CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

  #1 (permalink)  
Old 2006-06-06
Member
 
Join Date: 2006-02-21
Location: 127.0.0.1
Posts: 56
Rep Power: 3
runcmd has an average reputation (10+)
NAT Multiple External IPs to one DMZ IP

We have multiple external facing IP addresses that we would like to NAT to a single DMZ IP address. For example:

1.0.0.1 - 1.0.0.20 (External) : NAT to : 172.16.0.30 (DMZ)

What I want to accomplish is: Traffic to any IP between 1.0.0.1 and 1.0.0.20 is NAT'ed to the single 172.16.0.30 address.

Is there an easy way this can be done?... Is it possible to specify a range when configuring NAT on a node? If not, can I just create multiple nodes with the same DMZ IP and then NAT each one to a different external IP address? Thanks in advance for any and all responses!
  #2 (permalink)  
Old 2006-06-06
Senior Member
 
Join Date: 2005-11-21
Location: Europe, Lithuania
Posts: 291
Rep Power: 4
Sergej has an average reputation (10+)
Re: NAT Multiple External IPs to one DMZ IP

I'm not sure this is supported. But you can try (your second option) and provide the feedback here.
  #3 (permalink)  
Old 2006-06-06
Senior Member
 
Join Date: 2006-04-30
Location: Europe, Germany
Posts: 153
Rep Power: 3
dsb.nepo has an average reputation (10+)
Re: NAT Multiple External IPs to one DMZ IP

Maybe you can do the following trick:
- add IP aliases from 172.20.0.31-39 to the machine (so the machine takes 10 IPs)
- create 10 external and 10 internal objects
- handle every IP pair as its own (arp/route/nat ...)

If you have only one application, check with lsof, sockstat, netstat or whatever the system has whether the application listens on *:PORT.

I do this with some application servers without problems.
  #4 (permalink)  
Old 2006-06-07
Member
 
Join Date: 2006-02-21
Location: 127.0.0.1
Posts: 56
Rep Power: 3
runcmd has an average reputation (10+)
Re: NAT Multiple External IPs to one DMZ IP

If you try to create two nodes with the same IP, but different NATs, you encounter the following error when you attempt to publish:

Quote:
Policy: Advanced Security
Status: Error
Node1 and Node2 have the same IP address and both have network address translation
  #5 (permalink)  
Old 2006-06-07
Member
 
Join Date: 2006-01-04
Location: Germany
Posts: 36
Rep Power: 0
Tetaworx has an average reputation (10+)
Re: NAT Multiple External IPs to one DMZ IP

Quote:
Originally Posted by runcmd
[...]
What I want to accomplish is: Traffic to any IP between 1.0.0.1 and 1.0.0.20 is NAT'ed to the single 172.16.0.30 address.
[...]
You can only achieve this with manual NAT rules, I think.

Create a network object for each of the twenty external NATed IPs and use them as the original packet destination of the manual NAT rule. As the translated packet destination, use the internal network object with your IP 172.16.0.30.

If this is the first manual NAT rule in your rule base, take care of "Global Properties -> NAT -> Manual NAT rules -> Translate destination on client side".

If external connections should be initiated inside->out from 172.16.0.30 to the internet, you need a manual hide NAT, too.

-Dennis
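
The manual NAT approach from the last post, as a simplified Python model added here (not part of the thread and not Check Point's implementation): it shows why replies need connection state to get the right external IP back, and why connections opened by 172.16.0.30 need a separate hide rule. The hide address 1.0.0.1, the class and method names, and the client addresses are assumptions.

```python
import ipaddress

ip = ipaddress.ip_address
# Addresses from the thread; HIDE_IP is an assumed choice for the hide NAT rule.
EXTERNAL = {ip("1.0.0.1") + i for i in range(20)}   # 1.0.0.1 - 1.0.0.20
DMZ = ip("172.16.0.30")
HIDE_IP = ip("1.0.0.1")


class NatGateway:
    """Toy stateful NAT: one manual destination rule plus an optional hide rule."""

    def __init__(self, hide_rule=True):
        self.hide_rule = hide_rule
        # (client_ip, client_port, server_port) -> external IP the client hit
        self.conns = {}

    def inbound(self, src, sport, dst, dport):
        """Client -> external IP: translate the destination to the DMZ host."""
        src, dst = ip(src), ip(dst)
        if dst not in EXTERNAL:
            return None                         # no NAT rule matches
        self.conns[(src, sport, dport)] = dst   # state needed for the reply
        return (src, sport, DMZ, dport)

    def reply(self, sport, dst, dport):
        """DMZ host -> client: restore the external IP the client addressed."""
        dst = ip(dst)
        original = self.conns.get((dst, dport, sport))
        if original is None:
            return None                         # not a reply to a known connection
        return (original, sport, dst, dport)

    def outbound(self, dst, dport, sport=40000):
        """DMZ host opens a connection: the 20-to-1 rule has no unique inverse."""
        if not self.hide_rule:
            return (DMZ, sport, ip(dst), dport)  # leaves with its private source
        return (HIDE_IP, sport, ip(dst), dport)


if __name__ == "__main__":
    gw = NatGateway()
    print(gw.inbound("203.0.113.5", 51000, "1.0.0.7", 80))
    print(gw.reply(80, "203.0.113.5", 51000))
    print(gw.outbound("198.51.100.9", 443))
```
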