Static mapping not working in CheckPoint

Posted on 2001-09-10
Last Modified: 2013-11-16
I have a Checkpoint Firewall1 server and an application that I need to access from the Internet.  I am not using VPN (yet).  I set up a one-to-one static mapping for the server, by basically creating 2 network objects:

AS400-Int = 10.0.0.2
AS400-Ext = <public ip>

Then I set up a rule specifying that anyone can access this machine at the public address using TCP 1375.  I then set up a route entry

ROUTE -P ADD <public ip> 10.0.0.2

I installed the policy, but it does not seem to be working.  I was told that I had to associate the public ip with the MAC address of the server.  How is this done? (I don't remember).  Is this the problem?
Question by:Silas
LVL 4

Expert Comment

by:jwalsh88
You do not need a route you need to make a static ARP entry on the firewall.
LVL 4

Expert Comment

by:jwalsh88
If you need to know how to do this, let me know and let me know what type of system this is.

Just so you know, the firewall will need a route statement like the one you used if it doesn't already know how to get to the network that the internal host resides on.  In other words, if it doesn't already have a static route to that network then you need to create a host route on the firewall.  It won't hurt anything to create a route for all Static NATs, so you might want to do that.  But the reason that it is not working is because you need to create the Static ARP entry on the firewall to allow the firewall to answer requests for that IP address.
LVL 2

Expert Comment

by:bsadlick
I have not had to add arp entries to my firewall to get this configuration to work. In addition to the static routes on the firewall, I have had to add routes on my protected hosts so that they know how to route back to the Internet.

Is your as/400 getting the traffic from your FW? Does it know where to route back to?
LVL 11

Expert Comment

by:geoffryn
You need to modify the local.arp file with the MAC address of the server.  Do a search for Proxy ARP at www.phoneboy.com
Author Comment

by:Silas
I will try the local.arp file and let you know.  If anyone has used SonicWall firewalls, please see my other question in this section.
LVL 23

Expert Comment

by:Tim Holman
If platform = NT, then you need local.arp
If platform = Win 2000, it won't work...
The easiest way to create 121 NAT is to create the internal object, click on the NAT tab, and add automatic rule using the valid IP address of the object.
LVL 4

Expert Comment

by:jwalsh88
Be careful with that, even Checkpoint themselves will tell you to never use the automatic NAT capabilities, especially when creating a one to one static mapping.  The reason is you can't control the NATing and when it's done in the Address Translation rule base.
LVL 23

Expert Comment

by:Tim Holman
Automatic NAT rules are simple to set up and work fine in simple situations.
If you need to troubleshoot, however, create them manually using the auto rules as a guideline, as auto rules won't log.
Auto rules also do not work very well when you've got lots of firewall objects, as they will get installed on ALL firewall objects by default.

LVL 2

Expert Comment

by:bsadlick
You need to set up the NAT rule for the external address. So for your AS400-Ext, under the NAT tab set the type to static, and the address is the internal address. Verify that the NAT rule exists. That should look like:

Any   AS400-Ext  Any  Any  AS400-Int  Any

Also make sure that your security policy rule uses the external object. So the rule should be:

Any   AS400-Ext  Any  Accept

Hope this helps
LVL 3

Expert Comment

by:klalakomacoi
You can always put the proxy arp mappings in your router instead.  We currently stick them in local.arp, but in times past we had them in our internet router.  I never noticed any difference in performance or reliability, and I am unaware of any compelling reason to prefer one method over the other, but they both work.
LVL 1

Expert Comment

by:mangia
If you have this:

|internet|
|
|
|router|
|
|
|firewall|
|
|
|web server|

Requests from the Internet need to resolve the MAC address for the next hop.  The MAC address is locally significant only.  The firewall needs to be configured to reply with its own MAC address when queried for the MAC address of the NATed web server address.

LVL 4

Expert Comment

by:jwalsh88
Silas, not sure if you are still looking at this but here is how it goes.  You need the router to think the IP address of the AS400's public address is tied to the MAC address of the firewall's external interface.  This can be done in two ways but MUST be done in one of the two ways.  You can add a static ARP entry on the router or you can publish the ARP using a proxy ARP on the firewall.  You will also need a route to the AS400's external IP address with a gateway of the AS400's internal IP address added on the firewall.  Besides that you just simply need to add a one to one static NAT rule in the NAT policy.  Like this:

Src         Dest        Srv    Src         Dest        Srv
==========================================================
AS400-int   any         any    AS400-ext   any         any
any         AS400-ext   any    any         AS400-int   any
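The thread converges on four things that must agree for the one-to-one mapping to work: the NAT rule pair above, a security rule written against the external object, the host route on the firewall, and a proxy-ARP (local.arp or router static ARP) entry for the public address. The following checker is an added example, not CheckPoint's code or tooling; the object names, the TEST-NET public address, the MAC and the "ip mac" / "dest mask gateway" file layouts are constructed assumptions for illustration, and the checker also flags a security rule that mistakenly names the internal object, which bsadlick's comment warns against.

```python
"""Added example (not CheckPoint code): checks that the pieces the thread says a
FireWall-1 one-to-one static NAT needs agree with each other: NAT rules, a security
rule on the external object, a host route, and a local.arp (proxy ARP) entry."""

# Constructed sample data; 192.0.2.10 (TEST-NET) stands in for "<public ip>".
OBJECTS = {"AS400-Int": "10.0.0.2", "AS400-Ext": "192.0.2.10"}
# local.arp format assumed as "<public ip> <MAC of firewall external interface>".
LOCAL_ARP = "192.0.2.10 00-50-56-aa-bb-cc\n"
# Routes as "destination mask gateway"; line 2 is the ROUTE -P ADD host route.
ROUTES = "0.0.0.0 0.0.0.0 192.0.2.1\n192.0.2.10 255.255.255.255 10.0.0.2\n"
# NAT rules as (orig_src, orig_dst, xlate_src, xlate_dst); security rules as
# (src, dst, service, action), following the column order of the thread's tables.
NAT_RULES = [("AS400-Int", "Any", "AS400-Ext", "Any"),
             ("Any", "AS400-Ext", "Any", "AS400-Int")]
SECURITY_RULES = [("Any", "AS400-Ext", "TCP 1375", "Accept")]

def parse_local_arp(text):
    """Return {ip: mac} from 'ip mac' lines, ignoring blanks and # comments."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            entries[fields[0]] = fields[1].lower()
    return entries

def parse_routes(text):
    """Return {(dest, mask): gateway} from 'dest mask gateway' lines."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    return {(d, m): g for d, m, g in rows}

def check_static_nat(ext, internal, objects=OBJECTS, local_arp=LOCAL_ARP,
                     routes=ROUTES, nat_rules=NAT_RULES, sec_rules=SECURITY_RULES):
    """Return a list of findings; an empty list means the mapping is consistent."""
    pub, priv = objects[ext], objects[internal]
    findings = []
    if pub not in parse_local_arp(local_arp):
        findings.append(f"no proxy-ARP entry for {pub} in local.arp")
    if parse_routes(routes).get((pub, "255.255.255.255")) != priv:
        findings.append(f"no host route {pub} -> {priv} on the firewall")
    if ("Any", ext, "Any", internal) not in nat_rules:
        findings.append(f"no inbound NAT rule Any {ext} -> Any {internal}")
    if (internal, "Any", ext, "Any") not in nat_rules:
        findings.append(f"no outbound NAT rule {internal} Any -> {ext} Any")
    if not any(r[1] == ext and r[3] == "Accept" for r in sec_rules):
        findings.append(f"no Accept rule with {ext} as destination")
    if any(r[1] == internal for r in sec_rules):
        findings.append(f"security rule uses {internal}; it must use {ext}")
    return findings
```

Running `check_static_nat("AS400-Ext", "AS400-Int")` against the sample data returns an empty list; drop the local.arp line or the host route and the corresponding finding names the missing piece.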

Accepted Solution

by:
SpideyMod earned 0 total points
Administrative Action: PAQ'd and all 50 points NOT refunded.

SpideyMod
Community Support Moderator @Experts Exchange