Solved: Question: one public IP on outside NIC of FW used ...

solaris77 · ‎2021-01-28

Hello,

I have a real virtual Checkpoint Security Gateway setup scenario: carrier who provides the virtual computing platform can only allow one public IP on virtual Checkpoint Security Gateway instance running Checkpoint v80.20, i.e. the internet-facing interface IP, no other public IP range could be allocated due to platform restriction.

The virtual checkpoint SG setup requirements:

1) setup outbound internet access, setup Hide NAT for all internal subnets with the outside interface IP;

2) setup static NAT on FW for inbound access using the same outside interface IP, so remote client VPN access could get to the VPN Concentrator which sits within DMZ behind FW

The questions are: 1) is it doable 2) any FW NAT/Arp/local Port range setup issues; 3) any performance concerns

I haven't setup the test environment yet, I'm wondering if anyone could give some valuable comments/advices.

Vladimir · ‎2021-01-30

You should be able to achieve this, provided that you do not have IPSec enabled on Check Point, if your VPN concentrator is using it, or you may have to change the default portal port if you are looking to implement SSL/TLS VPN from behind Check Point.

View solution in original post

PhoneBoy · ‎2021-01-29

You can do the first thing easily enough.
The second should be possible depending on the ports required.
That said, the Check Point gateway can also terminate VPN connections (with appropriate licenses).

solaris77 · ‎2021-01-30

Thanks for confirmation.

We'll use standalone TLS/DTLS based VPN concentrator, static NAT on Checkpoint Security Gateway, VPN traffic could be directed to box behind FW, port forwarding setup would be applied to both TCP and UDP 443, no http/https services would be enabled on Checkpoint Security Gateway.

PhoneBoy · ‎2021-02-01

Note that there is something called multiportal that may impact usage of TCP 443.
Recommend that you change the Gaia WebUI port to something other than 443.
A couple other changes may be required.

Vladimir · ‎2021-01-30

You should be able to achieve this, provided that you do not have IPSec enabled on Check Point, if your VPN concentrator is using it, or you may have to change the default portal port if you are looking to implement SSL/TLS VPN from behind Check Point.

Maarten_Sjouw · ‎2021-01-30

Problem you will be running into is that you cannot NAT ESP traffic and most VPN concentrators really do not like to be NATted.

So I hope for you it will work but I have my doubts.

Regards, Maarten

solaris77 · ‎2021-01-30

Not the IPsec based VPN Concentrator for which the NAT-Transversal feature needs be supported for NAT devices in between. We're using the TLS/DTLS based VPN concentrator, NAT with devices in between should not a problem.

the_rock · ‎2021-01-30

Hard to say in regards to performance issues...in my own personal experience, EVERY vendor will tell you how their firewalls work based on MINIMUM requirements and basic setup, so I always take it with a grain of salt : ). Having said that, I would say it is doable and as phoneboy said, setup should work based on ports required. Also, again, just my own personal experience, I had seen where different customers use same setup and gateways and it works for one, but not the other. There are so many factors that can affect this...(network itself, proxy used?, acceleration...)

solaris77 · ‎2021-01-30

Yes, literally the setup should work. We'll do some load testing to simulate the large WFH traffic throughput case.

Vladimir · ‎2021-01-30

BTW, you may want to locate it in DMZ, create an IPS/AV exception for Internet-to-concentrator, but leave the Anti-bot in place.

You can inspect/control the traffic from concentrator to your internal networks using policies.

Are you a member of CheckMates?

Question: one public IP on outside NIC of FW used for outbound internet access and inbound access