Question on managing a Checkpoint 1120 behind a NAT Gateway

**blittrell** · 2014-05-21

Hi All,

I have a situation where we have a Checkpoint 1120 behind a DSL modem, this modem does NAT however we did set it to forward all ports to the Internal checkpoint. I can initiate SIC from the SMS server and it comes back trusted however the firewall itself is showing it is in pending state.

I am trying to figure out if there is a more elegant way to do this without doing multiple NAT instances in front of the gateway.

Anyone know of a good way to do this?

FYI, I suspect the issue is with the 1120 sending it's external IP with is a non-routable NAT'd interface along with the connection, this is causing the management server to either discard the packet or ignore it, please correct me if I am wrong.

Thanks

**melipla** · 2014-05-21

Originally Posted by blittrell

I am trying to figure out if there is a more elegant way to do this without doing multiple NAT instances in front of the gateway.

FYI, I suspect the issue is with the 1120 sending it's external IP with is a non-routable NAT'd interface along with the connection, this is causing the management server to either discard the packet or ignore it, please correct me if I am wrong.

Well there's just the one NAT (the port forwarding), right?

I think you can do it, particularly if it's not a Dynamic IP DSL modem. For the gateway object you'd use the DSL IP. For the topology you'd use the internal non routable addresses. For the IPSec VPN - Link Selection, you'd pick STatically NATed IP and then use the DSL modem address.

My concern would be the DSL router filtering out the IPSec traffic inadvertently.

HTH

**blittrell** · 2014-05-22

I was hoping that would be the case but I do not think it is. The gateway IP is the public address and the topology shows the internal IP however I am unable to establish SIC from the remote firewall, I can initiate from the SMS to the gateway but not from the gateway to the SMS. So the SMS is saying it is trusted but the firewall is showing that it is pending.

I suspect the SIC negotiation encapsulates the WAN IP in the packets and when the SMS gets those packets it is looking into the packet, sees the interface it came from does not match the public IP and drops it. Does that make sense or do I have this thing all wrong?

thanks

**jflemingeds** · 2014-05-22

I would look at the docs for the inet modem. I would check it to see if there is a way to change the configuration to bridge mode instead of router mode. If you don't have docs i would call the ISP that provisioned the modem. I think this is a pretty basic feature so i'm thinking it should be very possible. In bridge mode the edge should get the Inet IP and then you don't need to do any nating / port forwarding.