Hi,

Thanks for the response but...
This is *not* a VPN setup. So no encryption domain etc...
It's a setup where *one* firewall has the same subnet on two interfaces.

Kind Regards.
Robby

On 8/30/06, chkp tech <[EMAIL PROTECTED]> wrote:
Greetings,

It is possible to do this, and you'll need to NAT both sides of the traffic. Whatever you NAT the addresses behind, you will need to make sure that the firewalls have a route for the address. Basically what you'll set up is a 10 to 10 NAT (Both directions NATed).

Check Point firewalls look at the source, destination, and encryption domain to determine whether or not a packet needs to be encrypted.

Jason

On 8/30/06, Robby Cauwerts <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> I have the following setup:
> (notice that LAN A and LAN B have the same network range)
>
> HOST A 192.168.254.50
> |
> LAN A 192.168.254.0/24 (overlapping NAT range 192.168.249.0/24)
> |
> |
> 192.168.254.1(eth1)
> ROUTER A
> 192.168.251.2 (eth2)
> |
> |
> 192.168.251.1(eth1)
> Check Point FW R60 192.168.252.2 (eth3) ----- to internet router 192.168.252.1
> 192.168.254.1(eth2)
> |
> |
> LAN B 192.168.254.1
> |
> HOST B 192.168.254.2 (static NAT to 192.168.250.2)
>
> And the following NAT addresses:
> overlapping NAT range for LAN A: 192.168.249.0/24
> Static nat for a server on LAN B: 192.168.254.2 <-> 192.168.250.2
>
> Hosts on LAN A need to set up a connection to hosts on LAN B. But as
> you can see LAN A and LAN B have the same network ranges.
>
> Using GuiDBedit I've modified the following parameters for eth1 on the
> Check Point FW:
> - enable_overlapping_nat -> TRUE
> - overlap_nat_dst_ipaddr -> 192.168.254.0
> - overlap_nat_netmask -> 255.255.255.0
> - overlap_nat_source_ipaddr -> 192.168.249.0
>
> + a route for 192.168.249.0 to 192.168.251.2 (eth2 ROUTER A) on the
> Check Point FW
>
> This is based on a more-or-less similar setup in the R60 Firewall
> guide (overlapping NAT section)
>
> So if host 192.168.254.50 on LAN A wants to set up a connection to
> 192.168.250.2 (static nat to host 192.168.254.2 on LAN B) the
> following should happen on the Check Point FW:
>
>
> eth1 - before NAT src addr: 192.168.254.50 dst addr: 192.168.250.2
> eth1 - after NAT src addr: 192.168.249.50 dst addr: 192.168.249.2
> packet leaves eth2 to 192.168.249.2
>
> But what I see is:
> eth1 - before NAT src addr: 192.168.254.50 dst addr: 192.168.250.2
> eth1 - after NAT src addr: 192.168.249.50 dst addr: 192.168.240.2
> packet leaves eth3 (default gw) to 192.168.249.2
>
> So the modified overlapping NAT parameters for eth1 are working (see
> Xlated src addr) but not the static NAT and the routing.
>
> Has someone a similar -working- setup?
>
> With a Cisco router this can be done:
> http://www.cisco.com/warp/public/556/3.html
> How about Check Point?
>
> Kind Regards.
>
> Robby
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
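
A small Python model of the packet walk discussed in this thread, added here as an example (it is not from the posters and it is not Check Point's implementation). It uses the addresses and GuiDBedit parameter names from the post; the /24 masks on the eth1 and eth3 links, and the assumption that the route lookup uses whatever destination address the packet carries after NAT, are mine.

```python
import ipaddress as ipa

# Values from the post (eth1 overlapping-NAT parameters and Host B's static NAT).
OVERLAP_ETH1 = {
    "overlap_nat_dst_ipaddr": "192.168.254.0",     # real (overlapping) range on LAN A
    "overlap_nat_netmask": "255.255.255.0",
    "overlap_nat_source_ipaddr": "192.168.249.0",  # range LAN A is presented as
}
STATIC_NAT = {"192.168.250.2": "192.168.254.2"}    # NATed address -> Host B

# Firewall routing table. The /24 masks on the eth1 and eth3 links are assumed.
ROUTES = [
    ("192.168.251.0/24", "eth1"),  # link to ROUTER A
    ("192.168.249.0/24", "eth1"),  # static route via 192.168.251.2
    ("192.168.254.0/24", "eth2"),  # LAN B, directly connected
    ("192.168.252.0/24", "eth3"),  # link to internet router
    ("0.0.0.0/0", "eth3"),         # default gateway 192.168.252.1
]

def overlap_src_nat(src, cfg=OVERLAP_ETH1):
    """Map a source in the overlapping range onto the same host in the NAT range."""
    real = ipa.ip_network(f'{cfg["overlap_nat_dst_ipaddr"]}/{cfg["overlap_nat_netmask"]}')
    addr = ipa.ip_address(src)
    if addr not in real:
        return src
    host_bits = int(addr) & int(real.hostmask)
    base = int(ipa.ip_address(cfg["overlap_nat_source_ipaddr"]))
    return str(ipa.ip_address(base | host_bits))

def egress(dst):
    """Longest-prefix match over ROUTES; returns the outgoing interface."""
    addr = ipa.ip_address(dst)
    hits = [(ipa.ip_network(n), i) for n, i in ROUTES if addr in ipa.ip_network(n)]
    return max(hits, key=lambda m: m[0].prefixlen)[1]

def walk(src, dst, static_nat_applied):
    """Translate a packet arriving on eth1, then pick the egress interface."""
    src = overlap_src_nat(src)
    if static_nat_applied:
        dst = STATIC_NAT.get(dst, dst)
    return src, dst, egress(dst)

if __name__ == "__main__":
    for applied in (True, False):
        print("static NAT applied:", applied, walk("192.168.254.50", "192.168.250.2", applied))
    print("reply to 192.168.249.50 leaves", egress("192.168.249.50"))
```

With the static NAT applied the destination becomes 192.168.254.2 and the lookup selects eth2; without it, 192.168.250.2 matches only the default route and the packet leaves eth3, which is the egress interface reported in the post.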
