solaris77
Explorer

Question: one public IP on outside NIC of FW used for outbound internet access and inbound access


Hello,

I have a real virtual Check Point Security Gateway setup scenario: the carrier who provides the virtual computing platform can only allow one public IP on the virtual Check Point Security Gateway instance running R80.20, i.e. the internet-facing interface IP; no other public IP range can be allocated due to a platform restriction.

The virtual Check Point SG setup requirements:

1) set up outbound internet access, with Hide NAT for all internal subnets behind the outside interface IP;

2) set up static NAT on the FW for inbound access using the same outside interface IP, so remote client VPN access can get to the VPN concentrator which sits in the DMZ behind the FW.

The questions are: 1) is it doable; 2) any FW NAT/ARP/local port range setup issues; 3) any performance concerns?

I haven't set up the test environment yet; I'm wondering if anyone could give some valuable comments/advice.

  

0 Kudos
1 Solution

Accepted Solutions
Vladimir
Champion

You should be able to achieve this, provided that you do not have IPSec enabled on Check Point, if your VPN concentrator is using it, or you may have to change the default portal port if you are looking to implement SSL/TLS VPN from behind Check Point.


0 Kudos
9 Replies
PhoneBoy
Admin

You can do the first thing easily enough.
The second should be possible depending on the ports required.
That said, the Check Point gateway can also terminate VPN connections (with appropriate licenses).

0 Kudos
solaris77
Explorer

Thanks for confirmation.

We'll use a standalone TLS/DTLS-based VPN concentrator with static NAT on the Check Point Security Gateway; VPN traffic would be directed to the box behind the FW, port forwarding would be applied to both TCP and UDP 443, and no HTTP/HTTPS services would be enabled on the Check Point Security Gateway.

0 Kudos
PhoneBoy
Admin

Note that there is something called multiportal that may impact usage of TCP 443.
Recommend that you change the Gaia WebUI port to something other than 443.
A couple other changes may be required.

0 Kudos
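The two requirements in the question (Hide NAT of all internal subnets behind the outside IP, plus a static port-forward on that same IP for TCP/UDP 443 to a DMZ concentrator) and PhoneBoy's caveat about multiportal/WebUI on TCP 443 can both be illustrated with a small model. The following is an added example written for this page, not Check Point code and not anything posted in the thread. It models a stateful gateway that allocates hide-NAT source ports from a pool, reverse-translates replies from its connection table before consulting the port-forward rules, and flags a forwarded port that collides with a service the gateway itself listens on or with the hide-NAT port pool. The addresses (RFC 5737 test ranges), the 10000-59999 port pool, and the list of local services are assumptions chosen for the example; check the real values on your gateway.

```python
"""Model of hide NAT + static port-forward sharing one public IP.

Added example for this page; not Check Point's implementation. All
addresses, the port pool, and the service list below are assumptions.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

OUTSIDE_IP = "203.0.113.10"                    # assumption: gateway outside IP
DMZ_CONCENTRATOR = "192.168.100.5"             # assumption: TLS/DTLS VPN box in DMZ
INTERNAL_NETS = [ip_network("10.0.0.0/8"),     # assumption: hidden internal subnets
                 ip_network("192.168.0.0/16")]
HIDE_NAT_PORTS = range(10000, 60000)           # assumption: hide-NAT source-port pool
GATEWAY_LOCAL_SERVICES = {("tcp", 443),        # assumption: Gaia WebUI/multiportal
                          ("tcp", 22)}         # assumption: SSH


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


class NatGateway:
    def __init__(self, forwards, local_services=GATEWAY_LOCAL_SERVICES, pool=HIDE_NAT_PORTS):
        self.forwards = dict(forwards)         # (proto, outside port) -> inside host
        self.local_services = set(local_services)
        self.pool = pool
        self.sessions = {}                     # (proto, hide port) -> original outbound packet
        self._cursor = 0

    def check_conflicts(self):
        """Forwarded ports must not be owned by the gateway itself or by the hide-NAT pool."""
        problems = []
        for (proto, port), target in self.forwards.items():
            if (proto, port) in self.local_services:
                problems.append(f"{proto}/{port} forwarded to {target} but the gateway itself listens there")
            if port in self.pool:
                problems.append(f"{proto}/{port} forwarded to {target} lies inside the hide-NAT port pool")
        return problems

    def _allocate_port(self, proto):
        # Round-robin over the pool, skipping ports already in use, forwarded, or local.
        for _ in range(len(self.pool)):
            port = self.pool[self._cursor % len(self.pool)]
            self._cursor += 1
            key = (proto, port)
            if key not in self.sessions and key not in self.forwards and key not in self.local_services:
                return port
        raise RuntimeError("hide-NAT port pool exhausted")

    def outbound(self, pkt):
        """Hide NAT: rewrite internal source to the outside IP and a pool port."""
        if not is_internal(pkt.src):
            return None
        port = self._allocate_port(pkt.proto)
        self.sessions[(pkt.proto, port)] = pkt
        return replace(pkt, src=OUTSIDE_IP, sport=port)

    def inbound(self, pkt):
        """Returns (action, translated packet). Connection table wins over rules."""
        if pkt.dst != OUTSIDE_IP:
            return ("drop", None)
        key = (pkt.proto, pkt.dport)
        orig = self.sessions.get(key)
        if orig and pkt.src == orig.dst and pkt.sport == orig.dport:
            return ("hide-nat-reply", replace(pkt, dst=orig.src, dport=orig.sport))
        if key in self.forwards:                  # static NAT for unsolicited traffic
            return ("static-nat", replace(pkt, dst=self.forwards[key]))
        if key in self.local_services:            # delivered to the gateway itself
            return ("local", pkt)
        return ("drop", None)


def demo():
    forwards = {("tcp", 443): DMZ_CONCENTRATOR, ("udp", 443): DMZ_CONCENTRATOR}
    gw = NatGateway(forwards)                     # WebUI still on 443: conflict expected
    conflicts = gw.check_conflicts()
    # Constructed packets: an internal host browsing out, then the server's reply.
    out = gw.outbound(Packet("tcp", "10.1.2.3", 51000, "198.51.100.7", 443))
    reply = gw.inbound(Packet("tcp", "198.51.100.7", 443, OUTSIDE_IP, out.sport))
    # A remote VPN client hitting the same public IP on UDP 443 (DTLS).
    vpn = gw.inbound(Packet("udp", "198.51.100.99", 40000, OUTSIDE_IP, 443))
    # Same forwards with the WebUI moved off 443 (assumed port 4434): no conflicts.
    fixed = NatGateway(forwards, local_services={("tcp", 4434), ("tcp", 22)})
    return conflicts, out, reply, vpn, fixed.check_conflicts()


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The model gives the port-forward rule precedence over the gateway's own listener, so the conflict list, not the translation result, is what tells you to move the WebUI/multiportal off TCP 443 before relying on the forward; it also shows why the hide-NAT pool must exclude the forwarded ports, since a reply for an outbound session is matched by connection state before any NAT rule is consulted.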
Maarten_Sjouw
Champion

The problem you will be running into is that you cannot NAT ESP traffic, and most VPN concentrators really do not like to be NATted.

So I hope for you it will work but I have my doubts.

Regards, Maarten
0 Kudos
solaris77
Explorer

Not the IPsec-based VPN concentrator, for which the NAT-Traversal feature needs to be supported by NAT devices in between. We're using the TLS/DTLS-based VPN concentrator; NAT devices in between should not be a problem.

0 Kudos
the_rock
Authority

Hard to say in regards to performance issues... in my own personal experience, EVERY vendor will tell you how their firewalls work based on MINIMUM requirements and a basic setup, so I always take it with a grain of salt : ). Having said that, I would say it is doable and, as PhoneBoy said, the setup should work based on the ports required. Also, again, just my own personal experience, I have seen different customers use the same setup and gateways and it works for one but not the other. There are so many factors that can affect this... (the network itself, proxy used?, acceleration...)

0 Kudos
solaris77
Explorer

Yes, literally the setup should work. We'll do some load testing to simulate the large WFH traffic throughput case.

0 Kudos
Vladimir
Champion
Champion

BTW, you may want to locate it in DMZ, create an IPS/AV exception for Internet-to-concentrator, but leave the Anti-bot in place.

You can inspect/control the traffic from concentrator to your internal networks using policies.

0 Kudos