How to manage Checkpoint UTM-1 Edge behind a (S&D) NAT Firewall with Smartdashboard.

Posted on 2009-05-18
Medium Priority
Last Modified: 2013-11-16
Hello Experts,

I have the following situation for which I have not (yet) found a solution.
We have several sites connected with a mesh VPN on checkpoint NGX R65 where we manage the UTM-1 Edge devices centrally from SmartDashboard on the smartcenter server.

One site will be connected to our VPN community but the Checkpoint UTM-1 Edge is behind a NAT firewall which will do source and destination NAT. (We do NOT manage that Firewall.)

NETWORK 1 = "public" network, this has the external interfaces of the other UTMs, they connect site to site with a direct tunnel as needed. (NET1)
NETWORK 2 = The new site's internal network with non-routable IPs. (NET2)
NETWORK 3 = The Internal network within the VPN I manage (Not applicable in the rest of this discussion)

They are connected like this:
NET1 <--> Firewall1 <--> NET2 <--> Firewall 2 (UTM-1 Edge) <--> NET3
We do not manage Firewall1, but it is configured with an external IP on NET1 which was assigned for the UTM 1 (FW2). So this is the IP that would have been on the external interface of the UTM-1 if it would have been possible to connect to it directly.

Any incoming traffic to this IP is D(estination)NAT'ed to arrive on the external interface of the UTM-1 Edge, which has an internal IP in NET2. Because NET2 IPs are not transmittable over the public NET1, any (reply) traffic from the UTM-1 is S(ource)NAT'ed to the external IP as assigned on the Firewall1 between NET1 and NET2.

So that neatly covers traffic to and traffic from the UTM-1 to the other location with a UTM and should in theory enable it to establish VPN tunnels to them. (Thus making NET3 available to other sites.)

The issue is this. When I add a UTM-1 checkpoint in SmartDashboard I also add the topology of that device. How do I configure this so that the device knows the IP assigned to the external interface on the UTM-1, but also that other sites know that that firewall is reachable by communicating to the assigned IP on the Firewall 1 between NET1 and NET2?

So what I want is a way to tell the other nodes in the network to talk to the routable external IP assigned to Firewall1 when setting up a VPN to this site, but have the UTM-1 on this site be manageable from the Smartcenter and know its network connections.
This is because I will lose the connection if I accidentally assign the external routable IP to the external interface of the UTM.

I hope this clearly describes the situation and I would be very happy with any help. I will keep an eye on this topic during CET work hours and reply to any further questions for details.
500 points are available based on the fact that I could not find any relevant links when googling it, so I guess it's an advanced topic. I just had my NGX 1 and NGX 2 training, so it's hard to guesstimate how complicated this is, so better on the safe side. Besides, once you are building VPNs over separate networks like this it's advanced anyway, even if it is sometimes a simple answer. If multiple people help me to the answer I'll split points.

Thanks in advance.
Question by: mgijtenbeek
LVL 18

Expert Comment

ID: 24412189
This is an interesting one.

Normally in a full UTM-1 install, ie not an edge box, we can edit the VPN properties for the link selection. In the UTM-1 link selection, we would use a statically NATted IP address as hosted by an upstream router in this case, to use as the source for outgoing VPN connections. This would allow external hosts to connect to the NATted public address successfully and be passed through the external router to the UTM-1 firewall.

Now, with an edge, it's different as there is no statically NATted link selection available.

Have you tried to bring up a VPN between this edge and another one, using the public NAT address of the edge as hosted from firewall1?

Might be worth trying to create an edge object to use the public address from firewall1 as the main IP and then configure the encryption domain as NET3 (as a new object, manually configured)

Once done, test the VPN connectivity to see if it works.

If the NAT as configured on firewall1 is a complete 1 to 1 static mapping, then basic connectivity (webUI access etc) should work fine but not too sure on the VPN stuff.

Author Comment

ID: 24412757
Sadly I cannot try to bring up a VPN yet as the UTM-1 Edge has just been sent to the remote country.
I just discussed the configuration with my colleague and we discovered the error in the way we planned this. :-(

So if I do understand you correctly this is pretty simple to solve with a full UTM-1 as it offers the upstream NAT box as a supported option, the UTM-1 Edge just doesn't support "hiding" behind a NAT upstream router/firewall.

I figured the NATing should work with the web interface and such, but the entire reason it is there is for the VPN tunnel to connect it to other sites. I will try to create the objects you described as the device is delivered onsite, but that might take a while.

I now realize it might have been a bad idea to post this already as I cannot test any suggestions yet, but perhaps it will get the attention of others who know for sure if this is possible or not.
LVL 18

Expert Comment

ID: 24412851
Have a look at the demo instance of smartdashboard bud. Fire up the application and select demo and advanced from the drop down box.

This will open up a demo instance of the app including a set of configs that you can break. Needless to say you can't push any policies etc, but it will allow you to see the VPN link selection I mention.

The advanced database that you open has the full UTM-1 firewalls there, go to VPN > Link selection to see what I mean. There is also an edge there for review, so you can compare them both.

Of course for any VPN device it's preferred to have a proper public address for it, but as we know, it's not always possible. CP have installed this feature on the main firewall product but it does not seem to on the smaller edge devices.

Let us know how you get on though

Author Comment

ID: 24429364
Sorry to have kept you waiting, we had an outage on our NOC site to the network we use. First things first....

What I think we need is a way to inform the other nodes that they can reach the UTM-1 on a different IP than the one assigned to the external interface.

I think for this to work we'd need to make the Smartcenter server aware of the topology on that specific site, so I think I'd need to add the firewall I do not manage and add in that that device is the one connecting the reachable public IP's to the UTM-1 I manage. Am I on the right track here?

I also put in a case with our checkpoint contact to ask if the situation I described is supported with a UTM-1 Edge X, I will let you know. (If all else fails it will at least answer other people's question when they search and run into this post.)
LVL 18

Expert Comment

ID: 24429393
"I think for this to work we'd need to make the Smartcenter server aware of the topology on that specific site, so I think I'd need to add the firewall I do not manage and add in that that device is the one connecting the reachable public IP's to the UTM-1 I manage. Am I on the right track here?"

You have hit the nail on the head here. This is what's needed in your system, and it is taken care of in the full UTM-1 appliances, ie you can specify a different IP for VPN connections. This is CP's solution to the task.

I have had a dig around the edge docs, smartcentre info as well as my own edge box and can't see any way for us to do this on an edge. I may have missed a possible work around to this, but at the moment, I don't think it can be done on an edge.

We may need to look at doing some funky routing and network stuff to give the edge box a public IP from the firewall1.

Author Comment

ID: 24813583
Well, this seems like a strange case with no certain answer.

I have been in contact with our checkpoint support partner and several networking colleagues and some say it can work and some say it won't.
To help other people browsing EE and hitting this topic I will post the result here,
We will just configure the UTM-1 Edge and send it over. As this is to another country it will take some days and we have to wait for it to be installed so I don't know when I will update this.

If it works I'll post more details about how we configured it, if it doesn't I'll just close the topic with the closing comment that it is not possible.
LVL 18

Accepted Solution

deimark earned 1500 total points
ID: 25239835
I still have no clear answer for him I'm afraid.

A full SR raised with CP might shed some light on this to get a definitive answer from the vendor may be required here (not sure if the previous case raised was with CP direct or via a CCSP)

I think this is a limitation on the edge device.  I would try to move away from edges and buy the new UTM-1 130s, which are similar size but run SPLAT and full CP version, not the cut down rebadged sofaware install.

Author Comment

ID: 25739501
Well, I finally figured it out.

It needs NAT traversal to be enabled, UDP port 4500. Then it will work.
But you will need to enable this on any other Edge on other locations as well.

Sadly this was not something that we were able to enable on the client side in the different countries involved, so we fixed it with some VPN routing internally. (Workaround, but at least it works.)

So in short, yes the UTM-1 Edge X does support NAT traversal, just not as easy as the bigger more feature complete models higher up the price range.

However, that does answer your question, for any people looking up this topic.
My apologies for taking this long, but then again, this has only just been solved last month, because I'm always waiting on other parties.
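To show why NAT traversal on UDP 4500 is what made the tunnel work, here is an added, simplified model of IKEv1 NAT-Discovery (RFC 3947) for the topology in this thread; it is example code, not from the original post or from Check Point, and the cookies and addresses are constructed. The Edge hashes the external address it knows (its NET2 address); the remote peer recomputes the hash over the address it actually received from (Firewall1's public SNAT address), and the mismatch is what tells both peers to float from UDP 500 to UDP 4500.

```python
"""Simplified IKEv1 NAT-D (RFC 3947) check for an Edge behind an S/D-NAT firewall.

Constructed example: the UTM-1 Edge sits in NET2 behind Firewall1, which NATs it
to a public NET1 address. Each peer sends NAT-D hashes of the address it believes
it is using; the receiver recomputes them over the address seen on the wire. A
mismatch means a NAT is in the path and both sides must use UDP 4500 (NAT-T).
"""
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port)."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()  # assumes SHA-1 was the negotiated hash


def nat_detected(cky_i, cky_r, claimed, observed):
    """True when the NAT-D hash a peer sent (over `claimed`) differs from the
    hash recomputed over the (ip, port) the packet really arrived from."""
    return nat_d_hash(cky_i, cky_r, *claimed) != nat_d_hash(cky_i, cky_r, *observed)


def nat_d_exchange(edge_ext, fw1_snat, peer_ext):
    """Phase 1 NAT-D between the Edge (initiator) and a remote UTM (responder).
    edge_ext: the Edge's real external IP (a NET2 address)
    fw1_snat: the public address Firewall1 SNATs the Edge to
    peer_ext: the remote peer's public address (assumed not NATed)"""
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8  # constructed IKE cookies
    # The Edge hashes edge_ext:500; the peer sees the packet from fw1_snat:500.
    edge_natted = nat_detected(cky_i, cky_r, (edge_ext, 500), (fw1_snat, 500))
    # The peer hashes peer_ext:500; the Edge sees exactly that, so no NAT there.
    peer_natted = nat_detected(cky_i, cky_r, (peer_ext, 500), (peer_ext, 500))
    port = 4500 if (edge_natted or peer_natted) else 500
    return {"edge_behind_nat": edge_natted, "peer_behind_nat": peer_natted,
            "udp_port": port}


if __name__ == "__main__":
    # Documentation-range addresses, constructed; not the thread's real ones.
    print(nat_d_exchange("10.20.0.2", "203.0.113.10", "198.51.100.5"))
```

The returned `udp_port` of 4500 is the port every Edge in the community has to permit and have NAT-T enabled for, as the post above concludes.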

Author Comment

ID: 25739520
In closing, I'll accept Deimark's replies as a solution because he did a lot of work to help me out.
I'll award him the points, read the rest of the topic to see if it will help future EE users.

Author Closing Comment

ID: 31582566
Points awarded because he did a lot of work and assisted greatly, but when my CP support company and several other sources don't know the answer sometimes you just have to try as we did and see how it works out.

Basically he did the research and came to the same conclusion, being that it was unclear whether it would work or not.
LVL 18

Expert Comment

ID: 25739554
Sorry to hear that you had such trouble getting the work around but glad that at least you got something out of it.
