Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
giesseffe
Explorer

Multiple IP connection to local server

We need to find a solution that allows multiple ip's to communicate with one of our internal servers.

In other words, is it possible to mask randomly changing public ip's (ex: hyperforce ip) behind a single domain that communicates with internal servers?

Is reverse proxy a good solution?

Does the call from the external site need to come from a single domain that I can filter, or can I operate with checkpoints to create a single domain that will be called from the external site?

0 Kudos
7 Replies
PhoneBoy
Admin
Admin

Use Access Policy and NAT rules to allow/modify the traffic so it can be consumed internally.
A public IP specific to that server might be necessary, depending on your configuration.

0 Kudos
giesseffe
Explorer

The problem is that the calls come from different ip aws that change randomly. As you can see in the image attatched, I receive different request from different ip AWS and the flows works properly. My need is to avoid all these requests and collect everything in the same domain. Can this be done by Checkpoint or by the service on AWS?

0 Kudos
PhoneBoy
Admin
Admin

Is the stuff in AWS in your control or not?

0 Kudos
giesseffe
Explorer

Unfortunately not and this is the real problem. The great difficulty lies in making the third-party technicians understand the need to receive a call from one domain and not from several random IPs. Could you confirm that I can do almost nothing at the side checkpoint?

0 Kudos
PhoneBoy
Admin
Admin

Keep in mind that none of the AWS IP addresses will have a "domain" associated with them, at least one that uniquely identifies the application in question.
If you had access to the AWS Data Centers and could connect the CloudGuard Controller, you can actually create objects based on objects in AWS and create rules that your on-premise gateways would enforce.

0 Kudos
StackCap43382
Collaborator
Collaborator

If the incoming connectivity is to a static IP on the firewall cant you just SRC NAT it and then create an internal DNS entry to point it back to the NAT address on the firewall?

This is the kind of situation where a LB like an F5 or a Citrix is ideal.

 

If you need the traffic to hit the firewall from a single IP you'll need to condense it before it arrives.

You'll need to deploy a LB in Azure etc and point the AWS resources to it.

It will use SNAT to forward the traffic to the firewall behind its external Address.

As previous a DNS entry can be attached.

 

CCSME, CCTE, CCME, CCVS
0 Kudos
giesseffe
Explorer

Thanks a lot @StackCap43382

Do you think this nat+dns solution could prevent aws public ip change from blocking the flow to the internal server?

FLOW:

(Source) Random Public IP AWS -> Destination (public Ip CP)  

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events