This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Rohit_Gandas
Participant
‎2018-11-23 12:27 PM
Jump to solution

Traffic flow in between C to S via Firewall. How?

Hello All,

Please refer to attached image and solve my query.

Traffic has to go from CLIENT to SERVER. The condition is. It has to go through FIREWALL.

How that would be accomplished?

How traffic will go from client to server via firewall?

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2018-11-23 07:14 PM
Jump to solution

Looks like I get to dig out an old FAQ once again.

I actually feature this exact FAQ in my Migrate to R80.x talks as a Troy McClure slide Smiley Happy

The below is adapted from: Can't Talk to Translated IP from Internal Net 

To force traffic through the Security Gateway, you need to:

  • Block direct communication between the two from the router
  • Direct the client to use an IP that routes the traffic to the Security Gateway (we'll pick 1.1.1.3 in this example)
  • Create a "double NAT" rule, which will ensure the firewall stays between the two hosts.

Original SrcOriginal DstOriginal SvcXlated SrcXlated DstXlated Svc
10.0.0.11.1.1.3Any172.16.1.1(H)192.168.1.1Original


All traffic coming from 10.0.0.1 that is destined for 1.1.1.3 will get hidden behind 172.16.1.1 (the internal IP address of the firewall) and have a destination of 192.168.1.1 (the real IP of the server).
The side effect of this is that for each connection to your "internal" server using the external IP address, you will see the network connection traverse your internal network twice:

  • Once between the "server" and the Firewall
  • Once between the firewall and the "client"

I haven't actually tried this in years, so it's possible this won't work.

But, if it's going to work, this is how you'd do it.

View solution in original post

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2018-11-23 07:14 PM
Jump to solution

Looks like I get to dig out an old FAQ once again.

I actually feature this exact FAQ in my Migrate to R80.x talks as a Troy McClure slide Smiley Happy

The below is adapted from: Can't Talk to Translated IP from Internal Net 

To force traffic through the Security Gateway, you need to:

  • Block direct communication between the two from the router
  • Direct the client to use an IP that routes the traffic to the Security Gateway (we'll pick 1.1.1.3 in this example)
  • Create a "double NAT" rule, which will ensure the firewall stays between the two hosts.

Original SrcOriginal DstOriginal SvcXlated SrcXlated DstXlated Svc
10.0.0.11.1.1.3Any172.16.1.1(H)192.168.1.1Original


All traffic coming from 10.0.0.1 that is destined for 1.1.1.3 will get hidden behind 172.16.1.1 (the internal IP address of the firewall) and have a destination of 192.168.1.1 (the real IP of the server).
The side effect of this is that for each connection to your "internal" server using the external IP address, you will see the network connection traverse your internal network twice:

  • Once between the "server" and the Firewall
  • Once between the firewall and the "client"

I haven't actually tried this in years, so it's possible this won't work.

But, if it's going to work, this is how you'd do it.

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2018-11-24 10:59 AM
Jump to solution

Another way is to use VRF's on the router splitting the traffic and using a trunk between router and Firewall. Or directly connect either of the 2 or both networks directly to the Firewall and forget the router altogether.

Regards, Maarten
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events