topic Re: NAT problem in General Topics

NAT problem

Phoenix — Sat, 06 Apr 2024 11:27:09 GMT

Hi.

I have two 3000 checkpoint firewall and two sites

Site A
LAN site A is 192.168.1.0/24 and default gateway is 192.168.1.254 with a interface on Checkpoint.
With the following
IPv4 static route 10.20.20.0/24 to 192.168.1.1

Its IPVPN so they both sides are Trunked on Cisco switch
Cisco switch does not have any IP route

Site B
LAN site B is 10.20.20.0/24 and default gateway 10.20.20.254 same config
With the following
IPv4 static route 192.168.1.0 to 10.20.20.1

I`m able to ping each default-gateway and the gateway of each jump.
But when I try to ping a client 10.20.20.x to 192.168.1.x they cant reach each other unless I create a route print.

I have tried several NAT configuration but not really sure what would be the right on on each side.

Thanks,

Re: NAT problem

_Val_ — Sun, 07 Apr 2024 13:23:27 GMT

Please provide a diagram and mention versions in use

Re: NAT problem

the_rock — Sun, 07 Apr 2024 14:53:41 GMT

I second what Val said. If you send us basic diagram (paint would do as well), it would give us better idea, so we can help you more.

Best,

Andy

Re: NAT problem

Phoenix — Mon, 08 Apr 2024 08:30:02 GMT

R81.20 and R80.30

Re: NAT problem

emmap — Mon, 08 Apr 2024 08:48:46 GMT

Check your logs, I bet you'll see lots of out-of-state drops. If you do, the issue is asymmetric routing. Your C2S packets go from the client to their local gateway and over to the server via the Cisco devices, then the S2C packet goes to the server local gateway that never saw the C2S packet, hence doesn't have the connection in its tables and is dropping it.

If that's the case, I suggest that the IPVPN be moved to dedicated interfaces/subnets rather than sharing the client subnet, so all packets must traverse both gateways in both directions.

Re: NAT problem

Phoenix — Mon, 08 Apr 2024 09:07:21 GMT

Forget the IPVPN, that was my mistake. its just Layer 3 Routing, Im able to ping when i do static route on the computers on each side. I dont see any drop of packets i can see when i ping each side of the firewalls

Re: NAT problem

Phoenix — Mon, 08 Apr 2024 10:55:56 GMT

Dont wanna change the LAYER 3 routing, is there a way for me to do this simple? I cant have static routes on every hosts.

Re: NAT problem

the_rock — Mon, 08 Apr 2024 11:07:38 GMT

I have a suggestion...run ip r g command when it works and when it does not and compare.

if dst is 10.10.10.10, just run from expert ip r g 10.10.10.10

Andy

Re: NAT problem

Phoenix — Mon, 08 Apr 2024 12:15:41 GMT

I should work with the right NAT configuration right?

Re: NAT problem

the_rock — Mon, 08 Apr 2024 12:19:29 GMT

Thats always been key IT word...SHOULD lol. Yes, it should work, agree, but if it does not, maybe if you can send how you configure the NAT, we can verify.

Andy

Re: NAT problem

Phoenix — Mon, 08 Apr 2024 13:01:32 GMT

Site A

src. dst. trans-src. trans-dst.
192.168.1.0/24 10.20.20.0/24 Original 10.20.20.254 - static
10.20.20.0/24 192.168.1.0/24 10.20.20.254-static Original

Site B
sr. dst. trans-src trans-dst
10.20.20.0/24 192.186.1.0/24 Orginal 192.168.1.254 - static
192.168.1.0/24 10.20.20.0/24 192.168.1.254-static Orignal

Re: NAT problem

the_rock — Tue, 09 Apr 2024 02:17:49 GMT

Just to give quick update on this, @Phoenix and I did remote session today and I am also fairly sure something with nat rule is missing here, so once thats sorted out, Im positive it will work.

Let me know when you are free Tuesday and we can do another zoom.

Best,

Andy

Re: NAT problem

Phoenix — Tue, 09 Apr 2024 12:02:19 GMT

Unable to do that right now, whats the best workaround?

Re: NAT problem

the_rock — Tue, 09 Apr 2024 13:28:50 GMT

Ah, ok, I see what we missed yesterday, good job!

Andy

Re: NAT problem

emmap — Tue, 09 Apr 2024 15:02:11 GMT

You can potentially kludge it by configuring on the site A gateway a hideNAT for site A subnet behind the site A gateway for traffic to site B and vice-versa.

Re: NAT problem

the_rock — Tue, 09 Apr 2024 16:01:50 GMT

That may work.