Firewall-1

[FW-1] Enable overlapping NAT (one for the experts ;-))

Subject: [FW-1] Enable overlapping NAT (one for the experts ;-))
From: Robby Cauwerts <robby.cauwerts AT GMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 30 Aug 2006 11:09:32 +0200
Hi,

I have the following setup
(notice that LAN A and LAN B have the same network range):

HOST A 192.168.254.50
|
LAN A 192.168.254.0/24    (overlapping NAT range 192.168.249.0/24)
|
|
192.168.254.1(eth1)
ROUTER A
192.168.251.2 (eth2)
|
|
192.168.251.1(eth1)
Check Point FW R60  192.168.252.2 (eth3) ----- to internet router 192.168.252.1
192.168.254.1(eth2)
|
|
LAN B 192.168.254.1
|
HOST B 192.168.254.2      (static NAT to 192.168.250.2)

And the following NAT addresses:
overlapping NAT range for LAN A: 192.168.249.0/24
Static nat for a server on LAN B: 192.168.254.2 <-> 192.168.250.2

Hosts on LAN A need to set up a connection to hosts on LAN B. But as
you can see, LAN A and LAN B have the same network ranges.

Using GuiDBedit I've modified the following parameters for eth1 on the
Check Point FW:
- enable_overlapping_nat -> TRUE
- overlap_nat_dst_ipaddr -> 192.168.254.0
- overlap_nat_netmask -> 255.255.255.0
- overlap_nat_source_ipaddr -> 192.168.249.0

+ a route for 192.168.249.0 to 192.168.251.2 (eth2 ROUTER A) on the
Check Point FW

This is based on a more-or-less similar setup in the R60 Firewall
guide (overlapping NAT section)

So if host 192.168.254.50 on LAN A wants to set up a connection to
192.168.250.2 (static NAT to host 192.168.254.2 on LAN B), the
following should happen on the Check Point FW:


eth1 - before NAT    src addr: 192.168.254.50    dst addr: 192.168.250.2
eth1 - after NAT     src addr: 192.168.249.50    dst addr: 192.168.249.2
packet leaves eth2 to 192.168.249.2

But what I see is:
eth1 - before NAT    src addr: 192.168.254.50    dst addr: 192.168.250.2
eth1 - after NAT     src addr: 192.168.249.50    dst addr: 192.168.240.2
packet leaves eth3 (default gw) to 192.168.249.2

So the modified overlapping NAT parameters for eth1 are working (see
the Xlated src addr), but not the static NAT and the routing.

Does anyone have a similar -working- setup?

With a Cisco router this can be done:
http://www.cisco.com/warp/public/556/3.html
How about Check Point?

Kind Regards.

Robby

