How to manage Checkpoint UTM-1 Edge behind a (S&D) NAT Firewall with Smartdashboard.
Posted on 2009-05-18
I have the following situation for which I have not (yet) found a solution.
We have several sites connected with a mesh VPN on checkpoint NGX R65 where we manage the UTM-1 Edge devices centrally from SmartDashboard on the smartcenter server.
One site will be connected to our VPN community, but the Checkpoint UTM-1 Edge is behind a NAT firewall which will do source and destination NAT. (We do NOT manage that Firewall.)
NETWORK 1 = "public" network; this has the external interfaces of the other UTMs, which connect site to site with a direct tunnel as needed. (NET1)
NETWORK 2 = The new site's internal network with non-routable IPs. (NET2)
NETWORK 3 = The Internal network within the VPN I manage (Not applicable in the rest of this discussion)
They are connected like this:
NET1 <--> Firewall1 <--> NET2 <--> Firewall 2 (UTM-1 Edge) <--> NET3
We do not manage Firewall1, but it is configured with an external IP on NET1 which was assigned for the UTM-1 (FW2). So this is the IP that would have been on the external interface of the UTM-1 if it had been possible to connect to it directly.
Any incoming traffic to this IP is D(estination)NAT'ed to arrive on the external interface of the UTM-1 Edge, which has an internal IP in NET2. Because NET2 IPs are not transmittable over the public NET1, any (reply) traffic from the UTM-1 is S(ource)NAT'ed to the external IP as assigned on Firewall1 between NET1 and NET2.
So that neatly covers traffic to and from the UTM-1 to the other locations with a UTM and should in theory enable it to establish VPN tunnels to them. (Thus making NET3 available to other sites.)
The issue is this. When I add a UTM-1 Checkpoint in SmartDashboard I also add the topology of that device. How do I configure this so that the device knows the IP assigned to the external interface on the UTM-1, but also so that other sites know that that firewall is reachable by communicating with the assigned IP on Firewall1 between NET1 and NET2?
So what I want is a way to tell the other nodes in the network to talk to the routable external IP assigned to Firewall1 when setting up a VPN to this site, but have the UTM-1 on this site be manageable from the Smartcenter and know its network connections.
This is because I will lose the connection if I accidentally assign the external routable IP to the external interface of the UTM.
I hope this clearly describes the situation and I would be very happy with any help. I will keep an eye on this topic during CET work hours and reply to any further questions for details.
500 points are available, based on the fact that I could not find any relevant links when googling it, so I guess it's an advanced topic. I just had my NGX 1 and NGX 2 training, so it's hard to guesstimate how complicated this is; better to be on the safe side. Besides, once you are building VPNs over separate networks like this it's advanced anyway, even if it is sometimes a simple answer. If multiple people help me to the answer I'll split points.
Thanks in advance.