Solved

Checkpoint HELP!!!  Private IP addresses on the outside???

Posted on 2004-08-19
Last Modified: 2013-11-16
I'm trying to set up a solution that will allow an external vendor to connect to our internal network (two systems only).  Here's the question: the way that I have set it up doesn't work, and I think that it has to do with the way that I've set up the IP addresses/VLANs.  Here's the scenario. I have a point-to-point connected by two 2600's (this works fine, both routers can communicate on the serial port without any problems); on the end of my 2600 I'm connecting to a Cisco switch and from there into an interface directly connected to my Checkpoint firewall.  The connection between the serial interfaces on both routers and the firewall is on a 10.105.105.xxx network, and the customer traffic is being NATed to a 10.106.106.xxx network (there's a one-to-one translation happening, 12.4.xxx.xxx ---> 10.106.106.xxx).  The connection between the switch and the Checkpoint is trunked for any VLAN, and the port on the switch that the router connects to is configured for VLAN 106.  So here's a breakdown,

Cisco 2600 ----> Cisco 2600 ----->Cisco 3500 switch --->Checkpoint FW---->internal net
(vendor)               (me)                 gigabit0/1 - trunk        int - 10.105.105     10.106.106
s0/0-10.105.105   e0-10.105.105     f0/1-vlan 106 dot1q
e0-12.4.xxx.xxx     s0/0-unnumbered

From my internal network, I can see the router on my end but not my vendor's router (this could have something to do with the NATing, not sure).  I can't, however, see the vendor's router.

Can Checkpoint pass dot1q traffic?  Is there a better way of doing this?  
Question by:sunny10

Accepted Solution by: bfarmer (earned 500 total points)
ID: 11859507
Checkpoint in and of itself isn't aware of trunking.  Depending on the platform you're on you may be able to use it.  We use separate interfaces per VLAN (assuming they need to be separated for security purposes).  

Cisco 2600 ----> Cisco 2600 ----->Cisco 3500 switch       --->Checkpoint FW---->internal net
(vendor)               (me)                 gigabit0/1 - vlan 106        int - 10.105.105     10.106.106
s0/0-10.105.105   e0-10.105.105     f0/1-vlan 106 dot1q
e0-12.4.xxx.xxx     s0/0-unnumbered

Where is the NAT taking place in your example? On the firewall or the router?  I assume you have routes in place for each network?


Expert Comment by: crazynoodle
ID: 11865683
I am wondering why you are using NAT here..   Your 2600 should route the customer traffic to your external interface of the Checkpoint, and then a new rule allowing the external source of 12.4.x.x to the 2 destination hosts should do the trick.. or maybe I am just not understanding the topology.    Is there other external traffic traversing this 3500 switch to the internal network?
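As an added example that is not from either poster: the switch-port change bfarmer's diagram implies (the firewall-facing port as an untagged member of VLAN 106 instead of a dot1q trunk), followed by the minimal firewall rule crazynoodle describes. Interface names, VLAN 106 and the address ranges come from the thread; the port descriptions and the exact host addresses are assumed.

```cisco
! Constructed example (added here, not the posters' running configuration).
! Interface names, VLAN 106 and the 10.105.105 / 10.106.106 / 12.4.x.x
! networks come from the thread; descriptions and exact hosts are assumed.
!
! ===== Cisco 3500 switch, AS POSTED: firewall port carries an 802.1q trunk =====
interface GigabitEthernet0/1
 description to Checkpoint FW (trunk, all VLANs)
 switchport trunk encapsulation dot1q
 switchport mode trunk
! Frames for VLAN 106 leave this port tagged. A Checkpoint interface that is
! not configured for 802.1q does not strip the tag, so the 2600 behind
! FastEthernet0/1 is unreachable from the firewall side.
!
! ===== Cisco 3500 switch, AS SUGGESTED: one untagged firewall port per VLAN =====
interface FastEthernet0/1
 description to my 2600 Ethernet0 (10.105.105.x)
 switchport access vlan 106
 switchport mode access
!
interface GigabitEthernet0/1
 description to Checkpoint FW, dedicated interface for VLAN 106 only
 switchport access vlan 106
 switchport mode access
! Both ports are now untagged members of VLAN 106, so the firewall sees plain
! Ethernet frames from the 2600 and needs no VLAN support of its own. A second
! vendor VLAN would get its own access port and its own firewall interface
! rather than re-introducing the trunk.
!
! ===== Checkpoint rule base (sketch of the rule's fields, not product syntax) =====
! Following crazynoodle's suggestion, admit only the vendor's address space
! to the two permitted hosts and nothing else:
!   Source:      vendor network 12.4.x.x (10.106.106.x if the 2600 translates first)
!   Destination: the two internal hosts only
!   Service:     only the ports the vendor actually needs
!   Action:      Accept
!   Last rule:   Any / Any / Any -> Drop
! Which source to match depends on bfarmer's question about where NAT happens:
! the rule must name the address the firewall actually sees on the wire.
```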
