Solved

Checkpoint HELP!!!  Private IP addresses on the outside???

Posted on 2004-08-19
Last Modified: 2013-11-16
I'm trying to set up a solution that will allow an external vendor to connect to our internal network (two systems only).  Here's the question: the way that I have set it up doesn't work, and I think that it has to do with the way that I've set up the IP addresses/VLANs.  Here's the scenario: I have a point-to-point link connected by two 2600s (this works fine; both routers can communicate on the serial port without any problems).  On the end of my 2600 I'm connecting to a Cisco switch and from there into an interface directly connected to my Checkpoint firewall.  The connection between the serial interfaces on both routers and the firewall is on a 10.105.105.xxx network, and the customer traffic is being NATted to a 10.106.106.xxx network (there's a one-to-one translation happening, 12.4.xxx.xxx ---> 10.106.106.xxx).  The connection between the switch and the Checkpoint is trunked for any VLAN, and the port on the switch that the router connects to is configured for VLAN 106.  So here's a breakdown,

Cisco 2600 ----> Cisco 2600 ----->Cisco 3500 switch --->Checkpoint FW---->internal net
(vendor)               (me)                 gigabit0/1 - trunk        int - 10.105.105     10.106.106
s0/0-10.105.105   e0-10.105.105     f0/1-vlan 106 dot1q
e0-12.4.xxx.xxx     s0/0-unnumbered

From my internal network, I can see the router on my end but not my vendor's router (this could have something to do with the NATting, not sure).  I can't, however, see the vendor's router.

Can Checkpoint pass dot1q traffic?  Is there a better way of doing this?  
Question by:sunny10
2 Comments
 
LVL 4

Accepted Solution

by:
bfarmer earned 1500 total points
ID: 11859507
Checkpoint in and of itself isn't aware of trunking.  Depending on the platform you're on you may be able to use it.  We use separate interfaces per VLAN (assuming they need to be separated for security purposes).  

Cisco 2600 ----> Cisco 2600 ----->Cisco 3500 switch       --->Checkpoint FW---->internal net
(vendor)               (me)                 gigabit0/1 - vlan 106        int - 10.105.105     10.106.106
s0/0-10.105.105   e0-10.105.105     f0/1-vlan 106 dot1q
e0-12.4.xxx.xxx     s0/0-unnumbered

Where is the NAT taking place in your example? On the firewall or the router?  I assume you have routes in place for each network?

 
LVL 1

Expert Comment

by:crazynoodle
ID: 11865683
I am wondering why you are using NAT here.  Your 2600 should route the customer traffic to the external interface of the Checkpoint, and then a new rule allowing the external source of 12.4.x.x to the 2 destination hosts should do the trick... or maybe I am just not understanding the topology.  Is there other external traffic traversing this 3500 switch to the internal network?
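Both answers turn on the same two questions: where the one-to-one NAT happens, and whether the firewall's rulebase and routing table are written against the address the firewall actually sees. The following model is an added illustration, not configuration from this thread or from Checkpoint. It walks a vendor packet through a static NAT table, a first-match rulebase with an implicit cleanup drop, and a longest-prefix return-route lookup, so you can see why the same packet is accepted when NAT is on the router (rulebase written for 10.106.106.x) and dropped when it is not (the firewall then sees 12.4.x.x, which no rule or route covers, which is crazynoodle's point). The host parts of 12.4.x.x and 10.106.106.x, the 192.168.1.0/24 internal range, and the interface names are constructed placeholders; the thread does not give them.

```python
"""Model of the vendor-to-internal path: static one-to-one NAT, a default-deny
rulebase, and a return-route check.  Added illustration for the thread above,
not a Checkpoint or Cisco configuration.  All addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    src: Net
    dst: Net
    action: str  # "accept" or "drop"


# Placeholder one-to-one NAT table (thread gives only 12.4.xxx.xxx -> 10.106.106.xxx).
STATIC_NAT = {
    IPv4("12.4.0.10"): IPv4("10.106.106.10"),
    IPv4("12.4.0.11"): IPv4("10.106.106.11"),
}

# Firewall routing table as (prefix, egress).  The 10.106.106.0/24 route must point
# back toward the 2600, or replies to the translated vendor hosts never return.
ROUTES = [
    (Net("10.105.105.0/24"), "vendor-int"),
    (Net("10.106.106.0/24"), "vendor-int via 10.105.105.2"),
    (Net("192.168.1.0/24"), "internal-int"),  # placeholder internal network
]

# Rulebase written against the post-NAT source: only the two internal hosts
# (placeholders .10 and .11), and an implicit cleanup drop after the last rule.
RULEBASE = [
    Rule(Net("10.106.106.0/24"), Net("192.168.1.10/32"), "accept"),
    Rule(Net("10.106.106.0/24"), Net("192.168.1.11/32"), "accept"),
]


def translate(src: IPv4, nat_on_router: bool) -> IPv4:
    """Static one-to-one NAT on the router; unmapped hosts pass through untranslated."""
    if not nat_on_router:
        return src
    return STATIC_NAT.get(src, src)


def lookup_route(addr: IPv4) -> Optional[str]:
    """Longest-prefix match over ROUTES; None means the firewall has no route."""
    matches = [(net.prefixlen, egress) for net, egress in ROUTES if addr in net]
    if not matches:
        return None
    return max(matches)[1]


def first_match(src: IPv4, dst: IPv4) -> Optional[Rule]:
    """First-match semantics, as in a top-down rulebase."""
    for rule in RULEBASE:
        if src in rule.src and dst in rule.dst:
            return rule
    return None


def evaluate(src: str, dst: str, nat_on_router: bool) -> dict:
    """Walk one vendor packet through NAT, the rulebase, and the return-route check."""
    s, d = IPv4(src), IPv4(dst)
    seen_src = translate(s, nat_on_router)   # what the firewall actually sees
    rule = first_match(seen_src, d)
    back = lookup_route(seen_src)
    reason = None
    if rule is None or rule.action != "accept":
        reason = f"no accept rule for src {seen_src} -> dst {d}; cleanup rule drops"
    elif back is None:
        reason = f"rule accepts, but the firewall has no route back to {seen_src}"
    return {
        "seen_src": str(seen_src),
        "matched_rule": rule,
        "return_route": back,
        "verdict": "accept" if reason is None else "drop",
        "reason": reason,
    }


if __name__ == "__main__":
    for nat in (True, False):
        print("NAT on router:", nat, evaluate("12.4.0.10", "192.168.1.10", nat))
```

Running it shows the accept path only when the rulebase, the NAT table and the return route all agree on the same address family; if NAT moves to the firewall, or is removed as crazynoodle suggests, the rulebase and routes have to be rewritten for 12.4.x.x instead. The same check also catches a vendor host that is not in the one-to-one table and a destination that is not one of the two permitted hosts.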
