Check Point NGX R60 IP Pool NAT for Clear (Non-VPN) Connections July 17, 2005

Transcription

1 Check Point NGX R60 IP Pool NAT for Clear (Non-VPN) Connections July 17, 2005 Overview In This Document Overview page 1 Configuration page 2 Examples page 3 Notes page 4 This document describes a new feature designed to enable IP Pool NAT for connections that are not encrypted/decrypted by the firewall gateway (for example, PPTP Clients or IPSec). IP Pool NAT for clear (non-vpn) connections will enable NAT N hosts using M IPs (N:M, where N > M). This is different from Static NAT which translates N:N IPs (from subnet to subnet), or Hide NAT which translates N:1 and does not support incoming connections. The motivation for this new IP Pool NAT feature arises from its advantages over Hide NAT and Static NAT. For instance, Over Static NAT: IP Pool NAT does not require an IP for every Natted host. Over Hide NAT: IP Pool NAT provides a unique IP per Natted host. Over Hide NAT: IP Pool NAT allows back-connections: incoming connections to the NAT address of the host. IP Pool NAT solution scenarios: NAT for protocols that are not supported by Hide NAT (meaning non-tcp/udp/icmp), such as IPSec. Servers and protocols that allow a single user per IP. Protocols that require support of back-connections, such as X-11. Copyright 2005 Check Point Software Technologies, Ltd. All rights reserved.

2 Configuration IP Pool NAT for clear (non-vpn) connections is relevant for NGX R60 and above. It should not be configured for older modules. Refer to the Firewall and SmartDefense User Guide, for the following advanced configuration topics: Priority of IP Pool NAT vs Static and Hide NAT. Configuration of different IP Pools on different GW interfaces. Re-usage of IPs from the pool for different destinations. Configuration To configure pool IP addresses, See Notes on page 4. or the Firewall and SmartDefense NGX R60 User Guide. To activate IP Pool NAT, define (in INSPECT) which clients will be Natted to which servers and which services apply NAT. When defining the INSPECT tables use the user.def.ngx_r60 file (in the management directory $FWDIR/conf) as follows: The Services tables should have the following format and any name (Optional): ip_pool_server_services = { <IP Proto, Low Port, High Port>,. }; The Server tables can be given any valid name, but they must be defined before the Clients table as follows: ip_pool_server_ips = { <First IP, Last IP ; Name of Services table - Optional>,... }; A single table holding IP ranges for the Clients must have the following name and structure: ip_pool_client_ips = { <First IP, Last IP ; Name of Servers table>, <First IP, Last IP ; Name of Servers table>,. <First IP, Last IP ; Name of Servers table> }; To use a single IP in both Server and Services tables, enter the IP as First IP and Last IP (that is, not <IP> or <IP ; >). To specify any IP use as First IP and as Last IP. Check Point NGX (R60) IP Pool NAT for clear (Non-VPN) Connections. Last Update July 17,

3 Examples Example 1: IP Pool NAT when Clients Connect to a Server Examples Example 1: IP Pool NAT when Clients Connect to a Server The following is a simple scenario of a server (for example, PPTP, ) on which IP Pool NAT is performed on clients connecting to this server from ip_pool_server_ips = { < , > }; ip_pool_client_ips = { < , ; ip_pool_server_ips>, < , ; ip_pool_server_ips> }; The example above results in IP Pool NAT of IPs # or # connecting to server Example 2: PPTP Servers and Different Client Networks The following is an example of a scenario with two PPTP servers and different client networks for each server: ip_pool_server_1 = { < , > }; ip_pool_server_2 = { < , > }; ip_pool_client_ips = { < , ; ip_pool_server_1>, < , ; ip_pool_server_2> }; Example 3: All Clients The following is an example of what occurs when ALL Clients are allowed access to a specific server: ip_pool_server = { < , > }; ip_pool_client_ips = { < , ; ip_pool_server }; Example 4: Allowing IP Pool NAT to any Destination The following is an example of allowing IP Pool NAT of a client network to any destination: ip_pool_all_servers = { < , > }; ip_pool_client_ips = { < , ; ip_pool_all_servers> }; Check Point NGX (R60) IP Pool NAT for clear (Non-VPN) Connections. Last Update July 17,

4 Example 5: IP Pool NAT and Services Notes Example 5: IP Pool NAT and Services The following is a services example that allows IP Pool NAT for internal clients (suppose 10.#.#.# network) and any server, for services IPSec (IPProto 50 + IKE) and PPTP (IPProto 47-GRE + PPTP Control-1723): ip_pool_services = { <50, 0, 0>, <17, 500, 500>, <6, 1723, 1723>, <47, 0, 0> }; ip_pool_server_ips = { < , ; ip_pool_services> }; Notes ip_pool_client_ips = { < , ; ip_pool_server_ips> }; IP Pool NAT can be configured on the firewall gateway in two places: Enabling IP Pool NAT using the GUI 1) Select Global Properties > NAT > Enable IP Pool NAT 2) Define a new Address Range or Network (or Group) for the IP Pool. 3) On the firewall gateway object > NAT > IP Pools: Associate the pool object with the gateway or to gateway interfaces (depending on the configuration). 4) Install the policy. Enabling IP Pool NAT using the INSPECT Table 1) Directly define the pool IPs in a table in the user.def.ngx_r60 file with the following format, where module is the name of the firewall gateway module. For Clusters add a table for each member: all@module xlate_pool = { <First IP, Last IP>, <First IP, Last IP>, }; 2) Install the policy. Note - Do not use both of the above methods, since it will cause an INSPECT compilation error. After an IP is allocated for a client, every connection from that client will be Natted the same way (regardless of destination or service), while the client is still using the allocated IP. IPs from the pool should be routed to the firewall (like Static NAT), either using manual ARP or by manual route. If there is Static NAT on the servers, the servers address in the tables should be their real IP addresses (that is, the IP addresses from their view), similar to how the servers address appears when there is no NAT. Only if global attribute NAT > Translate destination on client side (manual or automatic, depends on the defined server NAT) is off, the server address should be the client side NAT address. Check Point NGX (R60) IP Pool NAT for clear (Non-VPN) Connections. Last Update July 17,

5 Notes Example 5: IP Pool NAT and Services Unlike the Servers tables, INSPECT Tables, ip_pool_client_ips is a fixed name and should always be used. Servers tables should be defined before the Clients table. Check Point NGX (R60) IP Pool NAT for clear (Non-VPN) Connections. Last Update July 17,