Solved

Checkpoint Firewall question

Posted on 2001-08-29
355 Views
Last Modified: 2013-11-16
I have a Checkpoint firewall that I am installing. It has 3 NIC cards. I want to set it up so that it performs network address translation for an entire network (10.0.0.0) and also performs a couple of static mappings for a specific machine (ex. 200.50.12.6 maps to 10.0.0.2). Can I do both? Or will Checkpoint only allow me to either go static or dynamic? If I can, how is it done?
Question by:Silas
11 Comments
 

Expert Comment

by:jwalsh88
ID: 6440407
This is easy and I will try and help. First of all, most of your question can be answered at www.phoneboy.com.
Now to address what you want to do. I would recommend never doing automatic translations, that means never use the NAT tab on network object properties. In Policy Editor do all translation right there on the Address Translation policy tab. To do what you want, follow this guideline:

create a workstation object int-host-1-int
give it IP address 10.0.0.2

create a workstation object int-host-1-ext
give it IP address 200.50.12.6

create a network object int-network-1
give it the IP network 10.0.0.0 255.255.255.0

create a workstation object int-network-1-hiding
give it the same IP address as the external interface of the firewall. *Note: Checkpoint will give you a warning message that you are giving two objects the same IP address; this is okay, just click OK.*

Now create the following translation rules (original packet on the left, translated packet on the right):

Source           Destination      Service   Translated Source      Translated Destination   Translated Service
any              int-host-1-ext   any       orig.                  int-host-1-int           any
int-host-1-int   any              any       int-host-1-ext         orig.                    any
int-network-1    any              any       int-network-1-hiding   orig.                    any

If you can't read that I am sorry, very limited in what can be done here. If you need a screen shot, give me your email and I will send one.

Also, you have to make sure the firewall answers for the static address you just assigned it to translate. The best way to do that is to put a static ARP entry on the external router that the firewall connects to for its Internet connection.
Something like this in Cisco IOS (the hardware address type keyword, arpa for Ethernet, is required):

config t
arp 200.50.12.6 <MAC address of firewall> arpa

If you can't do this then you need to do it on the firewall; the only problem is, if there is a switch in between the firewall and the external router, sometimes the switch won't like it and the router won't be able to send traffic destined for 200.50.12.6 to the firewall.

Besides that you are all set.
Let me know if you need the screen shot to better understand, but it is very simple to setup.
 

Author Comment

by:Silas
ID: 6440740
This is good info. I just had one other question regarding the NAT functionality on Checkpoint. Can you NAT a remote network, i.e. one that is not directly connected to one of the Checkpoint interfaces? I have 2 routers, one going to the Internet, one going to a remote network, but that remote network needs to be NATed as well, so it can reach the web. In Cisco, we would create an access list that would be used for NAT purposes, specifying local and remote networks (or everyone). Can I do the same thing here?

Expert Comment

by:jwalsh88
ID: 6440762
As long as the traffic from the remote office passes through the Checkpoint firewall it can be NATed.

Give me an idea of your network layout and maybe I can suggest a best-practices kind of thing. I have this exact kind of thing set up all over the world on firewalls I manage.
Author Comment

by:Silas
ID: 6440872
here is a crude diagram

        Internet
            |
-------Cisco 2621--------
            |
-------Checkpoint--------
            |
         Switch----------Cisco 2501
            |                 |
      Local Network       Remote Network (different subnet)

So the Checkpoint needs to be able to recognize packets coming from the remote network via the 2500 series router and send them to the Internet as well.


Accepted Solution

by: geoffryn (earned 300 total points)
ID: 6440933
Just define another network object for the remote subnet and create an allow rule.  The Checkpoint will also need a static route to the remote network.

Author Comment

by:Silas
ID: 6440941
Cool, thanks. I am also posting another question regarding Checkpoint, if you could help me with that one...

Expert Comment

by:jwalsh88
ID: 6441105
geoffryn's answer is wrong, he is missing something. You shouldn't accept answers so quickly.

Expert Comment

by:jwalsh88
ID: 6441166
You asked how to set up NAT for another network. He created an object and gave a reference to setting up a rule to allow the traffic from that network, but that isn't only an incomplete answer, it's not even the best way of doing it.

The best way of doing this is to create a group object, then create network objects for all your internal networks, then put all the newly created network objects into the group object you created for internal networks. Then create your rule base allowing those groups out. Then, make sure you create a translation rule like the one I listed above, except instead of translating the int-network object to int-network-ext, remove the int-network-int object and insert the group container that you created that holds all internal networks.

That's the easiest way of doing things. The best way would be to put the router off the third port of your firewall so you can have some protection, so you have a firewall separating all three locations: Internet, site 1 and site 2.

Author Comment

by:Silas
ID: 6446286
jwalsh88: Looking at the rule you have defined above, could I also create 2 network objects

1. GroupWise-Ext: 200.100.100.6
2. GroupWise-Int: 10.0.0.2

and set up a rule specifying the destination GroupWise-Ext and translated destination GroupWise-Int with a service of TCP 25?  Or does the name have to match?

Expert Comment

by:jwalsh88
ID: 6451227
Silas, not sure I understand your question. Why don't you just let me know exactly what you want to do and I can tell you what you need to set up to get it done.
Author Comment

by:Silas
ID: 6453066
I want to do a port address translation to an internal GroupWise server:

ex: 200.100.100.6 110 maps to 10.0.0.2 110

Pretty straightforward, I just don't like working with restrictive GUIs.

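Added example (not code from the thread, the posters, or Check Point): a small first-match simulation of the translation rulebase discussed above, covering the three rules in jwalsh88's first comment, the group object from his later comment, and the port-specific destination rule Silas asks about at the end. It assumes the rulebase is evaluated top to bottom with the first matching rule applied, that "hide" translation rewrites the source port and keeps a table for replies while "static" translation is one-to-one, and it uses assumed addresses for the remote subnet (10.0.1.0/24), the firewall's external address used for hiding (200.50.12.1), the test clients (198.51.100.7, 203.0.113.9) and the high-port pool. The swapped rulebase at the bottom shows why the static rule for the server must sit above the hide rule.

```python
"""First-match simulation of a FireWall-1 style address translation rulebase."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from itertools import count

ANY = "any"    # wildcard in a rule column
ORIG = "orig"  # "original" in a translated column: leave that field alone

# Object table. Names follow jwalsh88's convention; 10.0.0.2 and 200.50.12.6 come
# from the thread. remote-network-1 (behind the Cisco 2501) and the hiding address
# 200.50.12.1 are assumptions made for this example.
OBJECTS = {
    "int-host-1-int":       ["10.0.0.2/32"],
    "int-host-1-ext":       ["200.50.12.6/32"],
    "int-network-1":        ["10.0.0.0/24"],
    "remote-network-1":     ["10.0.1.0/24"],
    "internal-networks":    ["10.0.0.0/24", "10.0.1.0/24"],  # group object
    "int-network-1-hiding": ["200.50.12.1/32"],
}

def matches(obj, addr):
    """True if addr lies inside any network of the named object (or obj is any)."""
    return obj == ANY or any(ip_address(addr) in ip_network(n) for n in OBJECTS[obj])

def first_addr(obj):
    return str(ip_network(OBJECTS[obj][0]).network_address)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class Rule:
    src: str           # original source object
    dst: str           # original destination object
    svc: object        # ANY or (proto, port)
    xsrc: str          # translated source object, or ORIG
    xdst: str          # translated destination object, or ORIG
    mode: str = "static"  # "static" (one-to-one) or "hide" (many-to-one, port rewrite)
    name: str = ""

class Translator:
    def __init__(self, rules):
        self.rules = list(rules)
        self.hide_table = {}           # (hide_ip, hide_port) -> (orig_ip, orig_port)
        self.next_port = count(10000)  # assumed high-port pool for hide NAT

    def outbound(self, pkt):
        """Apply the first matching rule; rulebase order decides the outcome."""
        for rule in self.rules:
            svc_ok = rule.svc == ANY or rule.svc == (pkt.proto, pkt.dport)
            if matches(rule.src, pkt.src) and matches(rule.dst, pkt.dst) and svc_ok:
                return self._apply(rule, pkt), rule.name
        return pkt, None  # no rule matched: packet is forwarded untranslated

    def _apply(self, rule, pkt):
        new = pkt
        if rule.xsrc != ORIG:
            new_src = first_addr(rule.xsrc)
            if rule.mode == "hide":
                port = next(self.next_port)
                self.hide_table[(new_src, port)] = (pkt.src, pkt.sport)
                new = replace(new, src=new_src, sport=port)
            else:
                new = replace(new, src=new_src)
        if rule.xdst != ORIG:
            new = replace(new, dst=first_addr(rule.xdst))
        return new

    def reply(self, pkt):
        """Map a reply arriving at the hide address back to the hidden host, or None."""
        orig = self.hide_table.get((pkt.dst, pkt.dport))
        return None if orig is None else replace(pkt, dst=orig[0], dport=orig[1])

# The thread's rulebase, with the group object and a TCP 110 only inbound rule.
RULEBASE = [
    Rule(ANY, "int-host-1-ext", ("tcp", 110), ORIG, "int-host-1-int", name="inbound-pop3"),
    Rule("int-host-1-int", ANY, ANY, "int-host-1-ext", ORIG, name="outbound-static"),
    Rule("internal-networks", ANY, ANY, "int-network-1-hiding", ORIG, mode="hide",
         name="hide-all-internal"),
]

def demo(rules=RULEBASE):
    """Run representative packets (constructed addresses) through the rulebase."""
    t = Translator(rules)
    r = {}
    r["inbound"] = t.outbound(Packet("198.51.100.7", 40000, "200.50.12.6", 110))
    r["inbound_other_port"] = t.outbound(Packet("198.51.100.7", 40001, "200.50.12.6", 443))
    r["server_out"] = t.outbound(Packet("10.0.0.2", 5000, "203.0.113.9", 80))
    r["local_out"] = t.outbound(Packet("10.0.0.50", 5001, "203.0.113.9", 80))
    r["remote_out"] = t.outbound(Packet("10.0.1.20", 5002, "203.0.113.9", 80))
    hidden, _ = r["remote_out"]
    r["remote_reply"] = t.reply(Packet("203.0.113.9", 80, hidden.src, hidden.sport))
    return r

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
    swapped = [RULEBASE[2], RULEBASE[0], RULEBASE[1]]  # hide rule first: server loses its static address
    print("swapped server_out:", demo(swapped)["server_out"])
```

With the rules in the posted order the GroupWise server keeps 200.50.12.6 on the way out, every other local or remote host is hidden behind the firewall address with a rewritten source port, and an inbound connection to 200.50.12.6 on a port other than 110 is left untranslated. Moving the group hide rule above the static rule makes the server match the hide rule first, which is the ordering mistake the example exists to show.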