Can I configure 2 NAT rules on one interface of a Check Point (Crossbeam FW)?

I have 2 sites that work independently; if one site fails, the other one takes control. Each site has its own separate private network. If one of the firewalls fails, the switches will start sending traffic to the other FW. NAT is configured on FW1 and FW2: on FW1 it is translated from 10.x.x.x /24 to 200.x.x.x, and on FW2 from 192.168.x.x /24 to 190.255.x.x.

Is it possible for FW1 to be configured with a rule that translates 192.168.x.x /24 to 190.255.x.x,
and FW2 with a rule that translates 10.x.x.x /24 to 200.x.x.x?

It is mandatory that the interface connecting the ROUTER to the FW belongs to the network that is doing NAT; can it be a simple /30 with the NAT rules coexisting in both FWs?

I am attaching a diagram.

Thanks for your answer.
deimark Commented:
OK, that's a bit better bud, thanks for clarifying.

Check Point can be configured to send traffic out from specific hosts as natted behind any IP you choose.  So in this case, FW1 can indeed be configured, using manual nat rules, to also send traffic out from 192.x.x.x (behind FW2) as from 200.x.x.x (as already working on FW2).

The problem comes with the return traffic.

When FW2 dies, traffic leaving FW 1 "appears" to come from FW2, reply packets destined for 200.x.x.x will get routed to the router serving site 2.  This router will see that it has a route to send the traffic for 200.x.x.x out the interface connected to the now dead FW2.  Needless to say, this will fail.

So to get this working, we need to make sure that the upstream routers know that traffic sent to a FW that has failed will get re-routed to the other.

In our diagram, we see FW1 as failing so my process (as I see it) will be as follows.

1.  Each FW has manual NAT rules in place that if the FW receives traffic from the other LAN on its INTERNAL interface (as there is a direct trunk link between the switches between the sites) it will NAT the traffic behind the other FW public IP.

ie FW1 will NAT traffic from 192.x.x.x behind 200.x.x.x
FW2 will NAT traffic from 10.x.x.x behind 190.x.x.x

2.  FW1 fails and the traffic from 10.x.x.x gets sent to FW2's internal interface

3.   FW2 starts natting the traffic from 10.x.x.x behind 190.x.x.x


Return traffic will be sent to 190.x.x.x, which will get routed to site 1's upstream router.

4.  Both upstream routers will need to know that in the event of their own FW failing, traffic destined for the failed firewall needs to get sent to the other one.

Some form of intelligent routing and destination rewriting are needed here and your ISP will be best to advise what they can and can't do to assist.

This is now a routing issue rather than a CP NAT issue.

The actual functionality of NATting outbound traffic will work fine, but it's the return traffic which will cause the issue, and this return traffic is outwith the firewall; it's all part of the ISP.

Does that make sense?
I am unclear on the reasons why you want to do this or what the situation is.

As each firewall has its own public IP, then all natted traffic from it will appear from the public IP.  If that firewall dies, then no amount of natting will allow the other firewall to respond to a different public IP.

Do you also have VPNs on these devices?

If I understand you, you want to have each firewall also with the public IP of the other one, to hide traffic behind should the other fw fail?  Is that correct?

Until I understand a bit more, I think it's not possible here, as you will end up having duplicate public IPs in the internet and it is likely that your upstream routers will not even route traffic to 190.x.x.x to fw1 or 200.x.x.x to fw2.

Can you elaborate a bit more on the reasoning behind the requirements, as there may be other options open to us.
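The return-path problem deimark describes above, traced in a small model. This is an added example, not code from the thread or from Check Point: the two firewalls, the two upstream routers, the /24 LANs and the hide addresses are constructed placeholders, and each firewall carries a manual hide-NAT rule for both LANs as deimark suggests.

```python
"""Toy model of two-site hide NAT with firewall failover (constructed example)."""
import ipaddress

# Manual NAT rules present on BOTH firewalls: each private LAN is hidden
# behind its own site's public address (assumed placeholder addresses).
HIDE_NAT = {
    ipaddress.ip_network("10.0.0.0/24"): ipaddress.ip_address("190.255.0.1"),
    ipaddress.ip_network("192.168.0.0/24"): ipaddress.ip_address("200.0.0.1"),
}

# Which upstream router receives replies for each public address, and the
# firewall that router normally forwards them to (placeholder names).
ROUTER_FOR_PUBLIC = {
    ipaddress.ip_address("190.255.0.1"): ("router1", "FW1"),
    ipaddress.ip_address("200.0.0.1"): ("router2", "FW2"),
}


def outbound_nat(src, fw, alive):
    """Firewall `fw` hides `src` behind the public IP of src's own LAN."""
    if fw not in alive:
        raise RuntimeError(f"{fw} is down")
    src = ipaddress.ip_address(src)
    for lan, public in HIDE_NAT.items():
        if src in lan:
            return public
    raise ValueError(f"no manual NAT rule matches {src}")


def return_path(public_dst, alive, failover_routes=None):
    """Trace the reply from the Internet to the firewall that must receive it.

    Returns (router, firewall); firewall is None when the router's next hop
    is dead and it has no failover route for that firewall.
    """
    router, fw = ROUTER_FOR_PUBLIC[ipaddress.ip_address(public_dst)]
    if fw in alive:
        return (router, fw)
    if failover_routes and fw in failover_routes:
        return (router, failover_routes[fw])
    return (router, None)


def session_ok(src, egress_fw, alive, failover_routes=None):
    """True only if the reply lands on the firewall that performed the NAT."""
    public = outbound_nat(src, egress_fw, alive)
    _, reply_fw = return_path(public, alive, failover_routes)
    return reply_fw == egress_fw
```

With FW1 down, `session_ok("10.0.0.5", "FW2", {"FW2"})` is False because router1 still forwards 190.255.0.1 to the dead FW1; it becomes True once router1 is given a failover route to FW2, which is the routing change deimark says the ISP side must provide.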
dsancAuthor Commented:
Hi Deimark,

Each site is individual; behind the switches there is equipment that generates traffic from the private addresses on the diagram, 10.x.x.x for site 1 and 192.168.x.x for site 2. I have 2 public address segments, 190.x.x.x for Site 1 and 200.x.x.x for site 2. My problem is that I need redundancy between the 2 sites, and I need redundancy between the NAT of the 2 FWs. If FW2 fails, the switches will start forwarding traffic from site 2 to site 1, so FW1 should be able to do NAT for the network 192.168.x.x. Is it possible to use the same public segment as FW2, or will I have to use another?

Thanks for your help.

Hmm, still not sure what you want here bud.

So, to allow me to confirm here:

1.  Do the switches in each site have a direct link to the other site?  ie can they talk to each other (across each site) without going over the internet

2.  There is a line between the 2 firewalls, is this a link?   Or do they talk over the internet?

3.  When there is a dead firewall, how does the switch detect this and also how does it start to send the traffic to the other firewall and site?

4.  You say you need redundancy between the NAT on the 2 firewalls, can you elaborate on that please?

5.  Is there a VPN between the 2 sites?
dsancAuthor Commented:
Regarding your questions, I am attaching another diagram to see if I explain myself better. Thanks for your patience.

1. The switches are connected to each other; they don't need to go to the internet to communicate.

2. Yes that line is also a layer 3 link that speaks OSPF.

3. The equipment detects this with a DNS that is connected to the FW; when they detect it is dead, they switch to the second DNS.

4. Yes, redundancy for both sites: if FW1 fails, site 1 will redirect traffic through site 2 (FW2), but FW2 should be able to translate the private network of Site 1.

5. There is no VPN between the sites.

Again thanks for your help.

dsancAuthor Commented:
Ok, so it is possible to have a manual NAT; excellent, that's what I need. If one FW dies, I have OSPF with default originate on the Internet routers, so the default gateway for those users will become the other FW with its Internet router; that's how I am managing the routes.

So if I can manually configure the 2 NAT rules in both sites, that is the best way.

If you have any additional comment about this, I will appreciate it.
If not, thank you very much for your help.

Best regards.
The only comment I have is the usual one for anyone wanting to configure manual nat rules.


Make sure that you have the correct source and destination nets defined, and I would also leave the service as untranslated.

Good luck bud. :D
dsancAuthor Commented:
Thanks for your help my friend.

Best Regards.