How to use checkpoint to NAT or PAT 1

mdwu

Technical User
Jul 17, 2003
98
US
I am very, very new to Checkpoint. Please provide help. This is how it's set up.

Public Ip address 209.10.10.5
Internal Ip of FW 10.0.0.1

Router A, which interconnects the FW subnet and the interior subnet; its IP is 10.0.0.2

Router B, which is the router that separates the internal network

Can I set up the FW to forward the proper services to the proper server in the 192.168.x.x network? For example, my Exchange mail server is 192.168.0.5. How does Checkpoint know where to forward to, and how do I set this up? Do I need to configure a static route table at Router A or at the firewall?
Thanks.

209.10.10.5
Checkpoint NG FW
Int. IP 10.0.0.1
|
|
Router A (10.0.0.2) |
|
|
Ext. IP 10.0.0.3
Router B
Internal Network (192.168.0.x)
 
(Not sure why you have Router A with an internal and external address on the same network.)

You will need a static route to the 192.168.0.0 network on the firewall pointing at Router B (depending on why Router A is there).

 
Thanks Piloria.

My drawing did not show it... sorry.
Our original company got bought out, so we are merging to the new company's network. We use 192.168.x.x and they use 10.x.x.x. For technical reasons, we cannot use 10.0.0.0, so we have to keep the 192.168.x.x range.

Router A is actually a router for their subnet, and the reason for it is that my corp company doesn't route the 192.168.x.x range.

So on the firewall, I will have to create a static route pointing to the 10.0.0.3 interface. What about the rule? How do I set the rule to allow email server services (SMTP) and Windows Terminal Server services, which require port 3389?

Thanks.
 
You will need to set up two network objects, one for each of the two networks.
You will need an object for the mail server. I am assuming you are wanting this to accept incoming external email.
If so, you will need an external IP address for the mail server. Then, in the mail server object you create:
Host - Node
Network address - internal IP
NAT type - Static (use external IP address)

Then create a rule that is:
Source - Any
Destination - Mail Server
Service - SMTP
Action - Accept
Track - Log

For the terminal services you will need to create a new service. Call it terminal_services and give it the port number 3389 (TCP service).

I am not sure where you are wanting to create access to terminal services from, so I can't specify the source address(es), but set it up like the last rule.
 
Thanks Piloria... you are awesome.
Please confirm if this is right...

Let's say my public IP for my mail server is 209.10.10.10 and the internal is 192.168.1.5.

Then on the FW, do I create the rule and static route to point to 192.168.1.5, or do I make it point to 10.x.x.x, which eventually points to 192.168.1.5?

Thanks,
 
Let me know what platform you are using for the firewall.

You need to create a static route on the firewall for the network 192.168.x.x. This should point at the router that is visible to the firewall as its next hop (I assume that is Router A; I am still not entirely sure what Router A's external interface IP is, as it only has one IP shown on your diagram).

On the firewall:
the mail server object will have the 192.168.1.5 IP address, and in its NAT tab it will have the 209.10.10.10.
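The inbound path Piloria describes (rule base match, static NAT of the public address to the real one, then a static route to the next-hop router rather than to 192.168.1.5 itself) as a small Python model. This is an added example, not code from the thread or from Check Point; the default gateway 209.10.10.1, the rule-matching model (the Mail Server object standing for both its real and public address) and the sample source address 203.0.113.7 are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Addresses are the constructed values from this thread: the mail server's public
# IP 209.10.10.10 maps to its real IP 192.168.1.5, and the firewall reaches the
# 192.168.0.0/16 range through the next-hop router at 10.0.0.3.
STATIC_NAT = {"209.10.10.10": "192.168.1.5"}            # public -> real
REVERSE_NAT = {real: pub for pub, real in STATIC_NAT.items()}

# Firewall routing table: (prefix, next hop); None = directly connected.
# The default gateway 209.10.10.1 is an assumption, not given in the thread.
ROUTES = [
    (ipaddress.ip_network("10.0.0.0/24"), None),
    (ipaddress.ip_network("209.10.10.0/24"), None),
    (ipaddress.ip_network("192.168.0.0/16"), "10.0.0.3"),   # the static route Piloria describes
    (ipaddress.ip_network("0.0.0.0/0"), "209.10.10.1"),
]

# Security rule base as posted: Source Any, Destination Mail Server, Service SMTP, Accept.
# Modelling assumption: with automatic static NAT the "Mail Server" object stands for
# both its real and its public address, so the rule matches either.
MAIL_SERVER = {"192.168.1.5", "209.10.10.10"}
RULES = [
    {"src": "Any", "dst": MAIL_SERVER, "svc": ("tcp", 25), "action": "accept"},
    {"src": "Any", "dst": "Any", "svc": "Any", "action": "drop"},  # cleanup rule
]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def next_hop(dst: str):
    """Longest-prefix match over ROUTES; returns the next hop, 'connected', or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, hop in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    if best is None:
        return None
    return best[1] or "connected"


def _field_matches(field, value) -> bool:
    return field == "Any" or value in field


def match_rule(pkt: Packet):
    """First-match evaluation; returns (rule number, action)."""
    for number, rule in enumerate(RULES, start=1):
        if not _field_matches(rule["src"], pkt.src):
            continue
        if not _field_matches(rule["dst"], pkt.dst):
            continue
        if rule["svc"] != "Any" and rule["svc"] != (pkt.proto, pkt.dport):
            continue
        return number, rule["action"]
    return None, "drop"


def process_inbound(pkt: Packet) -> dict:
    """Inbound packet from the Internet: rule base, then destination NAT, then routing."""
    number, action = match_rule(pkt)
    if action != "accept":
        return {"rule": number, "action": "drop"}
    real_dst = STATIC_NAT.get(pkt.dst, pkt.dst)      # 209.10.10.10 -> 192.168.1.5
    return {
        "rule": number,
        "action": "accept",
        "translated_dst": real_dst,
        "next_hop": next_hop(real_dst),             # 10.0.0.3, the router, not the server
    }


def translate_reply_source(src: str) -> str:
    """A reply from the mail server leaves with its public address as source."""
    return REVERSE_NAT.get(src, src)


if __name__ == "__main__":
    print(process_inbound(Packet("203.0.113.7", "209.10.10.10", "tcp", 25)))
    print(process_inbound(Packet("203.0.113.7", "209.10.10.10", "tcp", 3389)))
    print(translate_reply_source("192.168.1.5"))
```

The point of the route lookup is the answer to the question above: the static route covers the whole 192.168.x.x range and points at the next-hop router, while the NAT mapping is what ties the public address to 192.168.1.5. Port 3389 is dropped here because no terminal_services rule has been added yet.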

 
Thanks Piloria

The Checkpoint is installed on a Windows NT 4.0 server.
Another question that I have: do I need to assign additional IP addresses on the external NIC itself for static NAT to work?

For example, right now the external NIC is assigned 209.10.10.10. Let's say I have the valid IP 209.10.10.11 for my web server and 209.10.10.12 for my email server. Do I need to assign the additional IPs to the NIC in the Windows network card TCP/IP properties, or if I add the static NAT info in Checkpoint, will it automatically recognize and forward appropriately?

Right now, I have set up Router B to NAT the 192.x.x.x subnet, because if I didn't, Checkpoint gives me an error saying something about me trying to spoof, and drops all traffic.

Router A has only 1 NIC card. It does its routing using a static route table.
 
For NAT the firewall handles all that - it listens on any IP addresses that are set up in NAT. You don't need to do anything.

As for NATting the 192.168.x.x, what you can do is set up a network object for the 192.168.x.x network on the firewall and another one for the 10.x.x.x, then create a simple group object for both of the two networks.
In the topology tab of the firewall object, select the internal interface and edit it, then change its topology to
internal - specific - group object (networks)

This will then allow both of the two networks to be valid on that interface.
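The anti-spoofing behaviour behind the error in the previous post, and why the topology change fixes it, as an added Python model (not code from the thread or from Check Point). The two topologies are constructed from the thread's addressing; the sample source 203.0.113.7 is an assumption.

```python
import ipaddress

# Constructed from the thread: the firewall's internal interface sits on the 10.x
# network, while the 192.168.x.x subnet also arrives through it (via Router B).
NET_10 = ipaddress.ip_network("10.0.0.0/8")
NET_192 = ipaddress.ip_network("192.168.0.0/16")

# Topology before the change: the internal interface is only valid for its own network,
# so traffic from 192.168.x.x arriving on it looks spoofed.
TOPOLOGY_BEFORE = {"internal": [NET_10], "external": "external"}
# Topology after the change: "internal - specific - group object (networks)".
TOPOLOGY_AFTER = {"internal": [NET_10, NET_192], "external": "external"}


def is_spoofed(topology: dict, interface: str, src: str) -> bool:
    """Anti-spoofing check: a packet is spoofed if its source address is not valid
    for the interface it arrived on. On the external interface, any address that
    belongs behind an internal interface is spoofed."""
    addr = ipaddress.ip_address(src)
    internal_nets = [net for valid in topology.values() if valid != "external" for net in valid]
    if topology[interface] == "external":
        return any(addr in net for net in internal_nets)
    return not any(addr in net for net in topology[interface])


def verdict(topology: dict, interface: str, src: str) -> str:
    """Human-readable result for a packet with source `src` arriving on `interface`."""
    return "drop: spoofed" if is_spoofed(topology, interface, src) else "pass"


if __name__ == "__main__":
    for topo_name, topo in (("before", TOPOLOGY_BEFORE), ("after", TOPOLOGY_AFTER)):
        print(topo_name, "internal 192.168.0.5:", verdict(topo, "internal", "192.168.0.5"))
        print(topo_name, "external 10.0.0.9:   ", verdict(topo, "external", "10.0.0.9"))
```

NATting at Router B hid the 192.168.x.x sources behind a 10.x address, which is why it silenced the spoofing drops; declaring the group of both networks as valid on the internal interface removes the need for that workaround while keeping the check on the external side intact.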
 
Piloria,

I made the change and this is actually easier, but I still cannot provide external resources.

I added an extra NIC to the FW and gave it the IP address 192.168.1.1. My subnet 192.168.x.x will use the FW as router + FW. So no more Router B.

Now, I followed your method of creating an object and using static NAT. This is the error that I got while trying to access my web server from outside:

FW-1 at firewal1. Failed to connect to the
Any ideas?
 
Can you ping from the firewall to the web server? (Try both internal and NAT IPs.)
When you try to connect to the web server, is the entry in the FW log an accept, and on the correct rule?
 
Thanks Piloria,

As you know, my Windows-based Checkpoint FW has 3 NIC cards:
209.10.10.9 external interface
192.168.1.1 interface
10.0.0.201 interface

My problem now is how to perform 3-way NAT.
See below for the new diagram. I need the 192 subnet to be NATted by 209.10.10.9 when going to the Internet, and I need the 192 subnet to be NATted by 10.0.0.201 when accessing the 10. subnet.

Internet
|
Cisco Router
|
209.10.10.9 (external Interface)
FW
/\
(Interface)10.0.0.201 192.168.1.1(interface)
| |
| |
[3com Switch] {3com switch}
| | | |
RouterA-------| | | |
(10.0.0.2) | | (192.168.x.x subnet)
| |
| |
(10.0.x.x Subnet) |
|
|
|
(10.0.0.7)
Intranet router
|
|
{corp Intranet which comprise)
230.x.x.x
197.x.x.x


*All Routing on the 10. subnet is done by the RouterA static route table.*

Ok, if you can figure this out, you are real Guru Piloria.
FYI
1 - Access from 192.168.x.x to Internet----OK(ping,tracert)
2 - Access from 192.168.x.x to 10.0.x.x----OK(Ping,tracert)
3 - Access from 10.0.x.x to 192.168.x.x ---OK(Ping,tracert)

still having problem with
1 - Access from Internet to 192.168.x.x services (smtp, http, etc)

2 - As you see on the diagram, I have shown another router called the Intranet router. The router routes any traffic for 230.x.x.x and 197.x.x.x, which is the corp intranet. However, the problem is that they do not like the 192.168.x.x range and will not route any traffic initiated from 192.168.x.x; it will only route from 10.0.x.x.

So basically, I need to do a 3-way route. Right now, in the Checkpoint object, when I go from 192.168.x.x, all the IP addresses are NATted to the gateway IP, which is the 209.10.10.9. When I try to create another object to NAT 192.168.x.x using 10.0.0.201, it tells me that another object of the same IP range is already NATted.

Piloria, I need your help... so basically the problems are: 1. To provide internal services to the outside (SMTP, HTTP, HTTPS, etc.)
and
2. To access the Corp Intranet, which doesn't route 192.168. How can I NAT this using 10.0.0.201?

Many thanks.
 
Is there a reason why it doesn't like 192.168.x.x? Or is it a routing problem?
You may find that the intranet router needs a static route for the 192 network. Or does the intranet have a different default gateway?
You may find that, as you have two routers in the 10 network, you will need a static route on both, or just ignore Router A and put on the firewall a static route for the intranet IP ranges pointing at the intranet router, and a static route on it for the 192 range pointing at the firewall.
(If your network traffic takes a different route from the firewall than it takes back again, you may find that the firewall is giving out-of-state errors.)

3-way NAT is not possible (that I know of), so you will need to try and find a way to get the 192 network to access the intranet.
On the network object, do the NAT using your external IP.


 
You may be able to get round 3-way NATting by using manual NAT rules.
I am no expert on these, having only done a few to stop NAT between internal networks.
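How manual NAT rules get round the "one translation per object" limit raised earlier in the thread, as an added Python model that is not code from the thread or from Check Point. It goes a little beyond the last post: an ordered rule base where the translated source depends on the destination, with the static NAT for the mail server included, beside a one-translation-per-object registry that reproduces the "already NATted" conflict. The /8 sizes for the 230.x.x.x and 197.x.x.x intranet ranges, the sample hosts and the omission of port translation in hide NAT are assumptions.

```python
import ipaddress

# Addresses are the ones in the thread; the corp intranet ranges are taken from the
# diagram as /8s, which is an assumption about their exact size.
NET_192 = ipaddress.ip_network("192.168.0.0/16")
NET_10 = ipaddress.ip_network("10.0.0.0/8")
INTRANET = [ipaddress.ip_network("230.0.0.0/8"), ipaddress.ip_network("197.0.0.0/8")]
MAIL_REAL, MAIL_PUBLIC = "192.168.1.5", "209.10.10.10"
EXTERNAL_IP, INTERNAL_10_IP = "209.10.10.9", "10.0.0.201"


def _in(nets, addr: str) -> bool:
    """'Any' matches everything; otherwise the address must fall in one of the networks."""
    if nets == "Any":
        return True
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


# Manual NAT rules, first match wins. Each rule: original src/dst, translated src/dst
# (None = leave unchanged). Order matters: specific destinations before the catch-all,
# and the mail server's static NAT before the hide rule that would otherwise swallow it.
NAT_RULES = [
    # 1. no translation between the two internal networks
    {"osrc": [NET_192], "odst": [NET_10], "xsrc": None, "xdst": None},
    # 2. 192 -> corp intranet: hide behind the firewall's 10.0.0.201 interface
    {"osrc": [NET_192], "odst": INTRANET, "xsrc": INTERNAL_10_IP, "xdst": None},
    # 3. static NAT for the mail server, outbound
    {"osrc": [ipaddress.ip_network(MAIL_REAL + "/32")], "odst": "Any", "xsrc": MAIL_PUBLIC, "xdst": None},
    # 4. static NAT for the mail server, inbound
    {"osrc": "Any", "odst": [ipaddress.ip_network(MAIL_PUBLIC + "/32")], "xsrc": None, "xdst": MAIL_REAL},
    # 5. 192 -> anywhere else (Internet): hide behind the external address
    {"osrc": [NET_192], "odst": "Any", "xsrc": EXTERNAL_IP, "xdst": None},
]


def translate(src: str, dst: str):
    """Return (translated src, translated dst, matching rule number or None).
    Hide NAT would also rewrite the source port; ports are omitted here."""
    for number, rule in enumerate(NAT_RULES, start=1):
        if _in(rule["osrc"], src) and _in(rule["odst"], dst):
            return rule["xsrc"] or src, rule["xdst"] or dst, number
    return src, dst, None


class AutomaticNat:
    """One translation per network object: a second registration for the same
    network is rejected, which is the conflict reported earlier in the thread when
    192.168.x.x was to be NATted a second time via 10.0.0.201."""

    def __init__(self):
        self._by_net = {}

    def register(self, net: ipaddress.IPv4Network, hide_behind: str) -> None:
        if net in self._by_net:
            raise ValueError(f"{net} is already translated to {self._by_net[net]}")
        self._by_net[net] = hide_behind


if __name__ == "__main__":
    for src, dst in (("192.168.1.20", "10.0.0.50"), ("192.168.1.20", "230.1.2.3"),
                     ("192.168.1.20", "203.0.113.7"), ("203.0.113.7", MAIL_PUBLIC)):
        print(src, "->", dst, "becomes", translate(src, dst))
    auto = AutomaticNat()
    auto.register(NET_192, EXTERNAL_IP)
    try:
        auto.register(NET_192, INTERNAL_10_IP)
    except ValueError as err:
        print("automatic NAT:", err)
```

Rule 2 is what the thread is after: the same 192.168.x.x source is hidden behind 10.0.0.201 only when the destination is the intranet, and behind 209.10.10.9 otherwise. Whether the intranet router then accepts the 10.0.0.201 source is still a routing question (it needs a path back to that firewall interface), which is the separate point raised in the previous post.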
 