dsanc

asked on

Can I configure 2 NAT rules on one interface of a Checkpoint (Crossbeam FW)?

I have 2 sites that work independently of each other; if one site fails, the other one takes control. Having 2 separate private networks, one for each site, if one of the firewalls fails the switches will start sending the traffic to the other FW. NAT is configured on FW1 and FW2. For FW1 it will translate from 10.x.x.x /24 to 200.x.x.x, and FW2 from 192.168.x.x /24 to 190.255.x.x.

Is it possible for FW1 to be configured with a rule that translates 192.168.x.x /24 to 190.255.x.x,
and FW2 with a rule that translates 10.x.x.x /24 to 200.x.x.x?

Is it mandatory that the interface connecting the ROUTER to the FW belongs to the network that is doing NAT? Can it be a simple /30 and the NAT rules coexist on both FWs?

I am attaching a diagram.

Thanks for your answer.
BR
FW.pdf
deimark

I am unclear on the reasons why you want to do this or what the situation is.

As each firewall has its own public IP, all NATted traffic from it will appear to come from that public IP. If that firewall dies, then no amount of NATting will allow the other firewall to respond on a different public IP.

Do you also have VPNs on these devices?

If I understand you, you want each firewall to also have the public IP of the other one, to hide traffic behind should the other FW fail? Is that correct?

Until I understand a bit more, I think it's not possible here, as you will end up having duplicate public IPs on the internet, and it is likely that your upstream routers will not even route traffic for 190.x.x.x to FW1 or 200.x.x.x to FW2.

Can you elaborate a bit more on the reasoning behind the requirements, as there may be other options open to us.
dsanc

ASKER

Hi Deimark,

Each site is individual; behind the switches there is equipment that generates traffic from the private addresses on the diagram, 10.x.x.x for site 1 and 192.168.x.x for site 2. I have 2 public address segments, 190.x.x.x for Site 1 and 200.x.x.x for site 2. My problem is that I need redundancy between the 2 sites, and I need redundancy between the NAT of the 2 FWs. If FW2 fails, the switches will start forwarding traffic from site 2 to site 1, so FW1 should be able to do NAT for the network 192.168.x.x. Is it possible to use the same public segment as FW2? Or will I have to use another?

Thanks for your help.
BR
DK
Hmm, still not sure what you want here bud.

So, to allow me to confirm here:

1.  Do the switches in each site have a direct link to the other site? i.e. can they talk to each other (across the sites) without going over the internet?

2.  There is a line between the 2 firewalls; is this a link? Or do they talk over the internet?

3.  When there is a dead firewall, how does the switch detect this, and also how does it start to send the traffic to the other firewall and site?

4.  You say you need redundancy between the NAT on the 2 firewalls; can you elaborate on that please?

5.  Is there a VPN between the 2 sites?
dsanc

ASKER

Regarding your questions, I am attaching another diagram to see if I can explain myself better. Thanks for your patience.

1. The switches are connected to each other; they don't need to go to the internet to communicate.

2. Yes that line is also a layer 3 link that speaks OSPF.

3. The equipment detects this with a DNS that is connected to the FW; when they detect it is dead, they switch to the second DNS.

4. Yes, redundancy for both sites: if FW1 fails, site 1 will redirect traffic through site 2 (FW2), but FW2 should be able to translate the private network of Site 1.

5. There is no VPN between the sites.

Again thanks for your help.
BR

Visio-FW.pdf
ASKER CERTIFIED SOLUTION
deimark

dsanc

ASKER

Ok, so it is possible to have a manual NAT; excellent, that's what I need. If one FW dies, I have OSPF with default originate on the Internet routers, so the default gateway for those users will become the other FW with its Internet router; that's how I am managing the routes.

So if I can manually configure the 2 NAT rules in both sites, that is the best way.

If you have any additional comment about this, I will appreciate it.
If not, thank you very much for your help.

Best regards.
The only comment I have is the usual one for anyone wanting to configure manual NAT rules.

BE CAREFUL!!

Make sure that you have the correct source and destination nets defined, and I would also leave the service untranslated.

Good luck bud. :D
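A way to sanity-check the rulebase deimark describes (explicit source nets, service left untranslated, the same two manual rules installed on both firewalls so either FW can translate either site) before installing it. This is an added example and not part of the thread or any Check Point tooling; it uses Python's standard ipaddress module, constructed placeholder networks in place of the thread's 10.x, 192.168.x, 200.x and 190.255.x blocks, and assumes static 1:1 net-to-net translation, which the thread does not specify.

```python
from ipaddress import ip_network, ip_address

# Constructed placeholders for the two private nets and two public blocks.
SITE1_PRIV, SITE1_PUB = "10.1.1.0/24", "200.0.1.0/24"
SITE2_PRIV, SITE2_PUB = "192.168.1.0/24", "190.255.1.0/24"

def manual_nat_rule(orig_src, xlate_src, orig_dst="any", service="any"):
    """Hypothetical model of a manual NAT rule: explicit original and
    translated source nets, destination kept explicit, service untranslated."""
    return {"orig_src": ip_network(orig_src), "xlate_src": ip_network(xlate_src),
            "orig_dst": orig_dst, "service": service, "xlate_service": None}

# Both rules go on both firewalls, so a failover from either site still matches.
RULEBASE = [manual_nat_rule(SITE1_PRIV, SITE1_PUB),
            manual_nat_rule(SITE2_PRIV, SITE2_PUB)]

def lint(rules):
    """Pre-install checks: a translated service, a size mismatch between the
    original and translated nets, and overlaps between rules (overlapping
    original nets make first-match ambiguous; overlapping public nets would
    announce the same addresses from two sites)."""
    problems = []
    for i, a in enumerate(rules):
        if a["xlate_service"] is not None:
            problems.append(f"rule {i}: service should stay untranslated")
        if a["orig_src"].prefixlen != a["xlate_src"].prefixlen:
            problems.append(f"rule {i}: original and translated nets differ in size")
        for j, b in enumerate(rules[i + 1:], i + 1):
            if a["orig_src"].overlaps(b["orig_src"]):
                problems.append(f"rules {i},{j}: original source nets overlap")
            if a["xlate_src"].overlaps(b["xlate_src"]):
                problems.append(f"rules {i},{j}: translated nets overlap")
    return problems

def translate(rules, src_ip):
    """First-match lookup; static 1:1 mapping keeps the host part of the address."""
    ip = ip_address(src_ip)
    for r in rules:
        if ip in r["orig_src"]:
            offset = int(ip) - int(r["orig_src"].network_address)
            return str(ip_address(int(r["xlate_src"].network_address) + offset))
    return None  # no rule matched: the packet would leave untranslated
```

Running translate against RULEBASE with a site 2 address shows that the rule set on FW1 still maps it into the 190.255.x block after a failover.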
dsanc

ASKER

Thanks for your help my friend.

Best Regards.