Checkpoint HELP!!! Private IP addresses on the outside???

I'm trying to set up a solution that will allow an external vendor to connect to our internal network (two systems only). Here's the question: the way that I have set it up doesn't work, and I think that it has to do with the way that I've set up the IP addresses/VLANs. Here's the scenario. I have a point-to-point link connected by two 2600s (this works fine; both routers can communicate on the serial port without any problems). On the end of my 2600 I'm connecting to a Cisco switch and from there into an interface directly connected to my Checkpoint firewall. The connection between the serial interfaces on both routers and the firewall is on a 10.105.105.xxx network, and the customer traffic is being NATed to a 10.106.106.xxx network (there's a one-to-one translation happening, 12.4.xxx.xxx ---> 10.106.106.xxx). The connection between the switch and the Checkpoint is trunked for any VLAN, and the port on the switch that the router connects to is configured for VLAN 106. So here's a breakdown:

Cisco 2600 (vendor) ----> Cisco 2600 (me) -----> Cisco 3500 switch ---> Checkpoint FW ----> internal net

  vendor 2600:  s0/0 - 10.105.105.xxx     e0 - 12.4.xxx.xxx
  my 2600:      e0 - 10.105.105.xxx       s0/0 - unnumbered
  3500 switch:  gigabit0/1 - trunk (to Checkpoint)     f0/1 - vlan 106 dot1q (to my 2600)
  Checkpoint:   int - 10.105.105           internal net - 10.106.106

From my internal network, I can see the router on my end but not my vendor's router (this could have something to do with the NATing, not sure). I can't, however, see the vendor's router.

Can Checkpoint pass dot1q traffic?  Is there a better way of doing this?  
Asked by: sunny10

1 Solution
bfarmer commented:
Checkpoint in and of itself isn't aware of trunking.  Depending on the platform you're on you may be able to use it.  We use separate interfaces per VLAN (assuming they need to be separated for security purposes).  

Cisco 2600 (vendor) ----> Cisco 2600 (me) -----> Cisco 3500 switch ---> Checkpoint FW ----> internal net

  vendor 2600:  s0/0 - 10.105.105.xxx     e0 - 12.4.xxx.xxx
  my 2600:      e0 - 10.105.105.xxx       s0/0 - unnumbered
  3500 switch:  gigabit0/1 - vlan 106 (to Checkpoint)     f0/1 - vlan 106 dot1q (to my 2600)
  Checkpoint:   int - 10.105.105           internal net - 10.106.106

Where is the NAT taking place in your example? On the firewall or the router?  I assume you have routes in place for each network?

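bfarmer's point, as an added example that is not from the thread: the 3500 switch configuration that puts the firewall-facing port into VLAN 106 (one physical Checkpoint interface per VLAN), shown beside the trunked version the question describes, plus the routes the answer asks about. Interface names follow the diagrams; the host addresses (10.105.105.2 for my 2600, 10.105.105.3 for the vendor's serial interface), the IOS interface names Ethernet0/0 and Serial0/0 (the question calls them e0 and s0/0), and the placement of the NAT on the vendor side are assumptions for illustration, since the thread has not settled where the NAT happens.

```cisco
! --- Cisco 3500 switch, as the question describes it (does not work) -------
! gigabit0/1 faces the Checkpoint. A dot1q trunk sends VLAN 106 frames tagged
! (unless 106 is the native VLAN). A Checkpoint interface that is not
! configured for 802.1Q tagging drops tagged frames, so VLAN 106 traffic
! never reaches the firewall.
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! --- Same switch, per bfarmer's diagram: gigabit0/1 is simply in VLAN 106 ---
interface FastEthernet0/1
 description to my 2600 Ethernet0/0 (router sends untagged frames: access, not trunk)
 switchport mode access
 switchport access vlan 106
!
interface GigabitEthernet0/1
 description to Checkpoint external interface (10.105.105.0/24 side)
 switchport mode access
 switchport access vlan 106
!
! If the trunk toward the firewall must stay, make 106 the native VLAN so its
! frames leave gigabit0/1 untagged and the firewall sees plain Ethernet:
! interface GigabitEthernet0/1
!  switchport trunk native vlan 106
!
! --- My Cisco 2600 (assumed addresses; the thread only gives the /24s) -----
interface Ethernet0/0
 ip address 10.105.105.2 255.255.255.0
!
interface Serial0/0
 ip unnumbered Ethernet0/0
!
! The vendor's s0/0 (assumed 10.105.105.3) sits in the same 10.105.105.0/24
! as Ethernet0/0. Without a host route, this router and the firewall both
! treat that address as on-link Ethernet and ARP for it instead of sending
! it over the serial link, which matches "I can see my router but not the
! vendor's".
ip route 10.105.105.3 255.255.255.255 Serial0/0
! Vendor hosts appear inside 10.106.106.0/24 after the one-to-one NAT. If the
! NAT is on the vendor 2600 (assumed here), that block is reached via serial.
ip route 10.106.106.0 255.255.255.0 Serial0/0
```

The firewall needs the matching entries, entered with the Checkpoint platform's own route command: 10.106.106.0/24 and the vendor's /32 via 10.105.105.2. crazynoodle's alternative below (no NAT, a rule permitting the 12.4.x.x source to the two hosts) only changes which network the firewall routes toward the serial link; the switch-port and host-route points are the same either way.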
crazynoodle commented:
I am wondering why you are using NAT here. Your 2600 should route the customer traffic to the external interface of the Checkpoint, and then a new rule allowing the external source of 12.4.x.x to the 2 destination hosts should do the trick. Or maybe I am just not understanding the topology. Is there other external traffic traversing this 3500 switch to the internal network?