topic Re: Inbound NAT using FQDN in header rather than the IP? in General Topics

Inbound NAT using FQDN in header rather than the IP?

RCCO — Wed, 10 Mar 2021 16:40:13 GMT

Hi,

I have a load balanced set of Exchange servers in my network. I have a manual NAT on the perimeter cluster to publish just one of the servers to the internet. (I had to use this method, and a proxy ARP, otherwise something else broke in the traffic path when between the servers and another network - long story)

We currently have a need to only NAT to Server#1 and NOT the load balancer IP, but this is used internally. We seem to be getting inbound, external SSL traffic flows to the LB and not Server#1 despite the Firewall logs clearly showing that the traffic was being natted to Server#1.

Internal DNS for mail.company.com uses the LB address and an NSlookup on the FWs resolves mail.company.com to the LB address.

Is there any way that incoming SSL traffic would be looked-up by the FW and sent to the LB, rather than just following the NAT?

What role is DNS playing in this? if any?

Thanks for your help.

Re: Inbound NAT using FQDN in header rather than the IP?

_Val_ — Wed, 10 Mar 2021 20:51:57 GMT

Not possible at the moment. If it si critical, open an RFE, or contact your local office

Re: Inbound NAT using FQDN in header rather than the IP?

PhoneBoy — Thu, 11 Mar 2021 20:05:27 GMT

NAT is based on IP not DNS.
There is a little-known DNS NAT feature, but it’s not clear if it’s relevant in this case: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk34295&partition=Basic&product=Quantum

Re: Inbound NAT using FQDN in header rather than the IP?

Vincent_Bacher — Thu, 11 Mar 2021 20:31:26 GMT

Don't know if I got you correctly. If not, I am sorry.

When you want the gateway to resolve the real ip of the server, what's about using /etc/hosts?

hostname> set host name HOSTNAME ipv4-address

hostname> save config

Don't know if that works but I'd try in case of no of the mates replies that I am writing nonsense 🙂

Re: Inbound NAT using FQDN in header rather than the IP?

RCCO — Fri, 12 Mar 2021 07:55:00 GMT

Thanks for your help everyone. It turns out that the problem was one of the Exchange servers bouncing the request back upwards to the Load Balancers and then onwards to the other servers. So the network was being blamed for nothing and 2 days of my life were wasted while proving this....