CPUG: The Check Point User Group


Thread: Gateway as a Proxy - NAT Hiding Address Selection

  1. #1 by sshaw (New Zealand): Gateway as a Proxy - NAT Hiding Address Selection

    I am running a Gateway Cluster as an HTTP/HTTPs Proxy in Non-Transparent Mode.
    On this gateway cluster, we have an external interface and another interface that connects to a DMZ (plus multiple internal interfaces / sync / etc).

    Historically we ran separate Proxy Servers on the inside (Trend Micro).
    We NATted these connections outbound to a fixed IP address in our DMZ range.
    The idea being that if we changed Internet providers or were forced to change external IPs, we would not have to change the hiding address (as it comes from within our own DMZ range).

    With multiple companies that we interact with, they now expect our clients to come from our fixed DMZ hiding address.
    And they filter out all others attempting to reach their dedicated portals or EDI interfaces, etc.
    Since activating the HTTP/HTTPS Proxy, I see that we are exiting the firewall using the External IP address - not our DMZ hiding address.

    Luckily I still have the internal Trend Micro Proxy Servers to maintain operations - for now.
    I am faced with having to identify and contact each one, to advise of an additional valid external IP address.

    Is there any way to change this operation?

    This is an HA Cluster, running Gaia R77.30 Take 286 (Open Servers).

    Cheers,
    Steve

  2. #2 Re: Gateway as a Proxy - NAT Hiding Address Selection

    When using the Proxy you make a connection to the Gateway; the gateway then makes a new connection from itself to the end destination on the Internet.

    As such the traffic won't match rules where the Source is the Internal Networks etc., as it won't be that Source.

    Do you need to use the Firewall as a Proxy, as in, is it not the Default Route out of the Network?

  3. #3 (http://spikefishsolutions.com) Re: Gateway as a Proxy - NAT Hiding Address Selection

    Quote Originally Posted by sshaw (post #1, quoted in full above)
    Sounds like a hide NAT rule might work. I'm not sure if there are cases where your VIP needs to be used elsewhere, but for example this would only change your src NAT for given services (untested).

    nat rule 1:
    original
    src: firewall1_External_IP
    dst: any
    service: http,https,etc

    translated
    src: Old_Proxy_IP
    dst: original
    service: original


    nat rule 2:
    original
    src: firewall2_External_IP
    dst: any
    service: http,https,etc

    translated
    src: Old_Proxy_IP
    dst: original
    service: original

    Kind of feels hackish though. Another option would be to get a new firewall to be the proxy server, but that's spendy foldies talk.

  4. #4 (Netherlands, Europe) Re: Gateway as a Proxy - NAT Hiding Address Selection

    Don't forget you also need 1 more NAT rule for the cluster IP as well.
    Next to that, ALL traffic from the gateway itself will also be hidden behind the hide address, i.e. when you send SNMP traps through the external IP.
    Regards, Maarten.
    Triple MDS on R77.30, MDS on R80.10, VSX, GAIA.

  5. #5 (http://spikefishsolutions.com) Re: Gateway as a Proxy - NAT Hiding Address Selection

    I was thinking you wouldn't need the VIP since the connection starts from the firewall node and would match a cluster fold. I also said to use services so other things wouldn't be hijacked. Also. Also also (so many). NAT rules assume a node object, not the firewall object.

    Again, all untested, so keep that in mind.
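The hide-NAT approach discussed in posts #3 to #5 (manual rules keyed on the gateway's own external addresses, one per member and, per Maarten, one for the cluster IP, scoped to the proxy services so that other gateway-originated traffic such as SNMP traps is not rewritten) can be sanity-checked with a small first-match NAT evaluator. This is an added example written for this page, not Check Point code or SmartDashboard output. All addresses are constructed placeholders from the RFC 5737 documentation ranges, and the service names are plain labels, not Check Point service objects.

```python
"""Toy first-match hide-NAT evaluator (added example, not Check Point code).

Models the rules proposed in the thread: connections the proxy gateway
originates from its own external address get their source rewritten to
the fixed DMZ hide address the partners allow-list.
"""
from __future__ import annotations

from dataclasses import dataclass

ANY = "any"

# Constructed placeholder addresses (RFC 5737 documentation ranges).
FW1_EXTERNAL = "203.0.113.11"   # firewall1_External_IP in the thread
FW2_EXTERNAL = "203.0.113.12"   # firewall2_External_IP
CLUSTER_VIP = "203.0.113.10"    # cluster virtual IP (the extra rule from post #4)
OLD_PROXY_IP = "198.51.100.5"   # Old_Proxy_IP: the fixed DMZ hide address
PARTNER = "192.0.2.80"          # a partner portal / EDI host (constructed)
NMS = "192.0.2.161"             # an SNMP manager reached via the external IP

WEB = frozenset({"http", "https"})


@dataclass(frozen=True)
class NatRule:
    orig_src: frozenset[str] | str   # set of source IPs, or ANY
    orig_dst: frozenset[str] | str   # set of destination IPs, or ANY
    services: frozenset[str] | str   # set of service names, or ANY
    translated_src: str              # hide address; dst and service stay "original"

    def matches(self, src: str, dst: str, service: str) -> bool:
        def hit(field, value):
            return field == ANY or value in field
        return (hit(self.orig_src, src) and hit(self.orig_dst, dst)
                and hit(self.services, service))


def egress_source(rules: list[NatRule], src: str, dst: str, service: str) -> str:
    """Source IP the remote side sees: first matching rule wins,
    and with no match the connection leaves untranslated."""
    for rule in rules:
        if rule.matches(src, dst, service):
            return rule.translated_src
    return src


def proposed_rules(include_vip: bool = False, service_scoped: bool = True) -> list[NatRule]:
    """Rule base from post #3 (one rule per member), optionally with the
    cluster-IP rule from post #4, optionally with services set to ANY."""
    services = WEB if service_scoped else ANY
    sources = [FW1_EXTERNAL, FW2_EXTERNAL] + ([CLUSTER_VIP] if include_vip else [])
    return [NatRule(frozenset({s}), ANY, services, OLD_PROXY_IP) for s in sources]


def partner_accepts(src: str) -> bool:
    """Partner-side filter: only the long-standing DMZ hide address is allowed."""
    return src == OLD_PROXY_IP


def scenarios() -> dict[str, str]:
    """Egress source for each situation raised in the thread."""
    two_member = proposed_rules()
    with_vip = proposed_rules(include_vip=True)
    unscoped = proposed_rules(service_scoped=False)
    return {
        "member1 https, two member rules": egress_source(two_member, FW1_EXTERNAL, PARTNER, "https"),
        "cluster VIP https, two member rules": egress_source(two_member, CLUSTER_VIP, PARTNER, "https"),
        "cluster VIP https, with VIP rule": egress_source(with_vip, CLUSTER_VIP, PARTNER, "https"),
        "member1 snmp-trap, service-scoped": egress_source(two_member, FW1_EXTERNAL, NMS, "snmp-trap"),
        "member1 snmp-trap, services=any": egress_source(unscoped, FW1_EXTERNAL, NMS, "snmp-trap"),
    }


if __name__ == "__main__":
    for name, seen in scenarios().items():
        verdict = "accepted" if partner_accepts(seen) else "filtered"
        print(f"{name:40s} -> {seen:15s} ({verdict} by partner allow-list)")
```

Running it shows the two caveats from posts #4 and #5 side by side: with only the two member rules, a connection sourced from the cluster VIP still leaves with the VIP and is filtered by the partner, and with the services column set to any, SNMP traps from the member are hidden behind the proxy address as well, which is why the proposal scopes the rules to http/https.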
