CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

1. CCSA/CCSE One-Week Dual-Certification Training Course with CPUG in San Francisco!
    Courses Starting 12/8, (2009) 1/19, 2/9, 3/9, 4/6, 5/4, 6/8, 7/6, 8/3.
2. Join Us On LinkedIn - We now have a CPUG group.


Go Back   CPUG: The Check Point User Group > Check Point Firewall-1/VPN-1 And Related Products > VPN's (Virtual Private Networks)
Setting up encryption to agree with NAT topology Setting up encryption to agree with NAT topology
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
 
LinkBack Thread Tools Display Modes
  #1 (permalink)  
Old 2005-08-14
Administrator
  
Join Date: 2005-08-11
Location: San Francisco, CA
Posts: 582
Rep Power: 10
BarryStiefel has disabled reputation
Default Setting up encryption to agree with NAT topology
Setting up encryption to agree with NAT topology



What sort of thing do I need to look out for on system that use both encryption and address translation?



Answer For example, let say I have the following network:



netA --- (le0) firewallA (le1) -- internet --- (le0) firewallB (le1) -- netB netA is illegal: 10.1.1.0 le0: is 10.1.1.1 le1: is 192.91.18.1 netB is legal: 195.8.5.0 le0: 195.8.1.1 le1: 195.8.5.1

on firewallA: address translation
  • static: 10.1.1.2 192.91.18.2
  • hide: 10.1.1.3 to 10.1.1.255 -> 192.91.18.3

With IPSec, you can "tunnel" the private addresses through the VPN. The firewalls will encapsulate the private IP address traffic with the IP address of the firewall, so the Internet will only see traffic between routable addresses. To ensure that doesn't happen, add the following NAT rules above your others:



Source Destination Service NAT Source NAT Destination NAT Service 10.1.1.1 195.8.5.1 any ORIGINAL ORIGINAL ORIGINAL



If that's not possible, you can configure FireWall-1 in this manner.

Encryption Domain On firewallA, encryption domain for firewallA needs to have both:
  • illegal addresses: network 10.1.1.0,
  • and legal addresses: network 192.91.18.0

On firewallB, the encryption domain for firewallA needs to have only the legal addresses 192.91.18.2 and 192.91.182.3.



Encryption Rule on firewallA:

Source Destination Service Action Track Install On 10.1.1.0 195.8.5.0 their-services Encrypt Long Gateways 195.8.5.0 192.91.18.2 & 192.91.18.3 my-services Encrypt Long Gateways



As with any kind of address translation, the inspection module see the packets as the originator of the connection sees it. So for the first rule takes care of outgoing connection and the second rule takes care of incoming connection.

On firewallB, you also need two rules:

Source Destination Service Action Track Install On 192.91.18.2 & 192.91.18.3 195.8.5.0 guest-services Encrypt Long Gateways 195.8.5.0 192.91.18.0 some-services Encrypt Long Gateways



Notes that firewallB only knows about legal adresses.

A General Commment

In general, for a connection from A on netA to B on netB:
  1. packets are encrypted by firewallA
  2. address is translated by firewallA
  3. packets are decrypted by firewallB
  4. returned packets are encrypted by firewallB
  5. returned packets' address is translated by firewallA
  6. returned packets are decrypted by firewallA



-- RobertGraham - 14 Jan 2004

FAQForm FAQs.Class: EncryptionFAQs, NetworkAddressTranslationFAQs FAQs.OS: FAQs.Version:
Reply With Quote
Reply

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are Off
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


All times are GMT -7. The time now is 00:25.

Contact Us - CPUG Home Page - Archive - Top

Powered by vBulletin® Version 3.7.4
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.2.0