CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

1. CCSA/CCSE One-Week Dual-Certification Training Course with CPUG in San Francisco!
    Courses Starting 12/8, (2009) 1/19, 2/9, 3/9, 4/6, 5/4, 6/8, 7/6, 8/3.
2. Join Us On LinkedIn - We now have a CPUG group.


Go Back   CPUG: The Check Point User Group > Check Point Firewall-1/VPN-1 And Related Products > NAT (Network Address Translation)
NAT issues from the gateway itself NAT issues from the gateway itself
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
 
LinkBack Thread Tools Display Modes
  #1 (permalink)  
Old 2006-03-20
Member
  
Join Date: 2006-01-07
Posts: 32
Rep Power: 0
philofish has an average reputation (10+)
Default NAT issues from the gateway itself
Dear All

I think i have narrowed down the solution to why i am having problems with a simplified VPN install - Apprently the remote gateway is looking up the internal IP address of the smart centre server which sits behind the local gateway and cannot obtain the CRL - thats why i am getting an invalid certificate error message in the logs - apparently

The checkpoint solution is to NAT the the smart centre servers destination private address to the smart centre servers public address on the remote gateways NAT rules

What i mean is [test lab]
remote gateway - external ip = 192.168.40.1

Local gateway - public ip = 192.168.30.1
Local gateway - internal ip = 192.168.5.1
smart centre server = 192.168.5.40

Problem
The problem is that remote gateway cannot obtain the CRL (certification revocation list) from the local smart centre server located behind the local gateway

Solution

I apparently have to NAT from the remote gateway using the following method -

Taken from checkpoint site
For the remote gateway, the following network address translation rule should be placed at the top of the network address translation rules:

ORIGINAL PACKET
SOURCE: Remote gateway
DESTINATION: <internal private IP address of management module>
SERVICE: fw1_ica_services
TRANSLATED PACKET
SOURCE: = Original
DESTINATION: <statically NATed IP address of management module>
SERVICE: = Original


The thing is it doesn't work - how do i get the remote gateway to perform destination NAT?
When i fire up a connection the destination address is still that of the private IP address of the management server and not the NATTED public address - thus the connection drops at the router in the middle
I can do this with hosts behind the remote gateway - as i think NAT is performed on the ingress NIC - but with the gateway the NAT is on the egress NIC as it can send remote traffic only one way!

Has anyone done this before - its baffling me!

Many Thanks

PS - there is no XLATE DST in the logs !
Last edited by philofish; 2006-03-20 at 12:38.
Reply With Quote
  #2 (permalink)  
Old 2006-03-21
Senior Member
  
Join Date: 2006-01-26
Location: Moscow, Russia
Posts: 706
Rep Power: 3
kva.kva has an average reputation (10+)
Default Re: NAT issues from the gateway itself
Try to use automatic static nat (in properties SC object) with option "Apply for VPN-1 Pro/Express control connections".
Reply With Quote
Reply

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are Off
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


All times are GMT -7. The time now is 12:05.

Contact Us - CPUG Home Page - Archive - Top

Powered by vBulletin® Version 3.7.4
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.2.0