This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ashish_verma
Contributor
‎2018-03-24 08:20 PM
Jump to solution

Natting to an IP range not directly connected

I am trying to do natting by creating object with IP address which is in subnet not connected to firewall-1 and natting it to an IP address that is also not connected. In fw monitor it is only showing pre-in. how can I do so?

Thanks in advance.

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2018-03-24 11:17 PM
In response to ashish_verma
Jump to solution

Not only is neither subnet attached to the FW-1, they are off the same interface.

It's not impossible.

In fact, more than 15 years ago, I had devised a solution a similar problem.

Before you can even discuss the NAT rules on the firewall, there are several other things you will need to do in the environment to ensure 172.20.20.222 even reaches the firewall.

Specifically:

  • FW-2 will need a static route for 172.20.20.222 to point to Router-2 as a next hop.
  • Router2 will need a static route for 172.20.20.222 to point to Router1 as a next hop.
  • Router2 will also need to proxy-ARP for 172.20.20.222 if anything on 172.20.20.0/24 needs to talk to that IP.
  • Router1 will need a static route for 172.20.20.222 to point to FW-1 as a next hop.

Once you've done that, there will need to be a firewall rule permitting connections from the relevant hosts to 172.20.20.222.


In order to ensure that the firewall stays between the connection between the two hosts, you will need to create a manual dual NAT rule.

The NAT rule will look at both the source and destination of the packet and translate both the source and the destination of the packet.

Because the rules are processed in order, the dual NAT rule must come before other rules that might relate to the destination IP. 

Note that since you did not say what IP your firewall is on the 10.2.0.0/24 network, I am going to assume it's 10.2.0.1 in this example.

You also need to specify what IP addresses the connection will come from, as it cannot come from ANY.

Let's assume it's coming from 10.20.1.0/24.

Original
Translated
SourceDestinationServiceSourceDestinationService
10.20.1.0/24172.20.20.222Any10.2.0.1(H)192.168.1.222(S)Orig

This rule will ensure all traffic coming from 10.20.1.0/24 that is destined for 172.20.20.222 will get hidden behind 10.2.0.1 (the internal IP address of the firewall) and have a destination of 192.168.1.222.

The side effect of this is that for each connection to your "internal" SMTP server using the external IP address, you will see the network connection traverse your internal network twice:

  1. Once between the "server" and the FireWall
  2. Once between the firewall and the "client"

Plus you've created a whole bunch of extra routes in your network that you have to maintain.

View solution in original post

6 Replies
PhoneBoy
Admin
Admin
‎2018-03-24 08:43 PM
Jump to solution

A route elsewhere in the environment to direct the traffic for the source IP is required.

If you're seeing the traffic at all in fw monitor, that most likely means the traffic is being routed to the firewall correctly.

If it's not going past pre-in, that suggests the firewall rulebase is not configured to allow the traffic.

That is also a requirement.

What rule(s) in your rulebase allow traffic to this IP?

Are you configuring the NAT IPs in the object or are you using the NAT rulebase? 

What does your logs say when someone tries to connect to the IP address?

ashish_verma
Contributor
‎2018-03-24 10:06 PM
Jump to solution

Thanks Daemon for reply. The Scenario is as above. Now on FW-1, I am trying to do natting on FW-1.

I created an host object 172.20.20.222 and doing natting with 192.168.1.222. Is it possible as both this IPs subnets are not attached directly to FW-1 if yes how can I do so.

Thanks.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-03-24 11:17 PM
In response to ashish_verma
Jump to solution

Not only is neither subnet attached to the FW-1, they are off the same interface.

It's not impossible.

In fact, more than 15 years ago, I had devised a solution a similar problem.

Before you can even discuss the NAT rules on the firewall, there are several other things you will need to do in the environment to ensure 172.20.20.222 even reaches the firewall.

Specifically:

  • FW-2 will need a static route for 172.20.20.222 to point to Router-2 as a next hop.
  • Router2 will need a static route for 172.20.20.222 to point to Router1 as a next hop.
  • Router2 will also need to proxy-ARP for 172.20.20.222 if anything on 172.20.20.0/24 needs to talk to that IP.
  • Router1 will need a static route for 172.20.20.222 to point to FW-1 as a next hop.

Once you've done that, there will need to be a firewall rule permitting connections from the relevant hosts to 172.20.20.222.


In order to ensure that the firewall stays between the connection between the two hosts, you will need to create a manual dual NAT rule.

The NAT rule will look at both the source and destination of the packet and translate both the source and the destination of the packet.

Because the rules are processed in order, the dual NAT rule must come before other rules that might relate to the destination IP. 

Note that since you did not say what IP your firewall is on the 10.2.0.0/24 network, I am going to assume it's 10.2.0.1 in this example.

You also need to specify what IP addresses the connection will come from, as it cannot come from ANY.

Let's assume it's coming from 10.20.1.0/24.

Original
Translated
SourceDestinationServiceSourceDestinationService
10.20.1.0/24172.20.20.222Any10.2.0.1(H)192.168.1.222(S)Orig

This rule will ensure all traffic coming from 10.20.1.0/24 that is destined for 172.20.20.222 will get hidden behind 10.2.0.1 (the internal IP address of the firewall) and have a destination of 192.168.1.222.

The side effect of this is that for each connection to your "internal" SMTP server using the external IP address, you will see the network connection traverse your internal network twice:

  1. Once between the "server" and the FireWall
  2. Once between the firewall and the "client"

Plus you've created a whole bunch of extra routes in your network that you have to maintain.

ashish_verma
Contributor
‎2018-03-25 01:03 AM
In response to PhoneBoy
Jump to solution

Thank u very much sir. It worked.

0 Kudos
Gabriel_Rosas
Explorer
‎2019-05-21 12:13 PM
In response to PhoneBoy
Jump to solution

Hi all,
I commented that I have a similar scenario and in the R77.30 version it operates in an appropriate way; but when placing equipment in R80.20 version this scenario stops operating, you know there is some limitation in that version.

Regards.

0 Kudos
eddie_akemu
Participant
‎2019-07-30 12:54 PM
In response to Gabriel_Rosas
Jump to solution

I have configured a Checkpoint firewall as an internet gateway in my ESX lab and wanted to check with you if they is anything missing .

• This gateway is acting to hide ( NAT) for the following IP addresses

10.196.5.0/24
10.196.10.0/24


• They should be hiding behind the IP address 10.196.0.254
• The 172.16.203.0/24 network is automatically natted and traffic is already passing through this to the internet

 

Internet
-------------------------------- (192.168.1.254)- Router


                                                              |
                                                              |
                                       192.168.1.165 - External
                                      FireWall - Checkpoint
                                              (10.196.0.254) - internal
                                                             |
                                                             |
                                                (10.196.0.1)
                                                    Firewall
                                (10.196.5.1)            (10.196.10.1)
                                   |                                       |
Web Browsing (10.196.5.x)| |               Email (10.196.10.x)
| |

When I tried to initiate traffic from the 10.196.5.0/24 network , I cannot see any traffic hitting the Checkpoint gateway firewall ..

I have added the mac addresses for the 10.196.5.1 and 10.196.10.1 interfaces on the checkpoint firewallRulesRulesRuless.jpg

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events