CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1  2008-04-15  sebastan_bach (Senior Member)
Subject: same internal host mapped to 2 different static ip address

Hi all, I am trying to figure out a way by which I can map the same internal host to 2 different external IP addresses for different sets of destinations.

Right now, when we configure a static address for an internal host, then no matter where the destination is, the source will always be translated to the same static address.

In my case I have an internal host, and I want it mapped to ext IP 1 for my intranet users and to ext IP 2 for internet users.

This is called policy static NAT in Cisco.

When I try to configure two nodes with the same IP address, configure the policy and push it to the enforcement module, it gives an error saying I cannot map the same IP address to 2 hosts.

Is there a way of achieving this?

regards

sebastan
#2  2008-04-15  dbedit (Senior Member, The Netherlands)
Re: same internal host mapped to 2 different static ip address

Try to use manual NAT with the option 'add(static)' in the source of your translated packet; I think that should work. Define two nodes with external IP addresses for use with 'add(static)'.
Do not use NAT on the object (automatic).
#3  2008-04-15  sebastan_bach (Senior Member)
Re: same internal host mapped to 2 different static ip address

Hi mate, thanks a lot for your reply. You mean to say I can map the same internal host to 2 different external IP addresses using manual static NAT, right?

I will surely try this out in an hour and let you know.

Thanks a lot once again.

regards

sebastan
#4  2008-04-15  coldark (Member, Cheshire UK)
Re: same internal host mapped to 2 different static ip address

[EDIT:] After reading your other post in the other NAT thread I may have got the wrong end of the stick - however - what I have written is true for the situation I am showing in my diagram.

Assuming you have already got a node object created for Int_Host and network objects created for Intranet_User_IP_Net and Internet_User_IP_Net:

1) Create a new "Node Host" object for your Ext_IP_1 (NAT) address - do not set up automatic NAT on this object.
2) Create a new "Node Host" object for your Ext_IP_2 (NAT) address - do not set up automatic NAT on this object.
3) Manually add 2 new "Address Translation" rules under the "Address Translation" tab of the rulebase:

Original Source      | Original Dest | Service | Xlated Source | Xlated Dest | Xlated Service | Comment
Intranet_User_IP_Net | Ext_Ip_1      | Any     | =             | Int_Host    | =              | Comment as req
ANY                  | Ext_Ip_2      | Any     | =             | Int_Host    | =              | Comment as req

Ensure that there are "Security" rules under the "Security" tab of the rulebase to allow traffic from these external groups to the NAT addresses:

Intranet_User_IP_Net | Ext_Ip_1 | Any Traffic | Appropriate Services | Accept
ANY                  | Ext_Ip_2 | Any Traffic | Appropriate Services | Accept

Under "Policy Menu > Global Properties > NAT > Manual NAT Rules" check "Translate Destination on the Client Side"

Finally - you will also need either
1) routes on the upstream router to route traffic destined to the NAT addresses onto the FW External NIC. or
2) your FW must respond to arp requests on behalf of the NAT addresses (set up proxy arps).

Last edited by coldark; 2008-04-15 at 06:16. Reason: Qualification
#5  2008-04-15  sebastan_bach (Senior Member)
Re: same internal host mapped to 2 different static ip address

Hi mate, thanks a lot for your detailed reply, mate.

It was really helpful. Mate, the problem with the rulebase is that I want the intranet people to access the internal server on ext_ip1 only and not by ext_ip2. Similarly, the internet users should access the internal server by ext_ip2 only and not by ext_ip1.

Now for the internet users my network object will be set to Any, as I do not know the IP addresses from the internet.

So my rule base actually is like this:

intranet | ext_ip1 | any | accept
intranet | ext_ip2 | any | drop
internet | ext_ip1 | any | drop
internet | ext_ip2 | any | accept

Will this work? I mean, is the rulebase right?

I guess we only need to add the manual proxy ARP entries when we are using manual NAT, right? If we were using automatic static NAT then we do not need manual proxy entries, right mate?

Please confirm the same, mate.

Thanks a lot for your detailed explanation.

regards

sebastan
#6  2008-04-15  coldark (Member, Cheshire UK)
Re: same internal host mapped to 2 different static ip address

Of course, with internet users then yes, you will be using ANY - I have edited my original post to reflect this.

Will both your internet and intranet users be entering your network via the same interface (as shown in my original diagram), or is it more like...


INTERNET USERS
||
||
||
FW========INT_HOST
||
||
||
INTRANET USERS
#7  2008-04-15  sebastan_bach (Senior Member)
Re: same internal host mapped to 2 different static ip address

Hi mate, yes, both the intranet and the internet are connected on the same external interface of the gateway, and both will be entering the network using the same interface.

Will my config work?

regards

sebastan
#8  2008-04-15  lammbo (Senior Member, Charleston, SC)
Re: same internal host mapped to 2 different static ip address

Just curious, but why would the internal users need to hit ext1 ip at all? Why not just allow intranet to hit the internal IP?

Is this in any way related to your other post?

If so, my recommendation to you is to proceed with the 1 rule, 1 NAT as described in the other post.
#9  2008-04-15  coldark (Member, Cheshire UK)
Re: same internal host mapped to 2 different static ip address

if your intranet users must use NAT then I would set it up as I have suggested in my (rather long) post above. Otherwise, what lammbo suggests is fine.

Assuming you still need to go with the longer option, as for the security policy rules that you suggest:

intranet | ext_ip1 | any | accept
intranet | ext_ip2 | any | drop    <===== Not req'd if you have a Cleanup
ANY      | ext_ip1 | any | drop    <===== Not req'd if you have a Cleanup
ANY      | ext_ip2 | any | accept

On their own they are not enough; you DO have to configure NAT objects, manual NAT rules, and proxy ARPs.

*OFF TOPIC* you might want to restrict the services, and not use "any"

Last edited by coldark; 2008-04-15 at 07:09.
#10  2008-04-15  sebastan_bach (Senior Member)
Re: same internal host mapped to 2 different static ip address

Hi mate, thanks for your reply. Yeah, I got what lammbo was saying.

That is, I could allow the intranet users to access internal users directly, which I can achieve with auto static NAT, right? But when I want to map the internal host to multiple external IPs, I guess manual static NAT is the only option we have, right?

Thanks a lot, guys.

Coldark mate, I guess I will have to build those 4 rules, because as I told you, for the internet my network object is actually Any. So even though I have a cleanup rule at the end (which I actually have),

when the intranet users try to access ext_ip2 they will get access, because they get matched by the network object Any.

So to restrict the intranet users to access only by ext_ip1 and the internet users to access only by ext_ip2, I guess I will need those 4 rules.

What do you say?

Mate, thanks a lot once again. Learning Check Point with people like you guys in the forum, it's fun and easy.

Thanks to all.

regards

sebastan
#11  2008-04-15  lammbo (Senior Member, Charleston, SC)
Re: same internal host mapped to 2 different static ip address

Quote:
Originally Posted by sebastan_bach
Coldark mate, I guess I will have to build those 4 rules, because as I told you, for the internet my network object is actually Any. So even though I have a cleanup rule at the end (which I actually have),

when the intranet users try to access ext_ip2 they will get access, because they get matched by the network object Any.

So to restrict the intranet users to access only by ext_ip1 and the internet users to access only by ext_ip2, I guess I will need those 4 rules.
Actually, since the rulebase is checked for a match sequentially, as long as the Intranet users' rule is first, it will match there and not continue to the next rule for SRC = Any that matches the second public IP.

I believe this is the point coldark was making.

Edit: This may also cause you some issues with outbound traffic as well, though, since the NAT rules are also processed sequentially. You must ensure that the manual NAT rules you put in place NAT both ways to internal subnets only, and this NAT must be above the public NAT. Then, on your public NAT rules, you can use Any as a SRC so external connections will also NAT back on the correct IP (Public_NAT2).
Last edited by lammbo; 2008-04-15 at 10:02.

#12  2008-04-15  sebastan_bach (Senior Member)
Re: same internal host mapped to 2 different static ip address

Hi mate, thanks for your reply.

But I tried as you said.

With the first rule permitting from intranet to ext_ip1, my next rule is permit internet, that is Any, to ext_ip2. Third is a cleanup rule.

With this, the intranet is able to access both ext_ip1 and ext_ip2 as well.

I guess Check Point matches both the source and destination in the rule base, and not just the source in the rules.

Because in the FW log I can see that when intranet is accessing ext_ip2 it matches the second rule.

The rule base which you mentioned to me is not working, man.

And right now my policies are only for permitting from external networks to my internal hosts on the NATted IP.

regards

sebastan
#13  2008-04-15  lammbo (Senior Member, Charleston, SC)
Re: same internal host mapped to 2 different static ip address

Ahh yes, you are correct, my mistake. The Destination is different in the second rule so if they have a link to the second public IP, it would still work, but it would be an issue with NAT still.

So instead of an explicit block rule, you could change the SRC = Any in the second rule to be SRC = (Negated) Intranet and the rulebase will be cleaner. The NAT sequence still applies.
#14  2008-04-15  coldark (Member, Cheshire UK)
Re: same internal host mapped to 2 different static ip address

Couple of points:

1) Sorry - yes, again I kind of assumed that you knew that rulebase rules were dealt with sequentially - if a rule is matched then the action for that rule is taken and that's it - it DOES NOT match any further rules. (Note 1)

2) And yes - silly me, Intranet does match the "any | Ext_Ip_2 | Acc" rule - so do as lammbo suggests and have:

  intranet | ext_ip1 | any | accept
X intranet | ext_ip2 | any | accept   <===== the negated cell is made by using the intranet object in the SRC column and then right-clicking and selecting "NEGATE CELL"

3) Just a point on what I was mentioning earlier - all my info was designed for traffic ORIGINATING from either Intranet_Users or Internet_Users. This is called Static Destination mode. What I have created is correct IMHO (with the exception of point (2) above) :-)

You only need the "reflexive" rules if traffic will be ORIGINATING from the Internal_Host - which I assumed would not be happening (this new situation being Static Source mode).

Remember, with Firewall-1 replies are stateful, so they do not need an explicit rule to allow communication.

Note 1: There is only one exception to that statement - which only arises when using user authentication ;-)

Last edited by coldark; 2008-04-15 at 14:15.
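Editor's added example (not from the thread, and not Check Point code): a small Python model of the first-match behaviour discussed in posts #4, #11, #12, #13 and #14. It evaluates a security rule base where both source and destination must match (the point sebastan_bach saw in his logs in post #12), shows the negated-source fix from posts #13 and #14, and runs the four manual NAT rules in the order post #11 recommends, including what happens when the Int_Host-to-Any rule is placed above the Int_Host-to-intranet rule. All addresses (10.10.0.0/16, 192.168.1.10, 203.0.113.1, 203.0.113.2, 198.51.100.7) and the client samples are assumed values chosen for the example; the rule columns follow the Original/Translated layout used in the thread.

```python
"""Model of first-match security and manual NAT rule evaluation.
Added example for this thread; not Check Point code.  All addresses are assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed addresses for the object names used in the thread (hypothetical).
OBJECTS = {
    "Intranet_User_IP_Net": ip_network("10.10.0.0/16"),
    "Int_Host": ip_network("192.168.1.10/32"),
    "Ext_Ip_1": ip_network("203.0.113.1/32"),  # NAT address offered to intranet users
    "Ext_Ip_2": ip_network("203.0.113.2/32"),  # NAT address offered to internet users
    "Any": ip_network("0.0.0.0/0"),
}


def in_obj(obj: str, addr: str, negate: bool = False) -> bool:
    """True if addr belongs to the named object; negate=True models 'Negate Cell'."""
    hit = ip_address(addr) in OBJECTS[obj]
    return (not hit) if negate else hit


@dataclass(frozen=True)
class SecRule:
    src: str
    dst: str
    action: str            # "accept" or "drop"
    negate_src: bool = False


def match_security(rules: List[SecRule], src: str, dst: str) -> Tuple[int, str]:
    """First match wins, and a rule matches only if BOTH source and destination match.
    Returns (rule number, action); rule 0 is the implicit cleanup (drop)."""
    for n, rule in enumerate(rules, start=1):
        if in_obj(rule.src, src, rule.negate_src) and in_obj(rule.dst, dst):
            return n, rule.action
    return 0, "drop"


@dataclass(frozen=True)
class NatRule:
    orig_src: str
    orig_dst: str
    xlate_src: Optional[str]   # None means "=" (leave unchanged)
    xlate_dst: Optional[str]


def apply_nat(rules: List[NatRule], src: str, dst: str) -> Tuple[str, str, int]:
    """Manual NAT rules are also first-match. Returns (new src, new dst, rule number)."""
    for n, rule in enumerate(rules, start=1):
        if in_obj(rule.orig_src, src) and in_obj(rule.orig_dst, dst):
            new_src = str(OBJECTS[rule.xlate_src].network_address) if rule.xlate_src else src
            new_dst = str(OBJECTS[rule.xlate_dst].network_address) if rule.xlate_dst else dst
            return new_src, new_dst, n
    return src, dst, 0   # no NAT rule matched


# Security policy as it stood in post #12: intranet users hit rule 2 for ext_ip2.
POLICY_BROKEN = [
    SecRule("Intranet_User_IP_Net", "Ext_Ip_1", "accept"),
    SecRule("Any", "Ext_Ip_2", "accept"),
]

# Fix from posts #13 and #14: negate the intranet object in the source of rule 2.
POLICY_FIXED = [
    SecRule("Intranet_User_IP_Net", "Ext_Ip_1", "accept"),
    SecRule("Intranet_User_IP_Net", "Ext_Ip_2", "accept", negate_src=True),
]

# Manual NAT: inbound (translate destination) and outbound (translate source).
# The intranet-specific rules sit above the Any rules, as post #11 advises.
NAT_ORDERED = [
    NatRule("Intranet_User_IP_Net", "Ext_Ip_1", None, "Int_Host"),
    NatRule("Any", "Ext_Ip_2", None, "Int_Host"),
    NatRule("Int_Host", "Intranet_User_IP_Net", "Ext_Ip_1", None),
    NatRule("Int_Host", "Any", "Ext_Ip_2", None),
]

# Same rules with the outbound pair swapped: Int_Host -> Any now shadows the intranet rule.
NAT_SWAPPED = [NAT_ORDERED[0], NAT_ORDERED[1], NAT_ORDERED[3], NAT_ORDERED[2]]


def outbound_source(nat: List[NatRule], dst: str) -> str:
    """Source address Int_Host appears as, after NAT, when it talks to dst."""
    return apply_nat(nat, "192.168.1.10", dst)[0]


if __name__ == "__main__":
    intranet_user, internet_user = "10.10.5.5", "198.51.100.7"   # constructed sample clients
    for name, policy in (("broken", POLICY_BROKEN), ("fixed", POLICY_FIXED)):
        for src in (intranet_user, internet_user):
            for dst in ("203.0.113.1", "203.0.113.2"):
                print(name, src, "->", dst, match_security(policy, src, dst))
    print("ordered NAT, Int_Host -> intranet:", outbound_source(NAT_ORDERED, intranet_user))
    print("ordered NAT, Int_Host -> internet:", outbound_source(NAT_ORDERED, internet_user))
    print("swapped NAT, Int_Host -> intranet:", outbound_source(NAT_SWAPPED, intranet_user))
```

Run it directly to print every combination. The model evaluates the security policy on the original (pre-NAT) addresses because the thread's security rules name the NAT addresses, and it deliberately leaves out services, stateful replies and proxy ARP. Note that with the NAT rules alone an intranet client sent to Ext_Ip_2 would still be translated by the Any rule; it is the negated security rule, not the NAT table, that keeps intranet users off ext_ip2.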
#15  2008-04-15  sebastan_bach (Senior Member)
Re: same internal host mapped to 2 different static ip address

Hi mate, thanks a lot for your replies. Yeah, my scenario was for connections going from the external to internal, so no explicit rules are required for return traffic from internal to external. My setup is working as required now.

But now I also want the internal host to send traffic to the intranet and the internet as well.

Now since I am using auto static NAT, whenever the internal host is sending traffic to the external network, where both the intranet and internet are present, the host is always translated to the static IP specified.

Is there a way that I can configure that when my internal host sends traffic to the intranet it should always look like ext_ip1, and when it sends traffic to the internet it should always look like ext_ip2?

Is this possible with manual static NAT?

What I am trying to achieve here is that when intranet is accessing the internal host on ext_ip1, then when the internal host sends traffic to the intranet it should be translated to the same ext_ip1.

Similarly, when internet users access the internal host on ext_ip2, when the internal host sends traffic to the internet it should always be NATted to ext_ip2.

This is generally what happens in Cisco and NetScreen.

Since the static configuration in Cisco is symmetric, we do not need 4 rules like we needed out here in Check Point.

Guys, is the above requirement possible using manual static NAT?

Waiting for your reply, buddies.

Thanks a lot.

regards

sebastan