
Cisco Compatible Micro Router Series

Compatible Systems Tech Notes: Checkpoint Firewall NAT and Routing

Document ID: 17662



Contents

Introduction
Prerequisites
      Requirements
Affected Products
Affected Versions
More Information
Related Information

Introduction

A Checkpoint Firewall that performs Network Address Translation (NAT) requires some unusual routing to be set up on both the firewall and the Internet router.

Prerequisites

Requirements

There are no specific requirements for this document.

Affected Products

900i, 1200i, 1220i, 1250i, 1270i, 2600i, 2900i, 2200R, 2220R, 2250R, 2270R, 3500R, 3800R, VSR-2 and VSR-8

Affected Versions

All versions

More Information

The Internet router is most likely connected to the Internet through its WAN port, with its Ethernet 0 port connected to the Checkpoint through a hub or crossover cable. Any external address (from the Ethernet network shared between the router and firewall) that the Checkpoint uses must have a host route on the Internet router. The Checkpoint must also have the same routes in its own configuration, pointing at its own external IP address.

For instance, if the Internet router has an Ethernet 0 address of 204.144.171.1, the Checkpoint is at 204.144.171.2, and the Checkpoint is also doing NAT for 204.144.171.3 and 204.144.171.4, these are the routes you need. On the Internet router, the routes are:

  • Destination 204.144.171.3

  • Mask 255.255.255.255

  • Gateway 204.144.171.2

and

  • Destination 204.144.171.4

  • Mask 255.255.255.255

  • Gateway 204.144.171.2

You also need exactly the same routes in the Checkpoint configuration, along with its required NAT sections. It sounds strange and does not follow normal routing standards, but it is the way it works.
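The following check is an added example, not part of the original tech note or any vendor tool: it audits a route table from either device for the host routes described above. The addresses come from the note; the /24 mask on the shared Ethernet network and the `(destination, mask, gateway)` tuple layout of the sample tables are assumptions.

```python
import ipaddress

def audit_nat_host_routes(routes, nat_addrs, fw_external, shared_net):
    """Return {nat_addr: problem} for each NAT address lacking its host route.

    routes: iterable of (destination, mask, gateway) strings from one device.
    """
    net = ipaddress.ip_network(shared_net)
    gw = ipaddress.ip_address(fw_external)
    # Index only host routes (mask 255.255.255.255) by destination address.
    host_routes = {}
    for dest, mask, gateway in routes:
        route_net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if route_net.prefixlen == route_net.max_prefixlen:
            host_routes[route_net.network_address] = ipaddress.ip_address(gateway)
    problems = {}
    for addr in map(ipaddress.ip_address, nat_addrs):
        if addr not in net:
            problems[str(addr)] = "not on the shared Ethernet network"
        elif addr not in host_routes:
            problems[str(addr)] = "no host route"
        elif host_routes[addr] != gw:
            problems[str(addr)] = f"host route points at {host_routes[addr]}, not {gw}"
    return problems

# Addresses from the note; the /24 mask is an assumption.
SHARED_NET = "204.144.171.0/24"
FW_EXTERNAL = "204.144.171.2"
NAT_ADDRS = ["204.144.171.3", "204.144.171.4"]

# Constructed sample tables: the router's is complete, the firewall's
# second entry points at the router instead of the firewall's own address.
ROUTER_ROUTES = [
    ("204.144.171.3", "255.255.255.255", "204.144.171.2"),
    ("204.144.171.4", "255.255.255.255", "204.144.171.2"),
]
FIREWALL_ROUTES = [
    ("204.144.171.3", "255.255.255.255", "204.144.171.2"),
    ("204.144.171.4", "255.255.255.255", "204.144.171.1"),
]

if __name__ == "__main__":
    for name, table in (("router", ROUTER_ROUTES), ("firewall", FIREWALL_ROUTES)):
        issues = audit_nat_host_routes(table, NAT_ADDRS, FW_EXTERNAL, SHARED_NET)
        print(name, issues or "all NAT host routes present")
```

Run it against the table exported from each device after adding a new NAT address; an empty result means both the destination and the gateway match what the note requires.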


Related Information



Updated: Oct 04, 2005 Document ID: 17662