?
Solved

How do I use multiple Static IP's on a CheckPoint Safe@Office 500?

Posted on 2009-04-10
7
Medium Priority
?
1,831 Views
Last Modified: 2013-11-16
I have a Safe@Office 500 Check Point Firewall. I also have 13 static IP's. I have about 5 Servers on my Network and all of them have services that need to be passed from the Firewall to them.

The IP scheme is 169.130.x.17-30. 17 of course is my Gateway, so the first usable is 18. Now if you go to x.x.x.18:xxx you can log into my Firewall. I have also setup rules to allow any RDP traffic coming to the Gateway to be passed to 10.10.10.2 which is one of my servers. Any TCP traffic going to port 657 on my Gateway is passed to 10.10.10.6 and so on and so forth. The problem is that I have a WEBSERVER that traffic heading to 169.130.x.18 is going to one internal server of 10.10.10.9. Now I need traffic heading for 169.130.x.20 to go to another internal server of 10.10.10.5.

However this firewall is not like any other I have ever setup and I can't figure out how to do it. Netscreen and Calyptix both have MIP's. So I would say any traffic going to x.x.x.x external IP needs to be redirected to an internal IP of 10.10.10.5. But CheckPoint doesn't have that. Has anyone ever done this on a CHeckpoint and can it be done.

0
Comment
Question by:aando
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 7

Expert Comment

by:EmpKent
ID: 24115651
Aando,

Have you created a static NAT for each public IP to the LAN IP? Once you do that you could create an allow for only port 80 on the two www servers.

Thanks,

Kent
0
 

Author Comment

by:aando
ID: 24115679
I have tried but it doesn't work. So I don't know if it is me not setting it up right or if it just won't work.
0
 
LVL 7

Accepted Solution

by:
EmpKent earned 1500 total points
ID: 24115697
I just dl'd the manual and you can use the Network Object Wizard to setup a single computer object and set that as a static NAT to an external IP.

The process starts on page 135ish.

Kent
0
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

 

Author Comment

by:aando
ID: 24115897
Ok. I was looking at "Using Network Objects" and it says it can be done but it isn't. So I am wondering if it is a configuration issue on my part. Could it be that I already have SMTP traffic going to .18 being routed to the internal server at 10.10.10.5 and now I want owa that is being sent to .20 also to be routed to 10.10.10.5? In other words, can I have two different services going to two different external static IP's route to the same internal IP on this Firewall?
0
 
LVL 7

Expert Comment

by:EmpKent
ID: 24116044
Aando,

If you were able to do port forwarding on this box, you might be able to convince it to have individual ports from two public IPs pointing to the same internal IP but I see nothing in the manual to suggest it does.

With static NAT, I suppose that could be done but the bigger question is; why would you want to? If you have your Exchange box as 10.10.10.5 just have your MX (25) and your users (80) point to .18 and leave .20 open for another purpose.

If you really need to differentiate between the two services, use different FQDNs pointing to the same IP...

Thanks,

Kent
0
 

Author Comment

by:aando
ID: 24117170
Thanks, EmpKent

I was able to create a Network Object for the Exchange Server and then to a Static NAT One to One from the External .20 to the Exchange Server. Then I had to create a Rule with Allow and Forward, telling it that Traffic from the WAN going to the Gateway running service "WebServer - a predefined service for webservers in checkpoints" to forward to the Network Object I named Exchange Server which has the external .20 being Nat'd to the Internal Exchange Server IP.
0
 

Author Closing Comment

by:aando
ID: 31568895
Thanks for the help.
0

Featured Post

Four New Appliances. Same Industry-leading Speeds.

But don't take it from us.  The Firebox M370 is Miercom tested and Miercom approved, outperforming its competitors for stateless and stateful traffic throughput scenarios.  Learn more about the M370, M470, M570 and M670 and find the right solution for your organization today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question