topic Re: Hide NAT of the FW external IP in VSX configuration in Firewall and Security Management

Hide NAT of the FW external IP in VSX configuration

redcrow — Fri, 20 Mar 2020 08:23:05 GMT

Hello,

is auto hide NAT possible for the FW IP (external interface of course) in VSX configuration?

Specifically, we have an Edge Firewall (Virtual System) with two interfaces (internal and external). Both interfaces are directly connected to a border router (Cisco 6800).

[Expert@lntfw-pgtw2:4]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.196.0 0.0.0.0 255.255.255.240 U 0 0 0 bond2.997
192.168.196.16 0.0.0.0 255.255.255.240 U 0 0 0 bond2.998
10.100.98.0 0.0.0.0 255.255.255.0 UD 0 0 0 bond2.998
10.100.97.0 0.0.0.0 255.255.255.0 UD 0 0 0 bond2.997
x.x.0.0 10.100.97.1 255.255.0.0 UGD 0 0 0 bond2.997
0.0.0.0 10.100.98.1 0.0.0.0 UGD 0 0 0 bond2.998

Since the external interface has a private IP (10.100.98.101), the VS can't go to the Internet. So, I'd like to add a hide NAT (with one of our public IPs) to the 10.100.98.101 IP address. I already tried these two methods:

- Created an object with IP 10.100.98.101 and set the option "NAT --> Add automatic address translation rules --> Hide behind IP address" (with public IP).

- Created an object with IP 10.100.98.101 (let's call it Priv) and another object with public IP (let's call Pub). Then I added the object Priv in "Original Source" and the object Pub in "Translated Source".

Unfortunately, I didn't have success... both methods didn't work. Tcpdump shows always 10.100.98.101 as source if I try to ping or telnet some destination. So, since I read here this mechanism is feasible, I'm worndering if that is the same in VSX environments...

Thanks,
Francesco

Re: Hide NAT of the FW external IP in VSX configuration

ias_gc-dk — Fri, 20 Mar 2020 09:16:09 GMT

I would just create a NAT rule that has a group with all the addresses/nets you want to hide-nat as original source. Original destination would be any. Translated source would then be an object with your selected public address with method Hide. Place it at below all you other more specific NAT-rules.

Re: Hide NAT of the FW external IP in VSX configuration

redcrow — Fri, 20 Mar 2020 11:36:22 GMT

That was exactly the second method I tried. Please see the following images (tried again towards a single Public IP as destination for a test):

The object FW-Frontiera_10.100.98.101-External is a host containing the private IP 10.100.98.101 of the external interface.
The object Public_IP_Test is just a public IP to test the NAT (162.241.216.197)
The object FW-Frontiera_NAT-External is a host containing one of our enterprise Public IPs

As you can see, the source IP remains 10.100.98.101...

Re: Hide NAT of the FW external IP in VSX configuration

ias_gc-dk — Fri, 20 Mar 2020 11:42:56 GMT

What if you tried with the VS-object for Original Source, instead of an object containing just the external ip?

Re: Hide NAT of the FW external IP in VSX configuration

redcrow — Fri, 20 Mar 2020 11:54:38 GMT

Already tried:

but...

Gateway: lntfw-pVSX1_Frontiera
Policy: Frontiera
Status: Failed
- Invalid Object 'lntfw-pVSX1_Frontiera' in Original Source of Address Translation Rule 1. The valid objects are: host, gateway, network, address range and router.
- Policy verification failed.
--------------------------------------------------------------------------------

Re: Hide NAT of the FW external IP in VSX configuration

ias_gc-dk — Fri, 20 Mar 2020 12:45:06 GMT

hmm.. never had to do NAT for traffic from the firewall itself, so I have not run into this before. Is this how it is supposed to be in production?

Don't you have a host behind the firewall you can test from?

Re: Hide NAT of the FW external IP in VSX configuration

redcrow — Fri, 20 Mar 2020 13:31:48 GMT

Yes, a test host works well. Please see the example below (before and after the NAT )

Re: Hide NAT of the FW external IP in VSX configuration

redcrow — Sun, 22 Mar 2020 18:17:19 GMT

Any other ideas?

Thanks,
Francesco

Re: Hide NAT of the FW external IP in VSX configuration

Maarten_Sjouw — Sun, 22 Mar 2020 21:42:13 GMT

What I'm missing here is the version you are running. Your second methos should work just fine, should not matter if it is VSX or not. What you should check though, after installing the policy, is if the NAT is showing a proxy arp for the IP by issueing in the VS context: fw ctl arp
Another small thingy, double check the Install on column, it shows a name there...

Re: Hide NAT of the FW external IP in VSX configuration

funkylicious — Mon, 23 Mar 2020 06:11:17 GMT

Hi,

Just a dumb question but, is there an ACL for the traffic to be permitted ? I mean the 443 traffic and not the ICMP.

Re: Hide NAT of the FW external IP in VSX configuration

redcrow — Mon, 23 Mar 2020 07:46:01 GMT

@Maarten_Sjouw: the VSX/Gateway version is 80.20, while the Server Management is running version 80.30.

After the installation, the command outputs "No Proxy ARP entries"

The "Install On" is set to the correct VS.

@funkylicious: I've just added an explicit rule as you suggested, but that traffic, I think, should be ensured by Implied Rules... anyway, nothing changed; please see the telnet/tcpdump screenshot above.

Re: Hide NAT of the FW external IP in VSX configuration

Maarten_Sjouw — Mon, 23 Mar 2020 07:51:48 GMT

Just a other question, why do you need the NAT from the VS itself? Normally all updates etc are done from VS0, so if you need anything to be able to go to the internet it would be VS0 not the VS itself.

Re: Hide NAT of the FW external IP in VSX configuration

redcrow — Mon, 23 Mar 2020 07:56:24 GMT

Since I'd like to enable advanced functionalities, for instance:

https://community.checkpoint.com/t5/VSX/Blocking-malicious-IP-addresses-sk103154-in-VSX/m-p/78768#M533

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk132193

Re: Hide NAT of the FW external IP in VSX configuration

Maarten_Sjouw — Mon, 23 Mar 2020 07:57:53 GMT

Then I would suggest opening a case with TAC