Solved

How to configure Cisco router with Checkpoint Firewall to avoid double NAT?

Posted on 2008-10-30
Last Modified: 2013-11-16
Hi,

We recently switched to a new ISP and a new router. Behind the router is a Checkpoint Firewall.
The problem I ran into is double NAT. Right now I NAT all traffic from the firewall to a 10.0.25.10 address.
This address is then changed again on the router to one of our public BGP addresses. Is there a way to change my configuration to a single NAT?

Thank you for your help.
Question by:ktpoitm
15 Comments
 
LVL 15

Expert Comment

by:bkepford
ID: 22843190
Put the Checkpoint firewall in transparent mode if possible. This will cause the firewall to become a layer 2 firewall that does not need an IP address and just bridges between the links. You get the same inspection, and as long as you don't need a DMZ this is the best option.
 
LVL 1

Author Comment

by:ktpoitm
ID: 22843220
I can't do that. The firewall has 6 interfaces to different networks. Only one of them is the router. I should have mentioned that earlier, sorry for that.
 
LVL 15

Expert Comment

by:bkepford
ID: 22843365
Do you need to NAT between the 6 interfaces? If not, remove the NAT on the firewall and just have routes on the router back to the 6 networks pointing to the firewall.
 
LVL 1

Author Comment

by:ktpoitm
ID: 22843606
If I understand that correctly, I need the NAT on the firewall since the firewall is clustered.
 
LVL 15

Expert Comment

by:bkepford
ID: 22844640
The only reason to NAT between networks is to either A) hide your IP scheme or B) deal with overlapping networks.
As far as clustering two or more firewalls together, I really don't think that NAT is needed.
With all that being said, your router is the edge point to the Internet. So you have to NAT there if you do not have a public IP space behind the router that your ISP is aware of. To avoid NATing on the router, get a public IP scheme to put behind the router; that is the best way. There are some bridging options that you could do, but you will still need a public IP for your firewall.
Let me ask you this. I have seen plenty of people use double NAT in lots of situations and it has not been a problem. Why so concerned?
 
LVL 1

Author Comment

by:ktpoitm
ID: 22844796
The problem I see is the following. My Exchange server is NATed to 10.0.25.20 on the firewall. 10.0.25.20 is NATed on the router to a public IP address. The Exchange server is still seen from the outside as 10.0.25.20.
 
LVL 15

Expert Comment

by:bkepford
ID: 22844867
You get mail, right? If you are doing double NAT, that is exactly how it needs to be set up on your one-to-one translations.
You can deny email traffic from getting NATed on your firewall and then NAT from the router directly to the email server's IP address. With NAT it is not all or nothing. You can just not NAT some traffic until you get to the router.
 
LVL 1

Author Comment

by:ktpoitm
ID: 22844925
I receive mail with no problem. Sending mail is the problem. Sometimes it does not go through. I forwarded our mail.domain.com to the public IP address of the Exchange server. If I ping mail.domain.com it resolves to 10.0.25.20. Maybe I'm completely wrong here :P
 
LVL 15

Accepted Solution

by: bkepford (earned 250 total points)
ID: 22844992
I don't think it is NAT that is causing the issue. Not sure why your DNS is replying back with the 10.0.25.20 address. You should do an NSLOOKUP and see what server it is getting that IP from.
As I said, you may want to exclude the email service from the firewall NAT and NAT directly to the server's IP address if you want to eliminate that as a possible cause.
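As an added illustration (not from this thread or either poster), here is a small Python check for the symptom described above: it takes constructed A and PTR answers in place of real nslookup output, flags an RFC 1918 address appearing in the public A record, and verifies forward-confirmed reverse DNS for the public IP. mail.domain.com and 10.0.25.20 come from the thread; the public IP is a placeholder.

```python
import ipaddress

# Constructed records standing in for nslookup/dig answers. 10.0.25.20 is
# the firewall-side NAT address from the thread; the public address is a
# TEST-NET-3 placeholder, not the poster's real BGP space.
PUBLIC_MAIL_IP = "203.0.113.25"
A_RECORDS = {"mail.domain.com": "10.0.25.20"}          # what the author saw
PTR_RECORDS = {"203.0.113.25": "mail.domain.com"}

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True if ip falls in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def check_mail_dns(host, public_ip, a_records, ptr_records):
    """Return a list of findings for a mail host published behind NAT.

    Checks that the public A record is not an inside/NAT address leaking
    into public DNS, that it is the intended public IP, and that the PTR
    for that IP points back to a name resolving to the same IP
    (forward-confirmed reverse DNS), which many receiving MTAs require.
    """
    findings = []
    answer = a_records.get(host)
    if answer is None:
        findings.append("no A record for %s" % host)
    elif is_rfc1918(answer):
        findings.append("A record %s for %s is RFC 1918: inside NAT address "
                        "leaked to public DNS" % (answer, host))
    elif answer != public_ip:
        findings.append("A record %s for %s is not the public NAT address %s"
                        % (answer, host, public_ip))

    ptr = ptr_records.get(public_ip)
    if ptr is None:
        findings.append("no PTR for %s: reverse lookup fails" % public_ip)
    elif a_records.get(ptr.rstrip(".")) != public_ip:
        findings.append("FCrDNS fails: PTR %s for %s does not resolve back "
                        "to %s" % (ptr, public_ip, public_ip))
    return findings


if __name__ == "__main__":
    for f in check_mail_dns("mail.domain.com", PUBLIC_MAIL_IP,
                            A_RECORDS, PTR_RECORDS):
        print(f)
```

Feed it the answers from a public resolver (not your internal DNS) to see what the outside world sees, which is what matters for outbound mail acceptance.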
 

Expert Comment

by:sullimd
ID: 22845791
Are you sure you're NATing on your router, and if so, why? What is your connection type to your ISP?
 
LVL 15

Expert Comment

by:bkepford
ID: 22850452
He is going from a private network (10.0.25.10) to a public IP; he has to NAT to get on the Internet.
 

Expert Comment

by:sullimd
ID: 22850676
Yeah, but you don't have to double NAT. Depending on the type of connection he has, he may not have to NAT on the router. For instance, with a T1 you can NAT on your router if you're using that device as your NAT, DHCP, etc., but most people don't. They route the serial network to the WAN network, then use the firewall to NAT to the internal network.

All I'm saying is: is using your router to NAT necessary? Why not just use it to route your WAN connection, then use your firewall to NAT?
 
LVL 1

Author Comment

by:ktpoitm
ID: 22851641
We are using an Ethernet connection to our ISP. The public address scheme is a BGP Class C net. The router is set up as the BGP AS. If there is a way to only NAT on the firewall I am all for it, I just couldn't figure it out yet. I tried to change the interface IP addresses between router and firewall to the public address scheme, but once I deleted the loopback interface I lost Internet connectivity.
 
LVL 15

Expert Comment

by:bkepford
ID: 22877947
Have you thought about moving your router behind your firewall? I think you could get what you want from that configuration.
 
LVL 1

Author Comment

by:ktpoitm
ID: 22899065
It was an issue with reverse lookup, not the double NAT.
Thanks so much for your help.
