
NAT problem


Barbahrooba

Technical User
Oct 23, 2002
Let me illustrate the scenario a bit.

I have a computer with Check Point installed and 2 NICS. (1 NIC with the legal ip address from my ISP and the other ip address for my internal LAN). I'm using a DSL modem and getting a dynamically assigned IP address from my provider.

I have a connection running from the DSL modem to the NIC card that has the IP address given to me by the ISP. I have the other connection running from the 2nd NIC to a switch. My other computer is also connected to the switch. I put the legal IP's address in the gateway and can ping the other computer's internal address but not the legal IP.

My Check Point rule base is simple with the following rules:

1) Stealth rule dropping any packets coming into the firewall from the outside
2) Allow all traffic within the internal LAN
3) Cleanup rule to explicitly drop all other traffic

I've verified this rule base and installed it with no errors.

I still can't figure out though why I can't get to the internet on the 2nd computer.

Any ideas?

Also, I'm not sure if I have the IP settings correct on my 2 computers. The computer that has 2 NICS and is running Firewall-1 has a configuration similar to this:



COMPUTER #1 (Check Point)

NIC# 1

IP Address: 151.204.137.42
Subnet Mask: 255.255.0.0
Gateway: 151.204.137.42

PPP ADAPTER

IP Address 151.204.137.42
Subnet Mask 255.255.0.0
Gateway 151.204.137.42

NIC# 2

IP Address 192.168.129.5
Subnet Mask 255.255.255.0
Gateway 192.168.129.5

COMPUTER #2

NIC

IP: 192.168.129.3
Subnet: 255.255.255.0
Gateway: 192.168.129.5



I can ping to and from the 2nd computer but can't get to the internet.
Do I need a 2nd valid ip for this setup to work? I'm pretty sure my very short rule base is correct. Any ideas? Thanks in advance!

Signed,
Lost in Check Point land

barbahrooba@hotmail.com
 
I was browsing through the previous Check Point posts and came across this one that seems very similar to my problem. I"m just not clear on what he did to solve his problem? Removed the gateway? ...WHY?

thread32-8000
 
a couple of things wrong
first the second nic doesn't need a gateway (and definitely not itself)

i don't know what platform it is running on but IP forwarding needs to be enabled on Windows systems.

for the internal network a NAT needs to be set up to give it an external IP address.

this can be done on the network object
select NAT and if you only have one valid IP address use hide behind gateway address

A rule needs to be set up for internet traffic
internal network - any - http,https,....... - accept

looking at the logs will tell you what other ports are required for your particular access (i strongly advise not using any for the service as this allows communication on any port and gives no defence against trojans)
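To make the two pieces of advice above concrete (a hide NAT behind the gateway's address, and a rule base with the stealth rule first, an internal-to-internet rule limited to http/https, and a cleanup rule last), here is an added Python model of how such a rule base and hide NAT interact. It is example code written for this thread, not Check Point's own logic or the poster's configuration; the addresses come from the thread, while the hide-port range, the 198.51.100.10 web server, and the "connection table accepts known replies" simplification are constructed assumptions.

```python
# Added example: simplified first-match rule base with hide NAT (not Check Point code).
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional, Set

INTERNAL_NET = ipaddress.ip_network("192.168.129.0/24")       # internal LAN from the thread
EXTERNAL_IP = ipaddress.ip_address("151.204.137.42")           # firewall's ISP-assigned address from the thread
INTERNAL_IP = ipaddress.ip_address("192.168.129.5")            # firewall's internal NIC from the thread
HIDE_PORT_BASE = 10000                                         # assumption: first source port used for hide NAT


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL_NET


def is_firewall(ip: str) -> bool:
    return ipaddress.ip_address(ip) in (EXTERNAL_IP, INTERNAL_IP)


def any_host(ip: str) -> bool:
    return True


# (name, src matcher, dst matcher, allowed dst ports or None for any, action), evaluated top-down, first match wins
RULES = [
    ("stealth", any_host, is_firewall, None, "drop"),          # nothing may talk to the firewall itself
    ("internal-to-internal", is_internal, is_internal, None, "accept"),
    ("internal-to-internet", is_internal, any_host, {80, 443}, "accept"),  # http, https only, not "any"
    ("cleanup", any_host, any_host, None, "drop"),             # explicit drop for everything else
]


def match_rule(pkt: Packet):
    """Return (rule name, action) of the first rule that matches the packet."""
    for name, src_ok, dst_ok, ports, action in RULES:
        if src_ok(pkt.src) and dst_ok(pkt.dst) and (ports is None or pkt.dport in ports):
            return name, action
    return "implicit-drop", "drop"


class HideNat:
    """Hide every internal host behind the firewall's external address using per-connection source ports."""

    def __init__(self):
        self.next_port = HIDE_PORT_BASE
        self.table = {}  # hide port -> (original src ip, original src port)

    def outbound(self, pkt: Packet):
        """Apply the rule base, then translate accepted internal-to-outside traffic."""
        name, action = match_rule(pkt)
        if action != "accept":
            return name, action, None
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            port = self.next_port
            self.next_port += 1
            self.table[port] = (pkt.src, pkt.sport)
            return name, action, Packet(str(EXTERNAL_IP), pkt.dst, port, pkt.dport)
        return name, action, pkt  # internal-to-internal traffic is not translated

    def inbound(self, pkt: Packet):
        """Replies to translated connections are un-hidden and accepted; anything else hits the rule base."""
        orig = self.table.get(pkt.dport)
        if orig is not None and pkt.dst == str(EXTERNAL_IP):
            # assumption: the connection table recognises the reply, so the stealth rule is not consulted
            return "established", "accept", Packet(pkt.src, orig[0], pkt.sport, orig[1])
        name, action = match_rule(pkt)
        return name, action, None


def demo():
    nat = HideNat()
    web = nat.outbound(Packet("192.168.129.3", "198.51.100.10", 34567, 80))     # constructed web request
    smtp = nat.outbound(Packet("192.168.129.3", "198.51.100.10", 34568, 25))    # not in the service list
    reply = nat.inbound(Packet("198.51.100.10", str(EXTERNAL_IP), 80, web[2].sport))
    probe = nat.inbound(Packet("198.51.100.10", str(EXTERNAL_IP), 4444, 80))   # unsolicited, hits stealth rule
    return web, smtp, reply, probe


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The SMTP request in `demo()` shows why "any" is a poor choice for the service column: with http/https listed explicitly, port 25 falls through to the cleanup rule and appears in the log, which is exactly the feedback the reply above suggests using to add ports one at a time.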
 
thanks for the response.

I took out the gateway on the internal NIC configuration and I've enabled IP routing from the check box in TCP/IP properties (I'm running NT 4.0). Still nothing.


IF I have 2 NICS in a computer running Firewall-1, 1 NIC has the ip address of the internal LAN empty gateway. What should the IP address and gateway of the 2nd NIC that's directly connected to the cable or DSL modem be?

This is a sample of my configuration.

NIC #1 (internal)

IP: 192.168.129.1
Subnet: 255.255.255.0
Gateway:



PPP WAN Adapter

IP: 152.204.53.132
Subnet: 255.255.0.0
Gateway 152.204.53.132


NIC #2 (external)

IP: ???
Subnet: ???
Gateway: ???



-Calvin
barbahrooba@hotmail.com
 
i am not sure of the purpose of the PPP wan adapter as it isn't needed here (i think, someone correct me if i am wrong)

the external LAN connection should have the valid IP address you were given by your ISP and the DSL router's IP address as its gateway
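The configuration advice in this thread boils down to a few checks: only the external interface carries a default gateway, that gateway is the ISP router rather than the interface's own address, it lies inside the interface's subnet, and the two NICs sit on different subnets. The following is an added Python checker (not part of the thread, not Check Point's tooling) that runs those checks over the poster's first configuration and over a corrected one; the `151.204.0.1` router address in the corrected config is a placeholder, since the real gateway is exactly what the thread is trying to find.

```python
# Added example: sanity checks for a two-NIC firewall host's IP settings (constructed, not vendor code).
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Interface:
    name: str
    ip: str
    mask: str
    gateway: Optional[str] = None   # None models a "Gateway:" field left empty
    role: str = "internal"          # "internal" or "external"


def check_config(interfaces: List[Interface]) -> List[str]:
    """Return a list of findings; an empty list means the settings pass all checks."""
    findings = []
    nets = {}
    gateways = 0
    for i in interfaces:
        net = ipaddress.ip_interface(f"{i.ip}/{i.mask}").network
        nets[i.name] = net
        if i.gateway:
            gateways += 1
            gw = ipaddress.ip_address(i.gateway)
            if gw == ipaddress.ip_address(i.ip):
                findings.append(f"{i.name}: gateway is the interface's own address")
            elif gw not in net:
                findings.append(f"{i.name}: gateway {gw} is not inside {net}")
            if i.role == "internal":
                findings.append(f"{i.name}: internal interface should have no default gateway")
        elif i.role == "external":
            findings.append(f"{i.name}: external interface needs the ISP router as its gateway")
    if gateways > 1:
        findings.append("more than one default gateway configured on the same host")
    names = list(nets)
    for a in range(len(names)):
        for b in range(a + 1, len(names)):
            if nets[names[a]].overlaps(nets[names[b]]):
                findings.append(f"{names[a]} and {names[b]} are on overlapping subnets")
    return findings


# The poster's first configuration, as given in the thread
ORIGINAL = [
    Interface("NIC1 (external)", "151.204.137.42", "255.255.0.0", "151.204.137.42", "external"),
    Interface("NIC2 (internal)", "192.168.129.5", "255.255.255.0", "192.168.129.5", "internal"),
]

# Corrected per the replies; "151.204.0.1" is a placeholder for the ISP router's real address
CORRECTED = [
    Interface("NIC1 (external)", "151.204.137.42", "255.255.0.0", "151.204.0.1", "external"),
    Interface("NIC2 (internal)", "192.168.129.5", "255.255.255.0", None, "internal"),
]


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(label, check_config(cfg) or ["ok"])
```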
 
THAT is the million dollar question. When I connect my computer to my DSL modem how do I know what my "valid IP address" is if it's not the info from the PPP WAN Adapter area when I do an 'ipconfig /all' ?

My scenario is the same as seen on page 299 of the 'Essential Check Point Firewall-1' book (minus mail/web server).

Thanks for the response!
 
this is cheating :) and a little naughty but if you can download a utility called GFI LANguard network scanner (It's for Windows) from then load it onto a machine connected to the same hub as the router then scan for all machines in the same address range. 152.204.53.0 - 152.204.53.255 (i know your subnet mask is 255.255.0.0 but hopefully the router will be in this range) if not you could always ask the supplier of the DSL link for its IP address
 
I have been dealing with this dilemma for almost a year. I wish I had an answer for you as well. I wound up going to W2K and doing some serious configuration changes. If you have any luck, please let me know. I have come to the conclusion that this client is a complete IT manager's nightmare! Just say NO to Securemote!
 
I did try to call up my provider (Verizon) and try to get their router's ip address so I can add it to the settings as my default gateway. However, they claimed they wouldn't know the ip address of that particular router I'm connecting to because everything is dynamic. Are they blowin' smoke up my butt or should I be able to get this information from them?

Thanks Piloria...I'll look into that.
 
Hi Barbahrooba,

It seems there is no serious problem. All you have to do is check for this ...


Actually your external interface is not an Ethernet card. Because you are using DSL modem connection. So, the External Interface of your firewall is PPP Adapter which is the Serial port.

Then when you are going to use the serial as your external interface there is no need for an external interface ethernet card. Only one ethernet card is needed as the internal interface.

External Interface (PPP): 150.xx.xx.xx
Internal Interface (Ethernet): 192.xx.xx.xx

Here you have to note that your external interface ip address is dynamic and it gets changed at every new connection. So, ensure the ip address at the ext int and in the Workstation properties of a host or Network properties of the internal network click on the NAT and give the Valid ip address in hide mode.

Note: If you are providing the ext int ip address for hide mode natting the stealth rule any to the firewall should not be there, because the reply for your request will be dropped in the firewall ext int.

I think this can help you.

Regards,

P.Nagaraj
 
If I did this...where would I connect the cat 5 cable that's connected from my DSL modem? Currently it's connected from the DSL modem to the external nic on the firewall computer.
 