Solved

How to configure Cisco router with Checkpoint Firewall to avoid double NAT?

Posted on 2008-10-30
Last Modified: 2013-11-16
Hi,

We recently switched to a new ISP and a new router. Behind the router is a Checkpoint Firewall.
The problem I ran into is double NAT. Right now I NAT all traffic from the firewall to a 10.0.25.10 address.
This address is then changed again on the router to one of our public BGP addresses. Is there a way to change my configuration to a single NAT?

Thank you for your help.
Question by:ktpoitm
15 Comments
 
LVL 15

Expert Comment

by:bkepford
Put the Checkpoint firewall in transparent mode if possible. This will cause the firewall to become a layer 2 firewall that does not need an IP address and just bridges between the links. You get the same inspection, and as long as you don't need a DMZ this is the best option.
 
LVL 1

Author Comment

by:ktpoitm
I can't do that. The firewall has 6 interfaces to different networks. Only one of them goes to the router. I should have mentioned that earlier, sorry for that.
 
LVL 15

Expert Comment

by:bkepford
Do you need to NAT between the 6 interfaces? If not, remove the NAT on the firewall and just have routes on the router back to the 6 networks pointing to the firewall.
 
LVL 1

Author Comment

by:ktpoitm
If I understand that correctly, I need the NAT on the firewall since the firewall is clustered.
 
LVL 15

Expert Comment

by:bkepford
The only reasons to NAT between networks are either A) to hide your IP scheme, or B) to deal with overlapping networks.
As far as clustering two or more firewalls together, I really don't think that NAT is needed.
With all that being said, your router is the edge point to the Internet. So you have to NAT there if you do not have a public IP space behind the router that your ISP is aware of. To avoid NATing on the router, get a public IP scheme to put behind the router; that is the best way. There are some bridging options that you could do, but you will still need a public IP for your firewall.
Let me ask you this. I have seen plenty of people use double NAT in lots of situations and it has not been a problem. Why so concerned?
 
LVL 1

Author Comment

by:ktpoitm
The problem I see is the following. My Exchange server is NATed to 10.0.25.20 on the firewall. 10.0.25.20 is NATed on the router to a public IP address. The Exchange server is still seen from the outside as 10.0.25.20.
 
LVL 15

Expert Comment

by:bkepford
You get mail, right? If you are doing double NAT, that is exactly how it needs to be set up on your one-to-one translations.
You can exclude email traffic from getting NATed on your firewall and then NAT from the router directly to the email server's IP address. With NAT it is not all or nothing. You can choose not to NAT some traffic until you get to the router.
LVL 1

Author Comment

by:ktpoitm
I receive mail with no problem. Sending mail is the problem. Sometimes it does not go through. I forwarded our mail.domain.com to the public IP address of the Exchange server. If I ping mail.domain.com it resolves to 10.0.25.20. Maybe I'm completely wrong here :P
 
LVL 15

Accepted Solution

by:
bkepford earned 250 total points
I don't think it is NAT that is causing the issue. Not sure why your DNS is replying with the 10.0.25.20 address. You should do an NSLOOKUP and see which server it is getting that IP from.
As I said, you may want to exclude the email service from the firewall NAT and NAT directly to the server's IP address if you want to eliminate that as a possible cause.
 

Expert Comment

by:sullimd
Are you sure you're NATing on your router, and if so, why? What is your connection type to your ISP?
 
LVL 15

Expert Comment

by:bkepford
He is going from a private network (10.0.25.10) to a public IP; he has to NAT to get on the Internet.
 

Expert Comment

by:sullimd
Yeah, but you don't have to double NAT. Depending on the type of connection he has, he may not have to NAT on the router. For instance, with a T1 you can NAT on your router if you're using that device as your NAT, DHCP, etc., but most people don't. They route the serial network to the WAN network, then use the firewall to NAT to the internal network.

All I'm saying is: is using your router to NAT necessary? Why not just use it to route your WAN connection, then use your firewall to NAT?
 
LVL 1

Author Comment

by:ktpoitm
We are using an Ethernet connection to our ISP. The public address scheme is a BGP Class C net. The router is set up as the BGP AS. If there is a way to only NAT on the firewall I am all for it, I just couldn't figure it out yet. I tried to change the interface IP addresses between router and firewall to the public address scheme, but once I deleted the loopback interface I lost Internet connectivity.
 
LVL 15

Expert Comment

by:bkepford
Have you thought about moving your router behind your firewall? I think you could get what you want from that configuration.
 
LVL 1

Author Comment

by:ktpoitm
It was an issue with reverse lookup, not the double NAT.
Thanks so much for your help.