How to configure Cisco router with Checkpoint Firewall to avoid double NAT?

Hi,

We recently switched to a new ISP and a new router. Behind the router is a Checkpoint Firewall.
The problem I ran into is double NAT. Right now I NAT all traffic from the firewall to a 10.0.25.10 address.
This address is then changed again on the router to one of our public BGP addresses. Is there a way to change my configuration to a single NAT?

Thank you for your help.
ktpoitmAsked:
bkepfordCommented:
Put the Checkpoint firewall in transparent mode if possible. This will cause the firewall to become a layer 2 firewall that does not need an IP address and just bridges between the links. You get the same inspection, and as long as you don't need a DMZ this is the best option.
0
ktpoitmAuthor Commented:
I can't do that. The firewall has 6 interfaces to different networks. Only one of them is the router. I should have mentioned that earlier, sorry for that.
0
bkepfordCommented:
Do you need to NAT between the 6 interfaces? If not, remove the NAT on the firewall and just have routes on the router back to the 6 networks pointing to the firewall.
0
ktpoitmAuthor Commented:
If I understand that correctly, I need the NAT on the firewall since the firewall is clustered.
0
bkepfordCommented:
The only reason to NAT between networks is to either A) hide your IP scheme, or B) deal with overlapping networks.
As far as clustering two or more firewalls together, I really don't think that NAT is needed.
With all that being said, your router is the edge point to the Internet. So you have to NAT there if you do not have a public IP space behind the router that your ISP is aware of. To avoid NATing on the router, get a public IP scheme to put behind the router; that is the best way. There are some bridging options that you could do, but you will still need a public IP for your firewall.
Let me ask you this. I have seen plenty of people use double NAT in lots of situations and it has not been a problem. Why so concerned?
0
ktpoitmAuthor Commented:
The problem I see is the following. My Exchange server is NATed to 10.0.25.20 on the firewall. 10.0.25.20 is NATed on the router to a public IP address. The Exchange server is still seen from the outside as 10.0.25.20.
0
bkepfordCommented:
You get mail, right? If you are doing double NAT, that is exactly how it needs to be set up on your one-to-one translations.
You can deny email traffic from getting NATed on your firewall and then NAT from the router directly to the email server's IP address. With NAT it is not all or nothing. You can just not NAT some traffic until you get to the router.
0
ktpoitmAuthor Commented:
I receive mail with no problem. Sending mail is the problem. Sometimes it does not go through. I forwarded our mail.domain.com to the public IP address of the Exchange server. If I ping mail.domain.com it resolves to 10.0.25.20. Maybe I'm completely wrong here :P
0
bkepfordCommented:
I don't think it is NAT that is causing the issue. Not sure why your DNS is replying back with the 10.0.25.20 address. You should do an NSLOOKUP and see what server it is getting that IP from.
As I said, you may want to exclude the email service from the firewall NAT and NAT directly to the server's IP address if you want to eliminate that as a possible cause.
0
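A small check for the situation described above, added here as an example and not part of the thread: it reads answer lines in the shape `dig +noall +answer` prints and flags any A record that points at an RFC 1918 address, which is exactly what a mail host name should never resolve to from the outside. The host names and addresses in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): flag DNS answers that hand out an
# internal NAT address such as 10.0.25.20 for a host that must be reachable
# from the Internet.

# Returns 0 if the IPv4 address is in 10/8, 172.16/12 or 192.168/16.
is_private_ipv4() {
    case "$1" in
        10.*) return 0 ;;
        192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads "name TTL class type address" lines (the `dig +noall +answer`
# layout) on stdin, prints a verdict per A record, and returns 1 if any
# A record carries a private address.
check_answers() {
    rc=0
    while read -r name ttl class rrtype addr; do
        [ "$rrtype" = "A" ] || continue
        if is_private_ipv4 "$addr"; then
            echo "PRIVATE  $name -> $addr (internal NAT address visible in DNS)"
            rc=1
        else
            echo "PUBLIC   $name -> $addr"
        fi
    done
    return $rc
}

# Constructed sample answers, not real DNS data. In live use replace this
# with: dig +noall +answer mail.domain.com A
sample_answers() {
    printf '%s\n' \
        "mail.domain.com. 300 IN A 10.0.25.20" \
        "www.domain.com. 300 IN A 203.0.113.25" \
        "domain.com. 300 IN MX 10 mail.domain.com."
}

sample_answers | check_answers || echo "at least one host resolves to a private address"
```

Run it against the authoritative server as well as a public resolver (`dig @server ...`) to see which one is returning the internal address.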
sullimdCommented:
Are you sure you're NATing on your router, and if so, why? What is your connection type to your ISP?
0
bkepfordCommented:
He is going from a private network (10.0.25.10) to a public IP; he has to NAT to get on the Internet.
0
sullimdCommented:
Yeah, but you don't have to double NAT. Depending on the type of connection he has, he may not have to NAT on the router. For instance, with a T1 you can NAT on your router if you're using that device as your NAT, DHCP, etc., but most people don't. They route the serial network to the WAN network, then use the firewall to NAT to the internal network.

All I'm saying is, is using your router to NAT necessary? Why not just use it to route your WAN connection, then use your firewall to NAT.
0
ktpoitmAuthor Commented:
We are using an Ethernet connection to our ISP. The public address scheme is a BGP Class C net. The router is set up as the BGP AS. If there is a way to only NAT on the firewall I am all for it, I just couldn't figure it out yet. I tried to change the interface IP addresses between router and firewall to the public address scheme, but once I deleted the loopback interface I lost Internet connectivity.
0
bkepfordCommented:
Have you thought about moving your router behind your firewall? I think you could get what you want from that configuration.
0
ktpoitmAuthor Commented:
It was an issue with reverse lookup, not the double NAT.
Thanks so much for your help.
0