Solved: Connection between two different networks without NAT

VeselinAtanasov1966 · ‎10-03-2019

I want to connect the two networks through checkpoint and cisco 3750. Currently, several other networks in the organization (video conferencing, IP telephony traffic to servers in DMZ, etc.) are routed through cisco 3750.

I have made the scheme shown in a picture with two laptops to test.

This scheme should work, but I don't know why it doesn't work.

Can you help me! Where I am wrong?

Checkpoints rules:

source 10.0.0.0/22 destination 192.168.100.0/24 any service accept

source 192.168.100.0/24 destination 10.0.0.0.22 any service accept

VeselinAtanasov1966 · ‎10-08-2019

А very unexpected problem, but it has already been solved. thanks to everyone who wrote here.

View solution in original post

Deepak Kumar · ‎10-03-2019

Hi,

As I am understating that Route at Core switch (3750) is having an issue as:

Try with a new route: ip route 10.0.0.0 255.255.252.0 192.168.97.1

As Checkpoint is a reply for the ping then I can assume that checkpoint having correct routing and rules configuration. But you can below things on the checkpoint also (Sorry not expert in checkpoint so can't explain correct configuration):

Route for: 10.0.0.0/255.255.252.0

The rule for traffic allow for this subnet also.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

VeselinAtanasov1966 · ‎10-03-2019

I try the new routing, the result is the same.

One thing I cannot understand?

How I can ping from laptop with address 192.168.100.149 address 192.168.97.4 but I can't ping 192.168.97.1

Deepak Kumar · ‎10-03-2019

Hi,

Because your checkpoint is not having routes or policy.

https://dl3.checkpoint.com/paid/79/7916511f80908c3056af526bae304602/CP_R77_Firewall_AdminGuide.pdf?HashKey=1570100926_4c303b2df5acddbfad6dd4ea5c01563c&xtn=.pdf

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

VeselinAtanasov1966 · ‎10-03-2019

I have on checkpoint:

routing destination 192.168.100.148 /255.255.255.252 gateway 192.168.97.4

rules

source 10.0.0.0/255.255.252.0 destination 192.168.97.0/255.255.255.0 any services accept

source 192.168.97.0/255.255.255.0 destination 10.0.0.0/255.255.252.0 any services accept

source 10.0.0.0/255.255.252.0 destination 192.168.100.0/255.255.255.0 any services accept

source 192.168.100.0/255.255.255.0 destination 10.0.0.0/255.255.252.0 any services accept

source 192.168.97.0/255.255.255.0 destination 192.168.100.0/255.255.255.0 any services accept

source 192.168.100.0/255.255.255.0 destination 192.168.97.0/255.255.255.0 any services accept

Georg Pauwen · ‎10-03-2019

Hello,

did you remove:

ip route 10.0.1.208 255.255.255.252 192.168.97.1

before adding:

ip route 10.0.0.0 255.255.252.0 192.168.97.1

What is the configuration of the 3560 ?

Georg Pauwen · ‎10-03-2019

Hello,

how are the sync interfaces between both Checkpoints configured ? If you use a layer 3 switch for connecting them both, you need to make sure that the ports are 'switchports' and not routed ports...

VeselinAtanasov1966 · ‎10-03-2019

Checkpoints are in cluster with Checkpoint smart-1 5. cluster Mode High Availability

This is configuration on cisco ports:

interface Vlan97

description "To Core CheckPoint"

ip address 192.168.97.4 255.255.255.248

interface GigabitEthernet1/0/20

description "To Core 01 CheckPoint"

switchport access vlan 97

switchport mode access

spanning-tree portfast

interface GigabitEthernet1/0/22

description "To Core 02 CheckPoint"

switchport access vlan 97

switchport mode access

spanning-tree portfast

Giovanni Alexander Molina · ‎10-03-2019

Hi, try checking out if any implicit NAT is configured on the interfaces, i had a similar issue once and that was the issue.

VeselinAtanasov1966 · ‎10-04-2019

I checked, there is no NAT on the interfaces of Core Checkpoints.

I have two Core Checkpoints in cluster, transport network to the boarder CheckPoint where are NAT polices for internet access .

Currently network 10.0.0.0/22 communicates with network 192.168.100.0/24 through a border checkpoint with NAT.

I want to eliminate the connection through border checkpoint and connect the networks directly with routing over Core checkpoint.

These are the firewall rules on Core Checkpoints and Border Checkpoint

source 10.0.0.0/255.255.252.0 destination 192.168.97.0/255.255.255.0 any services accept

source 192.168.97.0/255.255.255.0 destination 10.0.0.0/255.255.252.0 any services accept

source 10.0.0.0/255.255.252.0 destination 192.168.100.0/255.255.255.0 any services accept

source 192.168.100.0/255.255.255.0 destination 10.0.0.0/255.255.252.0 any services accept

source 192.168.97.0/255.255.255.0 destination 192.168.100.0/255.255.255.0 any services accept

source 192.168.100.0/255.255.255.0 destination 192.168.97.0/255.255.255.0 any services accept

These are the NAT rules on Border Checkpoint

Source 10.0.0.0/22 destination 192.168.95.0/24 NAT 192.168.95.2

Source 10.0.0.0/22 destination 192.168.100.0/24 NAT 192.168.95.2

I can not understand what is happening!!!!

Routing table on Core CheckPoint:

Vlan 97 on Cisco 3750, Lan 192.168.97.0

Destination Netmask Gateway metric Interface

192.168.97.0 255.255.255.0 0 eth6

192.168.100.148 255.255.255.252 192.168.97.4 0 eth6

Eth6 > 192.168.97.1 ( cluster address)

Routing table on Border CheckPoint:

Vlan 95 on Border CheckPoint, Lan 192.168.95.0

Destination Netmask Gateway metric Interface

192.168.95.0 255.255.255.0 0 eth1-02

192.168.100.0 255.255.255.0 192.168.95.1 0 eth1-02

Eth1-02> 192.168.95.2

Eth1-02 is physical interface, expansion module on checkpoint

Cisco 3750

!

interface Vlan95

description "To Border CheckPoint"

ip address 192.168.95.1 255.255.255.252

interface Vlan97

description "To Core CheckPoint"

ip address 192.168.97.4 255.255.255.248

!

interface GigabitEthernet1/0/20

description "To Core 01 CheckPoint"

switchport access vlan 97

switchport mode access

spanning-tree portfast

!

interface GigabitEthernet1/0/22

description "To Core 02 CheckPoint"

switchport access vlan 97

switchport mode access

spanning-tree portfast

!

interface GigabitEthernet1/0/23

description TO BORDER CHEKPOINT

switchport access vlan 95

switchport mode access

As you can see everything is the same!!!

On Cisco > !

!

interface Vlan100

ip address 192.168.100.1 255.255.255.0

interface GigabitEthernet1/0/2

description "Test Vlan 100 laptop"

switchport access vlan 100

switchport mode access

spanning-tree portfast

What happens when i try a ping from Cisco 3750

Ping to 192.168.97.1 – Yes, ping to 192.168.95.2- Yes

What happens when i try a ping from a laptop with an address 192.168.100.149

Ping to 192.168.95.1 – Yes, ping to 192.168.95.2 ---- YES

Ping to 192.168.97.4 – Yes, ping to 192.168.97.1 ???????? NOOOOO Why??????????? NO

VeselinAtanasov1966 · ‎10-08-2019

А very unexpected problem, but it has already been solved. thanks to everyone who wrote here.