
Hide NAT aka Public IPs behind a firewall

By STURNER
I really need help here! lol

I run a network with the private 192.x.x.x subnet behind a firewall. A company that we are beginning to do work with requires us to VPN to them via our firewall to their Checkpoint system.

According to them our internal network has to have a routable IP scope. So hence my need for help!

How do I determine my scope? My initial thought was that I could use any IPs I wanted (because it is behind a firewall), so I simply subnetted my public proxy IP (using a subnet calc) and implemented it. The caveat here is that if you try to go across the VPN and ping, DNS returns the name of the company that really owns the IPs I am trying to use behind the firewall.

So can anyone help and give me some direction here? Please! Is there a block of IPs set aside for this type of issue that are routable but not used on the Inet?

Help Help Help


by curlergirl In reply to Hide NAT aka Public IPs b ...

If you are running the Checkpoint SecuRemote client you should not have to change your internal IP addresses at all. I have done this at one of our clients, and although I had the same reaction initially from the company that was using Checkpoint, this is not the case. There are certain ports that you have to be sure are open on your firewall, but other than that, you should not have any problem. I believe the only two ports you need open to be able to authenticate with a Checkpoint server are UDP port 1434 and TCP port 1723. I also have some other ports open on my firewall for this connection, but I think they are for the Citrix client we are using. At any rate, if just having those two open doesn't work, try opening these other ports: TCP 256 and 259 and UDP 259, 500 and 2746. These last series of ports I have open on my firewall ONLY for their Checkpoint server's public address. If you still have questions or problems, post back with more info and I'll look at it again. Hope this helps!


by STURNER In reply to Hide NAT aka Public IPs b ...

Ok, I do not run the Checkpoint firewall. The other company does, and therefore I have to config my network to meet their needs ($$$). Therefore, if they insist that I run a routable IP scheme on my network, then that is what is going to be done. I am looking for help in setting up a routable IP scheme on a network and the questions listed above. This also has nothing to do with the SecuRemote client, as this is a firewall-to-firewall configuration.

Thanks for trying to help and taking the time to respond


by curlergirl In reply to Hide NAT aka Public IPs b ...

Maybe I am not at all understanding what you're trying to do - but if your internal network has to have a public IP addressing scheme, then you have to lease these IP addresses from your ISP, and your ISP has to establish DNS entries for those hosts that will have public IP addresses. This is the only way they will be seen as public hosts. To put these behind a firewall, you have to abandon NAT and use the firewall proxy/router public IP address as the default gateway address for all your internal hosts so that they will be protected. NAT only works, as far as I know, with a public/private addressing scheme, not when all addresses are public. Hope this helps!


by STURNER In reply to Hide NAT aka Public IPs b ...

No, you can use any IP scheme you want, private or public, behind a firewall w/NAT, because under NAT the real world only sees your WAN IP on the firewall. Now if the client I am connecting to has a heavily routed network, then you must use IPs that are "routable" so that the routers can pass them through. The usual suspects of private IPs (192.168, 172.168 and 10.0) are not routable IPs. So back to my question above: what would be an appropriate scheme for a routable IP subnet behind a firewall (i.e. so that DNS requests will not conflict with outside addressing as assigned by ISPs) and so on?


by leeicr In reply to Hide NAT aka Public IPs b ...

You are not going to get routable IPs unless you buy them from your ISP.

But who is connecting to whom in this situation: they to you, or you to them?

And why did they say you needed them?

Lee


by STURNER In reply to Hide NAT aka Public IPs b ...

The answer was that I do not need to use registered IPs, because most firewalls/VPNs will allow you to decide where you terminate the VPN (WAN/LAN/DMZ). Therefore, by terminating on the WAN port, all of the internal addresses go across the VPN NATed as the WAN public IP.
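The two practical questions in this thread are how to tell whether a candidate inside scope is safe to use (the earlier post on "routable" private ranges) and what the peer actually sees once the tunnel is hide-NATed to the WAN address (the resolution above). The script below is an added example, not code from any poster or from Checkpoint: it classifies a candidate scope against the RFC 1918 and RFC 6598 blocks, checks it for overlap with the peer's published subnets (overlap, rather than private addressing, is what a site-to-site VPN peer usually objects to), picks a non-overlapping scope, and simulates the many-to-one translation so every inside flow leaves as the single WAN IP. The peer subnets, the WAN address and the flows are constructed sample data.

```python
"""Address-planning checks for a site-to-site VPN behind a hide-NAT firewall.

Constructed example, not code from the thread. Assumes the peer publishes the
subnets inside its encryption domain and the firewall translates everything
entering the tunnel to one WAN address (hide NAT / many-to-one PAT).
"""
import ipaddress
from typing import Dict, List, Tuple

# Blocks that are fine inside a NATed LAN but are never announced on the
# public Internet: RFC 1918 private space and RFC 6598 shared space.
NON_INTERNET_BLOCKS = {
    "RFC 1918 private": [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("172.16.0.0/12"),
        ipaddress.ip_network("192.168.0.0/16"),
    ],
    "RFC 6598 shared (CGNAT)": [ipaddress.ip_network("100.64.0.0/10")],
}


def classify_scope(cidr: str) -> str:
    """Say what kind of block a candidate inside scope falls into."""
    net = ipaddress.ip_network(cidr, strict=False)
    for label, blocks in NON_INTERNET_BLOCKS.items():
        if any(net.subnet_of(block) for block in blocks):
            return label
    if net.is_global:
        # Carving a LAN out of a public range you do not hold is what made
        # reverse DNS return another company's name in the original post.
        return "globally routable: must be assigned to you by your ISP"
    return "reserved/special-purpose: not usable as a LAN scope"


def overlapping_subnets(local: str, remote: List[str]) -> List[str]:
    """Return the peer subnets that collide with the local scope.

    If both ends use 192.168.1.0/24, neither firewall can tell local hosts
    from remote ones, whatever the 'routability' of the block.
    """
    local_net = ipaddress.ip_network(local, strict=False)
    return [r for r in remote
            if local_net.overlaps(ipaddress.ip_network(r, strict=False))]


def pick_non_overlapping(candidates: List[str], remote: List[str]) -> str:
    """First candidate scope that does not collide with any peer subnet."""
    for cand in candidates:
        if not overlapping_subnets(cand, remote):
            return cand
    raise ValueError("every candidate scope overlaps the peer's networks")


Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)
NatTable = Dict[Tuple[str, int], Tuple[str, int]]


def hide_nat(flows: List[Flow], wan_ip: str,
             first_port: int = 40000) -> Tuple[List[Flow], NatTable]:
    """Translate inside flows to the single WAN address (many-to-one NAT).

    Returns the flows as the peer sees them plus the reverse table the
    firewall keeps so replies to (wan_ip, port) reach the right inside host.
    """
    translated: List[Flow] = []
    table: NatTable = {}
    port = first_port
    for src_ip, src_port, dst_ip, dst_port in flows:
        table[(wan_ip, port)] = (src_ip, src_port)
        translated.append((wan_ip, port, dst_ip, dst_port))
        port += 1
    return translated, table


if __name__ == "__main__":
    # Constructed peer encryption domain; 8.8.8.0/24 stands in for
    # "a subnet carved out of my proxy's public IP" (not ours to use).
    PEER = ["192.168.1.0/24", "10.50.0.0/16"]
    for scope in ["192.168.1.0/24", "172.16.0.0/24",
                  "100.64.5.0/24", "8.8.8.0/24"]:
        print(scope, "->", classify_scope(scope),
              "| collides with:", overlapping_subnets(scope, PEER))
    chosen = pick_non_overlapping(
        ["192.168.1.0/24", "10.50.2.0/24", "172.31.200.0/24"], PEER)
    print("usable inside scope:", chosen)
    inside = [("172.31.200.10", 51000, "10.50.0.5", 443),
              ("172.31.200.11", 51001, "10.50.0.5", 443)]
    seen, table = hide_nat(inside, "203.0.113.7")  # constructed WAN address
    print("peer sees:", seen)
```

Run it as-is to see the report; when planning a real tunnel, replace the PEER list with the subnets the other side actually puts in its encryption domain and keep the inside scope that comes back from pick_non_overlapping.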


by STURNER In reply to Hide NAT aka Public IPs b ...

This question was closed by the author
