topic NAT Source Port manipulation in Firewall and Security Management

NAT Source Port manipulation

H2-F1 — Wed, 08 Jul 2020 16:44:50 GMT

Hello Checkmates

I'm currently dealing with an issue for a client and need some guidance from the community.

I have attached a diagram showing the traffic flow. which I have summarised below:

The client establishes a site to site VPN from their location C to their location A. All traffic flows through a Checkpoint Firewall running R80.x (think of it like we are their ISP), at the point of exit we NAT the traffic from their source IP (C) to ours (B) as well as change the source port number to Y.

The issue is that when the VPN fails for any reason and reestablishes, it is renatted to a different source Port (Z) which is seen as a new tunnel at the destination and this breaks the clients communication as all comms should remain on the original port (Y).

The question: Is there a way to set a NAT or anything else on the firewall that woud say, if traffic is sourced from IP address C then use permanently source port Y. I suspect that I would also have to put some sort of reservation on that port so that it is not used. but I'm not sure that this is possible.

Any insights/thoughts would be appreciated.

Thanks

Re: NAT Source Port manipulation

PhoneBoy — Wed, 08 Jul 2020 23:17:39 GMT

Unfortunately, the diagram doesn't really clarify the situation at all.

Is Site C terminating VPN on Site B or only going through Site B to terminate on Site A?
Also, are you doing a static NAT or a hide NAT?
Because a static NAT would not change the source port at all from what the client specifies.
When you are doing a hide NAT, you have zero control over the source port and can't specify/change it to suit your desires.

Re: NAT Source Port manipulation

H2-F1 — Fri, 10 Jul 2020 11:01:10 GMT

Hi Dameon

the VPN is initiated by Site C goes through Site B where it is natted (Hide NAT) and terminates on Site A. Based on the information you provided we would need to change the nat to a static NAT.

Would you know if there is a way to do a dynamic nat pool, the address wouldn't be a 1-to-1 but for that session + x Hours it wouldn't change (like a DHCP lease), if the session drops for more than an hour it'll pick up the same public IP again when it reconnects.

Re: NAT Source Port manipulation

PhoneBoy — Fri, 10 Jul 2020 18:05:23 GMT

There is IP Pool NAT available, but I don't think the timeout is adjustable and, offhand, not sure what the timeout is.
Enable it in Global Properties:

Then you can change the settings in the relevant gateway object:

Re: NAT Source Port manipulation

H2-F1 — Fri, 10 Jul 2020 18:17:46 GMT

Excellent,

The article you referred shows that the IP NAT Pool timer is configurable. I will give this a try and let you know how we get on.

Thank you.