topic Re: Port redirection not working? in Firewall and Security Management

Port redirection not working?

skandshus — Thu, 27 May 2021 20:31:36 GMT

So im having quite some issues regarding opening ports/creating nat rules for when i need to remotely access inside ressources on their default port, but using a different remote port.

Example down below:

Trying to access a Terminal-Server. where the usual port 3389 is not available. so its due to hit on port 8889 and then be translated to the inside server at port 3389.

When i check the firewall rule, traffic is allowed and i can also see hits, but nothing ever responds when trying to access it "outside"

Re: Port redirection not working?

the_rock — Thu, 27 May 2021 16:08:28 GMT

Seems like rule is being hit, if you do fw monitor, do you even see traffic working? Have you tried disabling securexl?

Re: Port redirection not working?

skandshus — Thu, 27 May 2021 16:38:03 GMT

Since I am still in the learning phase of checkpoint I do not know what secureXL is.. and I see see it’s being hit.. if I do a wire shark capture on the terminal server then nothing arrives at it unless it’s local traffic.. so for some reason my GW isn’t forwarding the traffic..

btw what is fw monitor?

Re: Port redirection not working?

the_rock — Thu, 27 May 2021 16:43:50 GMT

This would be good place to check on it if you are not familiar, but in essence, its supposed to accelerate the traffic:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk32578&partition=Advanced&product=SecureXL

In some cases, it could cause traffic issues, so one way to confirm, would be if you run fwaccel off on the gateways and then test again, no need to push the policy. To turn it back on, just run fwaccel on

Re: Port redirection not working?

skandshus — Thu, 27 May 2021 17:16:46 GMT

Turning off SecureXL didnt make a difference 😞

Re: Port redirection not working?

the_rock — Thu, 27 May 2021 17:24:34 GMT

Ok, try this...fe ctl zdebug + drop | grep 3389

Message me privately, lets do remote later on.

Re: Port redirection not working?

skandshus — Thu, 27 May 2021 17:26:27 GMT

THANK YOU!!!
Ill fire off the command NOW

Re: Port redirection not working?

skandshus — Thu, 27 May 2021 17:51:43 GMT

And i've also sent you a private message

Re: Port redirection not working?

Wolfgang — Thu, 27 May 2021 18:51:22 GMT

Did you allow both IPs (original and translated destination) in your rule?

Are you aware of the returning packets, they should be NATed to seen external with the external IP.
And at last, has your terminalserver a route through the gateway to access the external world?

Re: Port redirection not working?

skandshus — Thu, 27 May 2021 19:44:15 GMT

Hi Wolfgang.
about the retur packet.. would you care to show me an example by using the attached picture i had in the original topic?
I should have nat return though, but i could have made a mistake..
My terminalserver can access the internet perfectly.. and its hidden behind nat

Re: Port redirection not working?

Wolfgang — Thu, 27 May 2021 19:54:17 GMT

The shown picture is only a rule for NAT. You have to configure a rule in the network layer to allow the traffic from external to your destination hosts.

Re: Port redirection not working?

skandshus — Thu, 27 May 2021 20:31:22 GMT

I've attached photos here..
the firewall accept's the traffic, but it just doesnt go any further.

if i do a wiresharp capture on the terminal server, no traffic arrives..
but if i try to connect from an internal server to the terminal server, traffic arrives and can be seen on the wireshark capture.

Re: Port redirection not working?

skandshus — Thu, 27 May 2021 20:32:14 GMT

i think ive managed to find the issue.
as soon as i renamed the object with fewer characters it started working

After renaming the object from 17 Character to a few and pushed policy the NAT rule started working correctly
thank you for the help everyone 🙂