CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi Guys: I have been attempting to solve this problem for a week now, and the closest I have gotten is the following. I believe the answer is the creation of an ARP table on both clusters (running R60 SPLAT), but my superior insists it could be automatically resolved without the use of the ARP tables.

Scenario: Passing Location A's Public DMZ traffic to Location B's Public DMZ (bi-directional) through the internal network; both are our LAN. One CP cluster is in Location A (Cuda1) and another cluster in Location B (Cuda2). The following layout works since the router at Location 2 holds an ARP table for member 1. Thus, if the cluster fails over, it will stop functioning. Note: both clusters, Location A and Location B, are managed by the same policy.

Current working layout

NAT Rules -- Manual, at top of list:
    cuda1_ext   cuda2_ext   nat_cuda1   nat_cuda2   ; trans DMZ to Int on LOCA1
    nat_cuda1   nat_cuda2   cuda1_ext   cuda2_ext   ; trans Int to DMZ on LOCA2
    nat_cuda2   nat_cuda1   cuda2_ext   cuda1_ext   ; trans DMZ to Int on LOCA2
    cuda2_ext   cuda1_ext   nat_cuda2   nat_cuda1   ; trans Int to DMZ on LOCA1

Rule Base:
    cuda1_ext   cuda1_ext   ANY   Log
    cuda2_ext   cuda2_ext
    nat_cuda1   nat_cuda1
    nat_cuda2   nat_cuda2

Router at Location B (Cuda2) has an ARP table for Cuda2.

Thank you for your feedback and any clues you may provide.
Sounds more like a routing issue to me. Can't you just route Location B's Public DMZ IP addresses on Cluster A to route internally, and vice versa? Or are both Public DMZs sharing the same IP space?
Thank You Thorpuse: Yes, both DMZs share the exact IP scheme. If I am understanding you correctly, this would mean adding both external IPs to the anti-spoofing rule of the internal network, which is what I am trying to prevent. Thank you for your input.... I am trying to see if someone has run into the same scenario in the past and has been able to resolve it differently. Much like bachelor's C++ and Java courses, where the professor always wanted less code for the same result. :) Thank You.
Still sounds like a routing problem though - but now your problem is that you want to route the same IP range to two different locations. At this point it's not a problem you solve with your firewall, but with your routers. Whether that be through some sort of dynamic routing protocol or preferencing is up to you, but it's not a firewall issue.