Can I configure 2 NAT rules on one interface of a Check Point (Crossbeam FW)?

Posted on 2009-04-28
Last Modified: 2013-11-16
I have 2 sites that each work independently; if one site fails, the other one takes control. There are 2 separate private networks, one for each site; if one of the firewalls fails, the switches will start sending traffic to the other FW. NAT is configured on FW1 and FW2: for FW1 it will translate from 10.x.x.x/24 to 200.x.x.x, and for FW2 from 192.168.x.x/24 to 190.255.x.x.

Is it possible for FW1 to be configured with a rule that translates 192.168.x.x/24 to 190.255.x.x,
and FW2 with a rule that translates 10.x.x.x/24 to 200.x.x.x?

Is it mandatory that the interface connecting the ROUTER to the FW belongs to the network that is doing NAT? Can it be a simple /30 with the NAT rules coexisting in both FWs?

I am attaching a diagram.

Thanks for your answer.
Question by: dsanc

    Expert Comment

    I am unclear on the reasons why you want to do this or what the situation is.

    As each firewall has its own public IP, all natted traffic from it will appear to come from that public IP. If that firewall dies, then no amount of natting will allow the other firewall to respond on a different public IP.

    Do you also have VPNs on these devices?

    If I understand you, you want to have each firewall also with the public IP of the other one, to hide traffic behind should the other fw fail?  Is that correct?

    Until I understand a bit more, I think it's not possible here, as you will end up having duplicate public IPs on the Internet, and it is likely that your upstream routers will not even route traffic for 190.x.x.x to FW1 or 200.x.x.x to FW2.

    Can you elaborate a bit more on the reasoning behind the requirements, as there may be other options open to us.

    Author Comment

    Hi Deimark,

    Each site is individual; behind the switches there is equipment that generates traffic from the private addresses on the diagram: 10.x.x.x for site 1 and 192.168.x.x for site 2. I have 2 public address segments: 190.x.x.x for Site 1 and 200.x.x.x for site 2. My problem is that I need redundancy between the 2 sites, and I need redundancy between the NAT of the 2 FWs. If FW2 fails, the switches will start forwarding traffic from site 2 to site 1, so FW1 should be able to do NAT for the network 192.168.x.x. Is it possible to use the same public segment as FW2, or will I have to use another?

    Thanks for your help.

    Expert Comment

    Hmm, still not sure what you want here bud.

    So, to allow me to confirm here:

    1.  Do the switches in each site have a direct link to the other site? i.e. can they talk to each other (across sites) without going over the Internet?

    2.  There is a line between the 2 firewalls; is this a link? Or do they talk over the Internet?

    3.  When there is a dead firewall, how does the switch detect this, and how does it start to send the traffic to the other firewall and site?

    4.  You say you need redundancy between the NAT on the 2 firewalls, can you elaborate on that please?

    5.  Is there a VPN between the 2 sites?

    Author Comment

    Regarding your questions, I am attaching another diagram to see if I can explain myself better. Thanks for your patience.

    1. The switches are connected to each other; they don't need to go to the Internet to communicate.

    2. Yes that line is also a layer 3 link that speaks OSPF.

    3. The equipment detects this with a DNS that is connected to the FW; when they detect it is dead, they switch to the second DNS.

    4. Yes, redundancy for both sites: if FW1 fails, site 1 will redirect traffic through site 2 (FW2), but FW2 should be able to translate the private network of Site 1.

    5. There is no VPN between the sites.

    Again thanks for your help.


    Accepted Solution

    OK, that's a bit better bud, thanks for clarifying.

    Check Point can be configured to send traffic out from specific hosts natted behind any IP you choose. So in this case, FW1 can indeed be configured, using manual NAT rules, to also send traffic out from 192.x.x.x (behind FW2) as coming from 200.x.x.x (as already works on FW2).

    The problem comes with the return traffic.

    When FW2 dies, traffic leaving FW1 "appears" to come from FW2, so reply packets destined for 200.x.x.x will get routed to the router serving site 2. This router will see that it has a route to send the traffic for 200.x.x.x out the interface connected to the now dead FW2. Needless to say, this will fail.

    So to get this working, we need to make sure that the upstream routers know that traffic sent to a FW that has failed must get re-routed to the other one.

    In our diagram, we see FW1 as failing so my process (as I see it) will be as follows.

    1.  Each FW has manual NAT rules in place so that if the FW receives traffic from the other LAN on its INTERNAL interface (as there is a direct trunk link between the switches at the two sites), it will NAT the traffic behind the other FW's public IP.

    i.e. FW1 will NAT traffic from 192.x.x.x behind 200.x.x.x
    FW2 will NAT traffic from 10.x.x.x behind 190.x.x.x

    2.  FW1 fails and the traffic from 10.x.x.x gets sent to FW2's internal interface.

    3.  FW2 starts natting the traffic from 10.x.x.x behind 190.x.x.x.

    Return traffic will be sent to 190.x.x.x, which will get routed to site 1's upstream router.

    4.  Both upstream routers will need to know that, in the event of their own FW failing, traffic destined for the failed firewall needs to get sent to the other one.

    Some form of intelligent routing and destination rewriting are needed here and your ISP will be best to advise what they can and can't do to assist.

    This is now a routing issue rather than a CP NAT issue.

    The actual functionality of natting outbound traffic will work fine, but it's the return traffic which will cause the issue, and this return traffic is outwith the firewall; it's all part of the ISP.

    Does that make sense?

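To make the accepted answer's point concrete (outbound manual NAT works on either box, but the reply is black-holed at the upstream router facing the dead firewall unless the ISP re-routes it), here is a small model of the design. It is an added example, not code from the thread or from Check Point; the addresses, router names and the `isp_reroutes` switch are constructed stand-ins for the x.x.x.x values in the posts.

```python
"""Model of the two-site failover NAT design discussed in the thread (constructed example)."""
import ipaddress
from typing import Optional

# --- Constructed topology (all addresses assumed; they stand in for the x.x.x.x in the thread) ---
FIREWALLS = {
    "FW1": {"site_net": ipaddress.ip_network("10.0.0.0/24")},
    "FW2": {"site_net": ipaddress.ip_network("192.168.0.0/24")},
}

# Public prefix each upstream router advertises, and the firewall it normally hands that traffic to.
ROUTERS = {
    "R1": {"prefix": ipaddress.ip_network("190.0.0.0/24"), "fw": "FW1"},
    "R2": {"prefix": ipaddress.ip_network("200.0.0.0/24"), "fw": "FW2"},
}

# Manual NAT rules per firewall, evaluated top-down: (original source net, translated source address).
# The first rule on each box is its normal hide NAT; the second is the backup rule proposed in the thread.
NAT_RULES = {
    "FW1": [
        (ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_address("190.0.0.1")),
        (ipaddress.ip_network("192.168.0.0/24"), ipaddress.ip_address("200.0.0.1")),
    ],
    "FW2": [
        (ipaddress.ip_network("192.168.0.0/24"), ipaddress.ip_address("200.0.0.1")),
        (ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_address("190.0.0.1")),
    ],
}


def translate_source(fw: str, src: ipaddress.IPv4Address) -> Optional[ipaddress.IPv4Address]:
    """Apply the firewall's manual NAT rulebase; first match wins, no match means no translation."""
    for orig_net, xlated in NAT_RULES[fw]:
        if src in orig_net:
            return xlated
    return None


def egress_firewall(src: ipaddress.IPv4Address, alive: set) -> Optional[str]:
    """Pick the firewall a host's traffic leaves through.

    Normally its own site's firewall; if that one is down, the switches / OSPF default route
    (as the thread describes) send the traffic across the inter-site link to the other one.
    """
    home = next((fw for fw, cfg in FIREWALLS.items() if src in cfg["site_net"]), None)
    if home is None:
        return None
    if home in alive:
        return home
    others = [fw for fw in FIREWALLS if fw != home and fw in alive]
    return others[0] if others else None


def return_path(xlated: ipaddress.IPv4Address, alive: set, isp_reroutes: bool) -> Optional[str]:
    """Where the reply to a NATed packet ends up.

    The Internet delivers the reply to whichever upstream router advertises the public prefix.
    That router forwards to 'its' firewall; if that firewall is dead the packet is lost unless
    the ISP / upstream routers have been arranged to re-route it to the surviving firewall.
    """
    router = next(r for r, cfg in ROUTERS.items() if xlated in cfg["prefix"])
    target = ROUTERS[router]["fw"]
    if target in alive:
        return target
    if isp_reroutes:
        survivors = [fw for fw in FIREWALLS if fw in alive]
        return survivors[0] if survivors else None
    return None  # black-holed at the router facing the dead firewall


def simulate_flow(src_str: str, alive: set, isp_reroutes: bool = False) -> dict:
    """Trace one outbound flow and its reply through the design."""
    src = ipaddress.ip_address(src_str)
    egress = egress_firewall(src, alive)
    if egress is None:
        return {"egress": None, "translated": None, "reply_reaches": None}
    xlated = translate_source(egress, src)
    reply = return_path(xlated, alive, isp_reroutes) if xlated else None
    return {"egress": egress, "translated": str(xlated) if xlated else None, "reply_reaches": reply}


if __name__ == "__main__":
    print("normal:            ", simulate_flow("10.0.0.5", {"FW1", "FW2"}))
    print("FW1 down:          ", simulate_flow("10.0.0.5", {"FW2"}))
    print("FW1 down + reroute:", simulate_flow("10.0.0.5", {"FW2"}, isp_reroutes=True))
```

Running it shows the three cases from the answer: with both firewalls up, a site 1 host leaves via FW1 as 190.0.0.1 and the reply comes back to FW1; with FW1 down, FW2's backup manual NAT rule still translates the host to 190.0.0.1, but the reply reaches R1 and is dropped because R1 only knows FW1; only when the upstream routers re-route does the reply reach FW2. The same asymmetry shows up for a site 2 host when FW2 is down.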
    Author Comment

    OK, so it is possible to have a manual NAT; excellent, that's what I need. If one FW dies, I have OSPF with default-originate on the Internet routers, so the default gateway for those users will become the other FW with its Internet router; that's how I am managing the routes.

    So if I can manually configure the 2 NAT rules in both sites, that is the best way.

    If you have any additional comment about this, I will appreciate it.
    If not, thank you very much for your help.

    Best regards.

    Expert Comment

    The only comment I have is the usual one for anyone wanting to configure manual NAT rules.

    Make sure that you have the correct source and destination nets defined, and I would also leave the service as untranslated.

    Good luck bud. :D

    Author Comment

    Thanks for your help my friend.

    Best Regards.
