to xxx.xxx.6.72 IP and vice versa.

Thanks,

 

Prashant
0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2020-02-15 04:40 AM
In response to prashantds
Jump to solution

What's the routing for the new network, where is the ISP routing it towards?

CCSM R77/R80/ELITE
mdjmcnally
Advisor
‎2020-02-15 11:58 AM
In response to Chris_Atkinson
Jump to solution

In very simple terms what you want to do is have the ISP ROUTE your NEW IP Range to the Firewall on the Firewalls Current IP.

 

You can then create a Node for the Windows Server with the Private IP and then under Static NAT have the Public IP that want it known as.

 

At the moment when you do that then because the ISP Router has a Local Subnet for your Public IP then it does an ARP who has for the IP.

Nothing responds as doesn't exist and so you never get a reply.

 

If you provide the Check Point's External IP to your ISP and have them route the new Public IP Range to that IP then that will have the ISP Router forward all traffic for your new IP Range to the Check Point.

prashantds
Participant
‎2020-02-16 12:54 AM
In response to mdjmcnally
Jump to solution

@mdjmcnally

Thanks for the explanation, is there no workaround for this to do it from myside??

Prashant
0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2020-02-16 01:26 AM
In response to prashantds
Jump to solution

Unfortunately not unless you are using Dynamic routing with your ISP?

Correct routing is a prerequisite for NAT.

CCSM R77/R80/ELITE
prashantds
Participant
‎2020-02-16 04:58 AM
In response to Chris_Atkinson
Jump to solution

Ok... Thanks for replies guys...
Prashant
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events