CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Question on managing a Checkpoint 1120 behind a NAT Gateway

  1. #1
    Question on managing a Checkpoint 1120 behind a NAT Gateway

    Hi All,

    I have a situation where we have a Checkpoint 1120 behind a DSL modem. This modem does NAT; however, we did set it to forward all ports to the internal Check Point. I can initiate SIC from the SMS server and it comes back trusted; however, the firewall itself is showing it is in pending state.

    I am trying to figure out if there is a more elegant way to do this without doing multiple NAT instances in front of the gateway.

    Anyone know of a good way to do this?

    FYI, I suspect the issue is with the 1120 sending its external IP, which is a non-routable NAT'd interface, along with the connection; this is causing the management server to either discard the packet or ignore it. Please correct me if I am wrong.

    Thanks

  2. #2
    Re: Question on managing a Checkpoint 1120 behind a NAT Gateway

    Quote Originally Posted by blittrell View Post
    I am trying to figure out if there is a more elegant way to do this without doing multiple NAT instances in front of the gateway.

    FYI, I suspect the issue is with the 1120 sending its external IP, which is a non-routable NAT'd interface, along with the connection; this is causing the management server to either discard the packet or ignore it. Please correct me if I am wrong.
    Well, there's just the one NAT (the port forwarding), right?

    I think you can do it, particularly if it's not a dynamic-IP DSL modem. For the gateway object you'd use the DSL IP. For the topology you'd use the internal non-routable addresses. For IPSec VPN - Link Selection, you'd pick "Statically NATed IP" and then use the DSL modem address.

    My concern would be the DSL router filtering out the IPSec traffic inadvertently.

    HTH
    It's all in the documentation.

  3. #3
    Re: Question on managing a Checkpoint 1120 behind a NAT Gateway

    I was hoping that would be the case, but I do not think it is. The gateway IP is the public address and the topology shows the internal IP; however, I am unable to establish SIC from the remote firewall. I can initiate from the SMS to the gateway but not from the gateway to the SMS. So the SMS is saying it is trusted, but the firewall is showing that it is pending.

    I suspect the SIC negotiation encapsulates the WAN IP in the packets, and when the SMS gets those packets it looks into the packet, sees that the interface it came from does not match the public IP, and drops it. Does that make sense, or do I have this thing all wrong?

    Thanks

  4. #4
    Re: Question on managing a Checkpoint 1120 behind a NAT Gateway

    I would look at the docs for the Internet modem. I would check it to see if there is a way to change the configuration to bridge mode instead of router mode. If you don't have docs, I would call the ISP that provisioned the modem. I think this is a pretty basic feature, so I'm thinking it should be very possible. In bridge mode the edge should get the Internet IP, and then you don't need to do any NATing / port forwarding.
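One quick check worth running before touching Link Selection or the modem: confirm from the management server that the DSL modem's port forward actually delivers the SIC-related TCP ports to the 1120. The script below is an added example, not code from any of the posters or from Check Point. The port numbers are Check Point's well-known service ports (18211 FW1_ica_push for SIC initialization pushed from the SMS, 18191 CPD for policy install, 18192 CPD_amon for monitoring); the target address 192.0.2.10 is a made-up stand-in for the modem's public IP, and the `connect` hook exists only so the logic can be exercised offline.

```python
"""Probe the TCP ports a Check Point management server opens toward a gateway.

Added example (not from the thread). The target IP is a constructed
placeholder; the ``connect`` parameter is an injection point so the probe
logic can be tested without a network.
"""
import socket
import sys
from typing import Callable, Dict, Iterable, List

# Well-known Check Point service ports that the SMS initiates TOWARD the
# gateway. These are the ones a NAT device in front of the gateway must
# forward. (Gateway-initiated ports such as 18210 FW1_ica_pull and 257
# FW1_log go SMS-bound and do not need an inbound forward.)
SMS_TO_GATEWAY_PORTS: Dict[int, str] = {
    18211: "FW1_ica_push (cpd) - SIC initialization pushed from the SMS",
    18191: "CPD - policy install and SIC-protected management traffic",
    18192: "CPD_amon - status monitoring",
}


def tcp_connects(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a full TCP handshake completes to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_ports(
    host: str,
    ports: Iterable[int] = SMS_TO_GATEWAY_PORTS,
    connect: Callable[[str, int], bool] = tcp_connects,
) -> Dict[int, bool]:
    """Map each port to whether a TCP connection to host:port succeeded."""
    return {port: connect(host, port) for port in ports}


def missing_forwards(results: Dict[int, bool]) -> List[int]:
    """Ports that did not answer; on a NATed gateway these are the
    forwards (or modem filters) to look at first."""
    return sorted(port for port, ok in results.items() if not ok)


def report(host: str, results: Dict[int, bool]) -> List[str]:
    """Human-readable lines, one per probed port."""
    lines = []
    for port, ok in sorted(results.items()):
        state = "reachable" if ok else "NOT reachable"
        desc = SMS_TO_GATEWAY_PORTS.get(port, "")
        lines.append(f"{host}:{port} {state}  {desc}")
    return lines


if __name__ == "__main__":
    # Constructed placeholder address (TEST-NET-1); pass the real public IP
    # of the DSL modem as the first argument when running from the SMS.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    results = probe_ports(target)
    print("\n".join(report(target, results)))
    gaps = missing_forwards(results)
    if gaps:
        print(f"Check the modem's port forwards / filters for: {gaps}")
```

Run it from the management server against the modem's public address. A port that connects from the SMS but still leaves SIC pending on the gateway points away from the forward itself and toward the object/topology configuration; a port that does not connect points at the modem, which is also where the concern about the modem filtering IPSec would show up.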
