Can I configure 2 NAT Rules in one interface of a Checkpoint (Crossbeam FW)

Posted on 2009-04-28
Last Modified: 2013-11-16
I have 2 sites that each work independently; if one site fails, the other one takes control. Having 2 separate private networks, one for each site, if one of the firewalls fails, the switches will start sending the traffic to the other FW. NAT is configured on FW1 and FW2. For FW1 it will be translated from 10.x.x.x/24 to 200.x.x.x, and for FW2 from 192.168.x.x/24 to 190.255.x.x.

Is it possible that FW1 can be configured with a rule that translates 192.168.x.x/24 to 190.255.x.x
and FW2 with a rule that translates 10.x.x.x/24 to 200.x.x.x?

It is mandatory that the interface connecting the ROUTER to the FW belongs to the network that is doing NAT; can it be a simple /30 and the NAT rules coexist in both FWs?

I am attaching a diagram.

Thanks for your answer.
Question by:dsanc

Expert Comment

ID: 24258000
I am unclear on the reasons why you want to do this or what the situation is.

As each firewall has its own public IP, then all natted traffic from it will appear from the public IP.  If that firewall dies, then no amount of natting will allow the other firewall to respond to a different public IP.

Do you also have VPNs on these devices?

If I understand you, you want to have each firewall also with the public IP of the other one, to hide traffic behind should the other fw fail?  Is that correct?

Until I understand a bit more, I think it's not possible here, as you will end up having duplicate public IPs on the Internet and it is likely that your upstream routers will not even route traffic for 190.x.x.x to fw1 or 200.x.x.x to fw2.

Can you elaborate a bit more on the reasoning behind the requirements, as there may be other options open to us.

Author Comment

ID: 24261150
Hi Deimark,

Each site is individual; behind the switches there is equipment that generates traffic from the private addresses on the diagram, 10.x.x.x for site 1 and 192.168.x.x for site 2. I have 2 public segment addresses, 190.x.x.x for Site 1 and 200.x.x.x for site 2. My problem is that I need redundancy between the 2 sites, and I need redundancy between the NAT of the 2 FWs. If FW2 fails, the switches will start forwarding traffic from site 2 to site 1, so FW1 should be able to do NAT for the network 192.168.x.x. Is it possible to use the same public segment as FW2? Or will I have to use another?

Thanks for your help.

Expert Comment

ID: 24261376
Hmm, still not sure what you want here, bud.

So, to allow me to confirm here:

1.  Do the switches in each site have a direct link to the other site? i.e. can they talk to each other (across each site) without going over the Internet?

2.  There is a line between the 2 firewalls; is this a link? Or do they talk over the Internet?

3.  When there is a dead firewall, how does the switch detect this, and also how does it start to send the traffic to the other firewall and site?

4.  You say you need redundancy between the NAT on the 2 firewalls, can you elaborate on that please?

5.  Is there a VPN between the 2 sites?

Author Comment

ID: 24263729
Regarding your questions, I am attaching another diagram to see if I can explain myself better. Thanks for your patience.

1. The switches are connected to each other; they don't need to go to the Internet to communicate.

2. Yes that line is also a layer 3 link that speaks OSPF.

3. The equipment detects this with a DNS that is connected to the FW; when they detect it is dead, they switch to the second DNS.

4. Yes, redundancy for both sites: if FW1 fails, site 1 will redirect traffic through site 2 (FW2), but FW2 should be able to translate the private network of Site 1.

5. There is no VPN between the sites.

Again thanks for your help.


Accepted Solution

deimark earned 2000 total points
ID: 24264386
OK, that's a bit better, bud, thanks for clarifying.

Check Point can be configured to send traffic out from specific hosts as natted behind any IP you choose.  So in this case, FW1 can indeed be configured, using manual nat rules, to also send traffic out from 192.x.x.x (behind FW2) as from 200.x.x.x (as already working on FW2).

The problem comes with the return traffic.

When FW2 dies, traffic leaving FW1 "appears" to come from FW2, so reply packets destined for 200.x.x.x will get routed to the router serving site 2. This router will see that it has a route to send the traffic for 200.x.x.x out the interface connected to the now dead FW2. Needless to say, this will fail.

So to get this working, we need to make sure that the upstream routers know that traffic to a FW that has failed will get rerouted to the other.

In our diagram, we see FW1 as failing so my process (as I see it) will be as follows.

1.  Each FW has manual NAT rules in place that if the FW receives traffic from the other LAN on its INTERNAL interface (as there is a direct trunk link between the switches between the sites) it will NAT the traffic behind the other FW public IP.

i.e. FW1 will NAT traffic from 192.x.x.x behind 200.x.x.x
FW2 will NAT traffic from 10.x.x.x behind 190.x.x.x

2.  FW1 fails and the traffic from 10.x.x.x gets sent to FW2's internal interface

3.  FW2 starts NATting the traffic from 10.x.x.x behind 190.x.x.x


Return traffic will be sent to 190.x.x.x, which will get routed to site 1's upstream router.

4.  Both upstream routers will need to know that, in the event of their own FW failing, traffic destined for the failed firewall needs to get sent to the other one.

Some form of intelligent routing and destination rewriting are needed here and your ISP will be best to advise what they can and can't do to assist.

This is now a routing issue rather than a CP NAT issue.

The actual functionality of NATting outbound traffic will work fine, but it's the return traffic which will cause the issue, and this return traffic is outwith the firewall; it's all part of the ISP.

Does that make sense?
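The accepted answer above describes a process in words: each firewall carries a manual hide-NAT rule for the other site's LAN, outbound traffic fails over cleanly, and the reply path only works once the upstream routers reroute traffic for a dead firewall. The following Python model, added here as an illustration and not taken from the thread or from any Check Point product, walks through that process step by step so the return-path problem can be seen rather than described. Everything in it is an assumption: the topology, the first-match manual rule base, the OSPF default-originate failover behaviour, and the addresses, where RFC 5737 documentation prefixes stand in for the thread's 190.x.x.x and 200.x.x.x.

```python
"""Constructed model of the two-site NAT failover scenario discussed in the
thread. Not Check Point syntax. All addresses are placeholders: 198.51.100.0/24
stands in for site 1's public 190.x.x.x, 203.0.113.0/24 for site 2's 200.x.x.x."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Firewall:
    name: str
    alive: bool = True
    # Manual hide-NAT rules as (original source network, translated source IP).
    nat_rules: list = field(default_factory=list)

    def translate(self, src_ip: str) -> Optional[str]:
        """First matching rule wins, top to bottom, like a manual rule base.
        Returns None when nothing matches (the packet would leave untranslated)."""
        ip = ip_address(src_ip)
        for net, hide_ip in self.nat_rules:
            if ip in ip_network(net):
                return hide_ip
        return None


@dataclass
class UpstreamRouter:
    name: str
    public_net: str                              # prefix this ISP router advertises
    firewall: Firewall                           # firewall it forwards that prefix to
    backup: Optional["UpstreamRouter"] = None    # reroute target when its firewall is dead


def build_topology(fw1_alive=True, fw2_alive=True, cross_nat=True, reroute=False):
    """Assumed topology: site 1 = 10.0.0.0/24 behind FW1, site 2 = 192.168.0.0/24 behind FW2."""
    fw1 = Firewall("FW1", fw1_alive, [("10.0.0.0/24", "198.51.100.1")])
    fw2 = Firewall("FW2", fw2_alive, [("192.168.0.0/24", "203.0.113.1")])
    if cross_nat:
        # Step 1 of the answer: each FW also hides the other site's LAN
        # behind that site's public IP.
        fw1.nat_rules.append(("192.168.0.0/24", "203.0.113.1"))
        fw2.nat_rules.append(("10.0.0.0/24", "198.51.100.1"))
    r1 = UpstreamRouter("R1", "198.51.100.0/24", fw1)
    r2 = UpstreamRouter("R2", "203.0.113.0/24", fw2)
    if reroute:
        # Step 4: each upstream router sends traffic for a dead FW to the other one.
        r1.backup, r2.backup = r2, r1
    return fw1, fw2, [r1, r2]


def egress_firewall(src_ip: str, fw1: Firewall, fw2: Firewall) -> Optional[Firewall]:
    """Assumed OSPF default-originate failover: each LAN prefers its own FW
    and falls back to the other site's FW when its own is dead."""
    own_site_is_1 = ip_address(src_ip) in ip_network("10.0.0.0/24")
    primary, secondary = (fw1, fw2) if own_site_is_1 else (fw2, fw1)
    for fw in (primary, secondary):
        if fw.alive:
            return fw
    return None


def reply_reaches(public_ip: str, routers) -> Optional[str]:
    """Name of the firewall a reply to public_ip reaches, or None when the
    owning upstream router forwards it toward a dead FW with no reroute."""
    ip = ip_address(public_ip)
    for r in routers:
        if ip in ip_network(r.public_net):
            if r.firewall.alive:
                return r.firewall.name
            if r.backup is not None and r.backup.firewall.alive:
                return r.backup.firewall.name
            return None
    return None


def simulate(src_ip: str, **topology_kwargs) -> dict:
    """Outbound NAT plus return path for one host under the given failure state."""
    fw1, fw2, routers = build_topology(**topology_kwargs)
    fw = egress_firewall(src_ip, fw1, fw2)
    if fw is None:
        return {"egress": None, "nat": None, "reply": None}
    nat = fw.translate(src_ip)
    reply = reply_reaches(nat, routers) if nat else None
    return {"egress": fw.name, "nat": nat, "reply": reply}


if __name__ == "__main__":
    for kw in ({}, {"fw1_alive": False, "cross_nat": False},
               {"fw1_alive": False}, {"fw1_alive": False, "reroute": True}):
        print(kw, simulate("10.0.0.50", **kw))
```

Running it shows the four states the answer distinguishes: with both firewalls up, site 1 traffic is hidden behind its own public IP and replies come back to FW1; with FW1 dead and no cross-site NAT rule, FW2 has nothing to match and the traffic leaves untranslated; with the manual rule in place but no upstream reroute, FW2 correctly hides the traffic behind site 1's public IP, yet the reply is black-holed at R1 because R1 still points at the dead FW1; only once R1 has a backup path to R2 does the reply reach FW2. The NAT part is entirely under the firewall administrator's control; the last step depends on the ISP, which is the point the answer makes.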

Author Comment

ID: 24264669
Ok, so it is possible to have a manual NAT; excellent, that's what I need. If one FW dies, I have OSPF with default originate on the Internet routers, so the default gateway for those users will become the other FW with its Internet router; that's how I am managing the routes.

So if I can manually configure the 2 NAT rules in both sites, that is the best way.

If you have any additional comment about this, I will appreciate it.
If not, thank you very much for your help.

Best regards.

Expert Comment

ID: 24265071
The only comment I have is the usual one for anyone wanting to configure manual nat rules.


Make sure that you have the correct source and destination nets defined, and I would also leave the service as untranslated.

Good luck bud. :D

Author Comment

ID: 24265082
Thanks for your help my friend.

Best Regards.
