Solved

Static mapping not working in CheckPoint

Posted on 2001-09-10
340 Views
Last Modified: 2013-11-16
I have a Checkpoint Firewall1 server and an application that I need to access from the Internet.  I am not using VPN (yet).  I set up a one-to-one static mapping for the server, by basically creating 2 network objects:

AS400-Int = 10.0.0.2
AS400-Ext = <public ip>

Then I set up a rule specifying that anyone can access this machine at the public address using TCP 1375 at the public address.  I then set up a route entry

ROUTE -P ADD <public ip> 10.0.0.2

I installed the policy, but it does not seem to be working.  I was told that I had to associate the public ip with the MAC address of the server.  How is this done? (I don't remember).  Is this the problem?
Question by:Silas
13 Comments
 
LVL 4

Expert Comment

by:jwalsh88
ID: 6472870
You do not need a route; you need to make a static ARP entry on the firewall.
 
LVL 4

Expert Comment

by:jwalsh88
ID: 6472902
If you need to know how to do this, let me know and let me know what type of system this is.

Just so you know, the firewall will need a route statement like the one you used if it doesn't already know how to get to the network that the internal host resides on.  In other words, if it doesn't already have a static route to that network then you need to create a host route on the firewall.  It won't hurt anything to create a route for all Static NATs, so you might want to do that.  But the reason that it is not working is because you need to create the Static ARP entry on the firewall to allow the firewall to answer requests for that IP address.
 
LVL 2

Expert Comment

by:bsadlick
ID: 6474323
I have not had to add arp entries to my firewall to get this configuration to work. In addition to the static routes on the firewall, I have had to add routes on my protected hosts so that they know how to route back to the Internet.

Is your as/400 getting the traffic from your FW? Does it know where to route back to?
 
LVL 11

Expert Comment

by:geoffryn
ID: 6474658
You need to modify the local.arp file with the MAC address of the server.  Do a search for Proxy ARP at www.phoneboy.com
 

Author Comment

by:Silas
ID: 6477742
I will try the local.arp file and let you know.  If anyone has used SonicWall firewalls, please see my other question in this section.
 
LVL 23

Expert Comment

by:Tim Holman
ID: 6482610
If platform = NT, then you need local.arp
If platform = Win 2000, it won't work...
The easiest way to create 121 NAT is to create the internal object, click on the NAT tab, and add an automatic rule using the valid IP address of the object.
 
LVL 4

Expert Comment

by:jwalsh88
ID: 6482697
Be careful with that; even Check Point themselves will tell you to never use the automatic NAT capabilities, especially when creating a one-to-one static mapping.  The reason is you can't control the NATing and when it's done in the Address Translation rule base.
 
LVL 23

Expert Comment

by:Tim Holman
ID: 6482717
Automatic NAT rules are simple to set up and work fine in simple situations.
If you need to troubleshoot, however, create them manually using the auto rules as a guideline, as auto rules won't log.
Auto rules also do not work very well when you've got lots of firewall objects, as they will get installed on ALL firewall objects by default.
 
LVL 2

Expert Comment

by:bsadlick
ID: 6482721
You need to set up the NAT rule for the external address. So for your AS400-Ext, under the NAT tab set the type to static, and the address is the internal address. Verify that the NAT rule exists. That should look like:

Any   AS400-Ext  Any  Any  AS400-Int  Any

Also make sure that your security policy rule uses the external object. So the rule should be:

Any   AS400-Ext  Any  Accept

Hope this helps
 
LVL 3

Expert Comment

by:klalakomacoi
ID: 6512965
You can always put the proxy ARP mappings in your router instead.  We currently stick them in local.arp, but in times past we had them in our Internet router.  I never noticed any difference in performance or reliability, and I am unaware of any compelling reason to prefer one method over the other, but they both work.
 
LVL 1

Expert Comment

by:mangia
ID: 6567500
If you have this:

|internet|
|
|
|router|
|
|
|firewall|
|
|
|web server|

Requests from the Internet need to resolve the MAC address for the next hop.  The MAC address is locally significant only.  The firewall needs to be configured to reply with its own MAC address when queried for the MAC address of the NATed web server address.

 
LVL 4

Expert Comment

by:jwalsh88
ID: 6573646
Silas, not sure if you are still looking at this but here is how it goes.  You need the router to think the IP address of the AS400's public address is tied to the MAC address of the firewall's external interface.  This can be done in two ways but MUST be done in one of the two ways.  You can add a static ARP entry on the router or you can publish the ARP using a proxy ARP on the firewall.  You will also need a route to the AS400's external IP address with a gateway of the AS400's internal IP address added on the firewall.  Besides that, you simply need to add a one-to-one static NAT rule in the NAT policy, like this:

Src        Dest       Srv   Src        Dest       Srv
=====================================================
AS400-int  any        any   AS400-ext  any        any
any        AS400-ext  any   any        AS400-int  any
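The replies above (jwalsh88's summary, the local.arp pointers from geoffryn and Tim Holman, bsadlick's notes on the NAT and security rules and on the return route) together list everything a one-to-one static mapping needs. The following script is an added example, not code from this thread or from Check Point: it models those pieces for a setup like Silas's and reports which one is missing. The local.arp line format ("<ip> <mac>" per line, "#" comments), the object names, the firewall MAC and the 203.0.113.10 address standing in for the real public IP are all constructed for the example.

```python
"""Consistency check for a FireWall-1 style one-to-one static NAT.

Added example.  It checks the conditions the thread says must all hold:
a proxy ARP entry for the public IP bound to the firewall's external MAC,
a host route on the firewall, an inbound and an outbound NAT rule, a security
rule that names the external object, and a return route on the protected host.
The local.arp format and the object/rule layout are assumptions for this example.
"""
from __future__ import annotations
from dataclasses import dataclass

ANY = "any"


def parse_local_arp(text: str) -> dict[str, str]:
    """Parse '<ip> <mac>' lines into {ip: mac}; MACs are normalised to
    lower-case colon form so '00-A0-C9-..' and '00:a0:c9:..' compare equal."""
    table: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"malformed local.arp line: {raw!r}")
        ip, mac = parts
        table[ip] = mac.lower().replace("-", ":")
    return table


@dataclass
class NatRule:
    # original packet (src, dst, service) -> translated packet (src, dst, service)
    orig_src: str
    orig_dst: str
    orig_svc: str
    xl_src: str
    xl_dst: str
    xl_svc: str


@dataclass
class SecurityRule:
    src: str
    dst: str
    svc: str
    action: str


@dataclass
class StaticNatCheck:
    objects: dict[str, str]        # object name -> IP address
    internal_obj: str
    external_obj: str
    fw_external_mac: str
    fw_internal_ip: str
    local_arp: dict[str, str]      # parsed local.arp (proxy ARP) table
    fw_routes: dict[str, str]      # host route on the firewall: destination -> gateway
    nat_rules: list[NatRule]
    security_rules: list[SecurityRule]
    host_default_gateway: str      # default route configured on the protected host

    def findings(self) -> list[str]:
        """Return one message per missing or inconsistent piece; [] means all present."""
        pub, priv = self.objects[self.external_obj], self.objects[self.internal_obj]
        want_mac = self.fw_external_mac.lower().replace("-", ":")
        out: list[str] = []
        mac = self.local_arp.get(pub)
        if mac is None:
            out.append(f"no proxy ARP entry for {pub}: the router cannot resolve it to the firewall")
        elif mac != want_mac:
            out.append(f"proxy ARP for {pub} answers with {mac}, not the firewall's external MAC {want_mac}")
        if self.fw_routes.get(pub) != priv:
            out.append(f"firewall lacks the host route {pub} -> {priv}")
        if not any(r.orig_dst == self.external_obj and r.xl_dst == self.internal_obj for r in self.nat_rules):
            out.append(f"no NAT rule translating destination {self.external_obj} -> {self.internal_obj}")
        if not any(r.orig_src == self.internal_obj and r.xl_src == self.external_obj for r in self.nat_rules):
            out.append(f"no NAT rule translating source {self.internal_obj} -> {self.external_obj} for outbound connections")
        if not any(r.dst == self.external_obj and r.action == "accept" for r in self.security_rules):
            out.append(f"no security rule accepting traffic to {self.external_obj} (rules must name the external object)")
        if self.host_default_gateway != self.fw_internal_ip:
            out.append(f"protected host routes replies via {self.host_default_gateway}, not the firewall ({self.fw_internal_ip})")
        return out


# Constructed sample modelled on the question; 203.0.113.10 (TEST-NET-3) stands in
# for the real public IP and the MAC is a placeholder for the firewall's outside NIC.
PUBLIC_IP = "203.0.113.10"
FW_EXT_MAC = "00-A0-C9-12-34-56"


def sample_check(local_arp_text: str) -> StaticNatCheck:
    return StaticNatCheck(
        objects={"AS400-Int": "10.0.0.2", "AS400-Ext": PUBLIC_IP},
        internal_obj="AS400-Int", external_obj="AS400-Ext",
        fw_external_mac=FW_EXT_MAC, fw_internal_ip="10.0.0.1",
        local_arp=parse_local_arp(local_arp_text),
        fw_routes={PUBLIC_IP: "10.0.0.2"},            # ROUTE -P ADD <public ip> 10.0.0.2
        nat_rules=[NatRule("AS400-Int", ANY, ANY, "AS400-Ext", ANY, ANY),
                   NatRule(ANY, "AS400-Ext", ANY, ANY, "AS400-Int", ANY)],
        security_rules=[SecurityRule(ANY, "AS400-Ext", "tcp/1375", "accept")],
        host_default_gateway="10.0.0.1",
    )


BROKEN_LOCAL_ARP = "# route and rules present, but no proxy ARP yet\n"
FIXED_LOCAL_ARP = f"{PUBLIC_IP} {FW_EXT_MAC}\n"

if __name__ == "__main__":
    for label, text in (("as posted", BROKEN_LOCAL_ARP), ("with local.arp", FIXED_LOCAL_ARP)):
        print(label + ":", sample_check(text).findings() or ["all pieces present"])
```

Run as posted, the only finding is the missing proxy ARP entry, which matches the diagnosis in the thread; adding the local.arp line (or the equivalent static ARP on the router, which this check does not model) clears it. The check is deliberately strict about the MAC: an entry that maps the public address to anything other than the firewall's external interface fails in the same silent way as no entry at all.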
 

Accepted Solution

by:
SpideyMod earned 0 total points
ID: 8143518
Administrative Action: PAQ'd and all 50 points NOT refunded.

SpideyMod
Community Support Moderator @Experts Exchange
