CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Translating Both Source And Destination IP

Contributed by BenSmith. Published in geeklog Wednesday, June 25 2003 @ 07:00 PM EST. Published in oldfaq 02-Nov-23 00:48 dwelchATphoneboyDOTcom.

Consider the following situation:

10.0.0.0/24 ---------- FireWall ----------- 192.168.0.0/24

You need a few hosts on the 10.0.0.0 network to talk to a host on the 192.168.0.0 network. For political and technical reasons, no 192.168.0.0 IP address may appear on the 10.0.0.0 network and vice versa. FireWall-1 lets you do this by translating both the source and destination IP addresses, also known as dual address translation.

The steps you need to take are much the same as for ordinary NAT (for specific commands, see either Routing and ARP issues with NAT or Sample Configuration with NAT). This means:

1. Creating an ARP entry on the firewall for 10.0.0.10 using the MAC address of the firewall's interface on the 10.0.0.0 network
2. Creating a static route on the firewall for 10.0.0.10 that points to the untranslated IP, 192.168.0.10 (e.g. route add 10.0.0.10 192.168.0.10 1)
3. Creating the appropriate network objects and rules
4. Adding the translated IP address to the appropriate anti-spoofing configuration

Assuming the following objects:

- Net-10-0-0-0 for the 10.0.0.0/24 network
- Host-192-168-0-10 for the host you wish to access on the 192.168.0.0/24 network
- Host-10-0-0-10 for the translated IP of 192.168.0.10
- fw-hide-192-168-0-1 for the firewall's IP on 192.168.0.0/24

your NAT rule would look like this:

| No. | Original Source | Original Destination | Original Service | Translated Source | Translated Destination | Translated Service |
|---|---|---|---|---|---|---|
| 1 | Net-10-0-0-0 | Host-10-0-0-10 | Any | fw-hide-192-168-0-1 (H) | Host-192-168-0-10 | Orig |

This NAT rule allows any host on the 10.0.0.0/24 network to reach 192.168.0.10 by connecting to its translated address, 10.0.0.10. Those hosts will appear as 192.168.0.1 on the 192.168.0.0/24 network. Note that you will also need to add an appropriate rule to the security policy to permit access to 10.0.0.10.
-- RayLodato - 13 Jan 2004
FAQs.Class: NetworkAddressTranslationFAQs
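To make the dual translation concrete, the following Python simulation of NAT rule 1 is added here as an example; it is not Check Point code and does not talk to FireWall-1. It applies the rule to a packet from a constructed client 10.0.0.5, reverse-translates the reply through a hide-NAT port table (port pool start is an assumption), and checks that neither side ever sees the other side's addresses.

```python
import ipaddress

# Objects from the FAQ (constructed here for the simulation, not Check Point code)
NET_10_0_0_0 = ipaddress.ip_network("10.0.0.0/24")
NET_192_168_0_0 = ipaddress.ip_network("192.168.0.0/24")
HOST_192_168_0_10 = ipaddress.ip_address("192.168.0.10")   # real server
HOST_10_0_0_10 = ipaddress.ip_address("10.0.0.10")         # its translated IP
FW_HIDE_192_168_0_1 = ipaddress.ip_address("192.168.0.1")  # firewall's hide address

class DualNat:
    """Applies NAT rule 1 (service Any) in both directions using a hide-NAT port table."""

    def __init__(self, first_hide_port=10000):
        self.next_hide_port = first_hide_port  # assumed start of the hide port pool
        self.table = {}  # hide port -> (original client IP, original client port)

    def outbound(self, src, sport, dst, dport):
        """Packet from 10.0.0.0/24 to the translated address; returns (src, sport, dst, dport)."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src not in NET_10_0_0_0 or dst != HOST_10_0_0_10:
            return None  # rule does not match, e.g. client used the untranslated 192.168.0.10
        hide_port = self.next_hide_port
        self.next_hide_port += 1
        self.table[hide_port] = (src, sport)
        # Source hidden behind the firewall, destination rewritten to the real server
        return (str(FW_HIDE_192_168_0_1), hide_port, str(HOST_192_168_0_10), dport)

    def inbound(self, src, sport, dst, dport):
        """Reply from the real server to the hide address; undo both translations."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src != HOST_192_168_0_10 or dst != FW_HIDE_192_168_0_1 or dport not in self.table:
            return None  # no matching connection, so the reply is not translated
        client_ip, client_port = self.table[dport]
        return (str(HOST_10_0_0_10), sport, str(client_ip), client_port)

def leaks(packet, forbidden_net):
    """True if either address in the packet belongs to the network it must never appear on."""
    return any(ipaddress.ip_address(a) in forbidden_net for a in (packet[0], packet[2]))

if __name__ == "__main__":
    nat = DualNat()
    out = nat.outbound("10.0.0.5", 40000, "10.0.0.10", 80)  # 10.0.0.5 is a constructed client
    back = nat.inbound("192.168.0.10", 80, "192.168.0.1", out[1])
    print("seen on 192.168.0.0/24:", out, "leaks 10.x:", leaks(out, NET_10_0_0_0))
    print("seen on 10.0.0.0/24:", back, "leaks 192.168.x:", leaks(back, NET_192_168_0_0))
```

The `outbound` check also shows why the security policy must permit traffic to 10.0.0.10 rather than 192.168.0.10: a client that addresses the real IP never matches the NAT rule.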