sunny10
asked on
Checkpoint HELP!!! Private IP addresses on the outside???
I'm trying to set up a solution that will allow an external vendor to connect to our internal network (two systems only). Here's the question: the way that I have set it up doesn't work, and I think that it has to do with the way that I've set up the IP addresses/VLANs. Here's the scenario: I have a point-to-point connected by two 2600s (this works fine; both routers can communicate on the serial port without any problems). On the end of my 2600 I'm connecting to a Cisco switch, and from there into an interface directly connected to my Checkpoint firewall. The connection between the serial interfaces on both routers and the firewall is on a 10.105.105.xxx network, and the customer traffic is being NATted to a 10.106.106.xxx network (there's a one-to-one translation happening, 12.4.xxx.xxx ---> 10.106.106.xxx). The connection between the switch and the Checkpoint is trunked for any VLAN, and the port on the switch that the router connects to is configured for VLAN 106. So here's a breakdown:
Cisco 2600 (vendor) ----> Cisco 2600 (me) -----> Cisco 3500 switch ---> Checkpoint FW ----> internal net

  Cisco 2600 (vendor): e0 - 12.4.xxx.xxx ; s0/0 - 10.105.105
  Cisco 2600 (me):     s0/0 - unnumbered ; e0 - 10.105.105
  Cisco 3500 switch:   f0/1 - vlan 106 (to my 2600) ; gigabit0/1 - trunk, dot1q (to the Checkpoint)
  Checkpoint FW:       int - 10.105.105 / 10.106.106
From my internal network, I can see the router on my end but not my vendor's router (this could have something to do with the NATting, not sure). I can't, however, see the vendor's router.
Can Checkpoint pass dot1q traffic? Is there a better way of doing this?
I am wondering why you are using NAT here. Your 2600 should route the customer traffic to your external interface of the Checkpoint, and then a new rule allowing the external source of 12.4.x.x to the 2 destination hosts should do the trick... or maybe I am just not understanding the topology. Is there other external traffic traversing this 3500 switch to the internal network?
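The no-NAT design the answer describes, written out as an added example configuration that is not sunny10's or the answerer's own config: my 2600 only routes, the 3500 has the router on a VLAN 106 access port and the firewall on a dot1q trunk as in the post, and the Checkpoint gets one rule instead of a translation. The host addresses (10.105.105.1/.2), the 12.4.0.0/16 summary and the two destination host names are assumed placeholders, since the post elides them.

```cisco
! --- Cisco 2600 (me): routing only, no "ip nat inside/outside" anywhere ---
interface Ethernet0
 description To 3500 f0/1 (VLAN 106), towards the Checkpoint external interface
 ip address 10.105.105.2 255.255.255.0      ! assumed host address
!
interface Serial0/0
 description Point-to-point to the vendor 2600
 ip unnumbered Ethernet0
!
! The vendor's real source network is reached over the serial link.
! 12.4.0.0/16 is an assumed summary; the post only shows 12.4.xxx.xxx.
ip route 12.4.0.0 255.255.0.0 Serial0/0
!
! --- Cisco 3500 switch ---
interface FastEthernet0/1
 description 2600 (me) e0
 switchport mode access
 switchport access vlan 106
!
interface GigabitEthernet0/1
 description Checkpoint FW external interface
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 106
 ! A trunk delivers VLAN 106 frames tagged, so the Checkpoint interface must
 ! have a VLAN 106 (tagged) sub-interface. If the firewall interface is plain
 ! untagged 10.105.105.x, use "switchport mode access" + "switchport access
 ! vlan 106" on this port instead of the trunk.
!
! --- Checkpoint FW (rulebase, not CLI) ---
! Route:       12.4.0.0/16 via 10.105.105.2 (my 2600 e0)  ! assumed addresses
! Rule:        Source 12.4.0.0/16  ->  Destination HOST_A, HOST_B (the two
!              internal systems; assumed names)  Service: only what the vendor
!              needs  Action: Accept  Track: Log
! No NAT rule: the 10.106.106.x one-to-one translation is dropped, so the
!              firewall logs the vendor's real 12.4.x.x source addresses.
```

With NAT gone, the internal hosts see (and the firewall logs) the vendor's real addresses, which is what the single accept rule above matches on.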