
Firewall-on-a-stick (with NAT)?



Kenny_NL
2007-12-04, 05:16
Would it be possible to use the firewall merely as a routing/NATting device, with policy rules to regulate traffic?

The problem is this:
We have a firewall cluster with one subnet to connect partner networks. This subnet is divided into private VLANs on the (Cisco) access switches. We want to connect a new partner (partnerA) to give it access to a server. The problem is that this server is still located at partnerB, and NAT has to be used. This server will be at our location in the near future and then this issue will be resolved, but in the meantime we're kinda stuck with this.

The NATting will be done by the firewalls (R55), and it also has to route the packets. With this setup, there is only one interface used (the external one), because of the private VLAN-setup.

Does Checkpoint have the ability to do this, or would it be easier to connect PartnerA to a separate interface during this transition-period?

Any help would be appreciated...

mcnallym
2007-12-04, 10:22
You need to go through one interface and out the other to apply the security policy.

This could be a VLANned interface with the sub-interfaces, as Check Point treats these as separate interfaces, each VLAN having its own IP address. Whilst they are physically one interface, Check Point sees each VLAN as a separate interface, so you no longer have just one interface.

However you could not have one interface with 1 IP address and that being the total interfaces and IP addresses.
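To make the point above concrete, here is a small model of the "one physical interface, several logical ones" design: a trunk carrying two 802.1Q VLANs gives the firewall a distinct logical ingress and egress, and a static destination NAT rewrites the address partnerA uses into the server's real address at partnerB before the rulebase is consulted. This is an added illustration, not code from the thread or from Check Point; the addressing plan, interface names, NAT mapping and rulebase are all constructed, and the model assumes NAT is applied before the routing lookup.

```python
"""Toy model of a firewall-on-a-stick: VLAN sub-interfaces, static NAT, policy.

Constructed example; the VLAN ids, sub-interface names, subnets and rules are
assumptions chosen for illustration only.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

# One physical interface (eth0) carrying two tagged VLANs.  Each entry becomes a
# separate logical interface with its own subnet.
VLAN_PLAN: List[Tuple[int, str, str]] = [
    (101, "eth0.101", "10.10.1.0/24"),  # partnerA
    (102, "eth0.102", "10.10.2.0/24"),  # partnerB (server lives here for now)
]

# Static destination NAT: partnerA sends to an address we control; the firewall
# rewrites it to the server's real address behind the partnerB VLAN.
STATIC_DST_NAT: Dict[str, str] = {"10.10.9.10": "10.10.2.10"}

# Rulebase evaluated on the translated destination: (source net, dest host, action).
POLICY: List[Tuple[str, str, str]] = [
    ("10.10.1.0/24", "10.10.2.10", "accept"),
]


@dataclass(frozen=True)
class Subinterface:
    name: str
    vlan_id: int
    network: IPv4Network


def build_interfaces(plan: List[Tuple[int, str, str]]) -> Dict[str, Subinterface]:
    """Turn the VLAN plan into logical interfaces, rejecting overlaps and
    a plan that leaves the firewall with a single interface."""
    ifaces: Dict[str, Subinterface] = {}
    seen_vlans = set()
    for vlan_id, name, cidr in plan:
        net = IPv4Network(cidr)
        if vlan_id in seen_vlans:
            raise ValueError(f"duplicate VLAN id {vlan_id}")
        if any(net.overlaps(i.network) for i in ifaces.values()):
            raise ValueError(f"subnet {cidr} overlaps an existing sub-interface")
        seen_vlans.add(vlan_id)
        ifaces[name] = Subinterface(name, vlan_id, net)
    if len(ifaces) < 2:
        raise ValueError("need at least two logical interfaces for an in/out policy")
    return ifaces


def lookup_interface(ifaces: Dict[str, Subinterface], ip: str) -> Optional[Subinterface]:
    """Connected-route lookup: which sub-interface owns this address?"""
    addr = IPv4Address(ip)
    for iface in ifaces.values():
        if addr in iface.network:
            return iface
    return None


def forward(ifaces: Dict[str, Subinterface], src: str, dst: str) -> Dict[str, str]:
    """Describe what the firewall does with a packet src -> dst."""
    ingress = lookup_interface(ifaces, src)
    if ingress is None:
        # Source does not belong to any connected VLAN: anti-spoofing drop.
        return {"action": "drop", "reason": "unknown ingress (anti-spoofing)"}
    real_dst = STATIC_DST_NAT.get(dst, dst)   # destination NAT before routing
    egress = lookup_interface(ifaces, real_dst)
    if egress is None:
        return {"action": "drop", "reason": "no route", "ingress": ingress.name}
    for src_net, dst_host, action in POLICY:
        if IPv4Address(src) in IPv4Network(src_net) and real_dst == dst_host:
            return {"action": action, "ingress": ingress.name,
                    "egress": egress.name, "translated_dst": real_dst}
    # Implicit cleanup rule: anything not explicitly accepted is dropped.
    return {"action": "drop", "reason": "cleanup rule",
            "ingress": ingress.name, "egress": egress.name}


if __name__ == "__main__":
    ifaces = build_interfaces(VLAN_PLAN)
    print(forward(ifaces, "10.10.1.50", "10.10.9.10"))  # partnerA -> server via NAT
    print(forward(ifaces, "10.10.2.10", "10.10.1.50"))  # server -> partnerA, no rule
```

The interesting property is in `forward`: the partnerA flow enters on `eth0.101` and leaves on `eth0.102`, so there is a real ingress/egress pair for the rulebase even though both VLANs ride the same physical port, whereas the reverse direction (server initiating towards partnerA) hits the cleanup rule. PartnerA must of course have a route for the NAT address pointing at the firewall's VLAN 101 address; that routing detail is outside the model.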