Greetings,

It is possible to do this, and you'll need to NAT both sides of the traffic. Whatever you NAT the addresses behind, you will need to make sure that the firewalls have a route for the address. Basically what you'll set up is a 10 to 10 NAT (both directions NATed). Check Point firewalls look at the source, destination, and encryption domain to determine whether or not a packet needs to be encrypted.

Jason

On 8/30/06, Robby Cauwerts <[EMAIL PROTECTED]> wrote:
Hi,

I have the following setup (notice that LAN A and LAN B have the same network range):

    HOST A 192.168.254.50
       |
    LAN A 192.168.254.0/24 (overlapping NAT range 192.168.249.0/24)
       |
       | 192.168.254.1(eth1)
    ROUTER A
       | 192.168.251.2 (eth2)
       |
       | 192.168.251.1(eth1)
    Check Point FW R60   192.168.252.2 (eth3) ----- to internet router 192.168.252.1
       | 192.168.254.1(eth2)
       |
    LAN B 192.168.254.1
       |
    HOST B 192.168.254.2 (static NAT to 192.168.250.2)

And the following NAT addresses:

overlapping NAT range for LAN A: 192.168.249.0/24
Static NAT for a server on LAN B: 192.168.254.2 <-> 192.168.250.2

Hosts on LAN A need to set up a connection to hosts on LAN B. But as you can see, LAN A and LAN B have the same network ranges.

Using GuiDBedit I've modified the following parameters for eth1 on the Check Point FW:

- enable_overlapping_nat -> TRUE
- overlap_nat_dst_ipaddr -> 192.168.254.0
- overlap_nat_netmask -> 255.255.255.0
- overlap_nat_source_ipaddr -> 192.168.249.0

+ a route for 192.168.249.0 to 192.168.251.2 (eth2 ROUTER A) on the Check Point FW

This is based on a more-or-less similar setup in the R60 Firewall guide (overlapping NAT section).

So if host 192.168.254.50 on LAN A wants to set up a connection to 192.168.250.2 (static NAT to host 192.168.254.2 on LAN B), the following should happen on the Check Point FW:

eth1 - before NAT
    src addr: 192.168.254.50
    dst addr: 192.168.250.2
eth1 - after NAT
    src addr: 192.168.249.50
    dst addr: 192.168.249.2
packet leaves eth2 to 192.168.249.2

But what I see is:

eth1 - before NAT
    src addr: 192.168.254.50
    dst addr: 192.168.250.2
eth1 - after NAT
    src addr: 192.168.249.50
    dst addr: 192.168.240.2
packet leaves eth3 (default gw) to 192.168.249.2

So the modified overlapping NAT parameters for eth1 are working (see Xlated src addr) but not the static NAT and the routing.

Has someone a similar -working- setup? With a Cisco router this can be done: http://www.cisco.com/warp/public/556/3.html

How about Check Point?

Kind Regards.

Robby

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED]
in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
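The two-sided NAT and the routing requirement discussed in this thread, as an added Python example that is not from either poster or from Check Point. It models only the address arithmetic (not Check Point's NAT engine) and checks, by longest-prefix match, which interface each NAT address would leave by. The addresses come from the post; the routing tables and the /32 route for 192.168.250.2 are constructed assumptions.

```python
import ipaddress

def map_prefix(addr, real_net, nat_net):
    """Prefix-preserving NAT: keep the host bits, swap the network bits."""
    addr = ipaddress.ip_address(addr)
    real_net = ipaddress.ip_network(real_net)
    nat_net = ipaddress.ip_network(nat_net)
    if real_net.prefixlen != nat_net.prefixlen:
        raise ValueError("real and NAT ranges must be the same size")
    if addr not in real_net:
        return str(addr)  # outside the range: left untranslated
    return str(nat_net.network_address + (int(addr) - int(real_net.network_address)))

def egress(dst, routes):
    """Longest-prefix-match lookup over (prefix, interface) pairs."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), ifc) for p, ifc in routes
            if dst in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

LAN = "192.168.254.0/24"          # range used by both LAN A and LAN B
NAT_A = "192.168.249.0/24"        # overlapping NAT range for LAN A
HOST_B = "192.168.254.2/32"       # real address of the server on LAN B
HOST_B_NAT = "192.168.250.2/32"   # its static NAT address

def forward(src, dst):
    """LAN A -> LAN B: hide the source behind NAT_A, un-NAT the destination."""
    return map_prefix(src, LAN, NAT_A), map_prefix(dst, HOST_B_NAT, HOST_B)

def reply(src, dst):
    """LAN B -> LAN A: the inverse of forward() on both fields."""
    return map_prefix(src, HOST_B, HOST_B_NAT), map_prefix(dst, NAT_A, LAN)

# Constructed firewall routing tables (interface names from the post).
ROUTES_BASE = [("192.168.251.0/24", "eth1"), ("192.168.254.0/24", "eth2"),
               ("192.168.252.0/24", "eth3"), ("0.0.0.0/0", "eth3")]
# Hypothetical additions: one route per NAT address, as the reply advises.
ROUTES_NAT = ROUTES_BASE + [("192.168.249.0/24", "eth1"),
                            ("192.168.250.2/32", "eth2")]

if __name__ == "__main__":
    print("forward:", forward("192.168.254.50", "192.168.250.2"))
    print("reply:  ", reply("192.168.254.2", "192.168.249.50"))
    for name, table in (("base", ROUTES_BASE), ("with NAT routes", ROUTES_NAT)):
        for nat_addr in ("192.168.249.50", "192.168.250.2"):
            print(f"{name}: {nat_addr} -> {egress(nat_addr, table)}")
```

With only the base table, both NAT addresses fall through to the default route on eth3, which is the situation the route requirement in the reply is meant to prevent.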
