topic Re: NAT with two ISP lines in General Topics

NAT with two ISP lines

madu1 — Mon, 15 Jul 2024 10:35:51 GMT

I've just added a new/second ISP line to my gateway and made this my primary ISP line. ISP Redundancy is configured.

LAN traffic to the Internet leaves via the default gateway of ISP line 1 - the new line. All good.

I still have a load of servers with static NAT on what is now the secondary ISP line. These no longer work. Tcpdump shows traffic arriving from the Internet via ISP line 2, but return traffic routes out via the default gateway on ISP 1. Asymmetric routing...

How do I get this traffic to return via the interface it arrived on - back via ISP 2?

I've got other gateways with the same dual ISP configuration, and they work fine. Return traffic goes back out via the interface from which it arrived. But not this gateway. Any ideas why not and how to fix it?

Re: NAT with two ISP lines

Chris_Atkinson — Mon, 15 Jul 2024 12:17:19 GMT

Are all the gateways on a common version & JHF level?

Re: NAT with two ISP lines

madu1 — Mon, 15 Jul 2024 12:20:24 GMT

Hi Chris,

Yeah, R81.20 Take 26 (cluster).

Re: NAT with two ISP lines

the_rock — Mon, 15 Jul 2024 12:48:58 GMT

Do you have simple diagram?

Andy

Re: NAT with two ISP lines

PhoneBoy — Mon, 15 Jul 2024 20:38:42 GMT

So they're all Check Point gateways and one set of them is having an issue?

Re: NAT with two ISP lines

Lesley — Mon, 15 Jul 2024 20:43:25 GMT

This will give guidance I suspect:

https://support.checkpoint.com/results/sk/sk25152

Re: NAT with two ISP lines

madu1 — Tue, 16 Jul 2024 07:19:41 GMT

I think just ignore the line where I said I have other gateways... I was simply saying here to compare to other cases with dual ISP where I can still access the NAT address on the second/standby line with no problem - but it's not working on this particular gateway.

This of this case evolution as:

I have a single gateway with a single ISP line. (ISP-A)
Static NAT assigned to an internal host - from the ISP-A subnet.
Then I add an additional ISP line - ISP-B.
I make ISP-B the "primary" Internet circuit and change the Default Gateway on the firewall to use ISP-B.
I configure ISP Redundancy in HA mode, with ISP-B at the top of the list.
Once I do that, people on the Internet can no longer access the server via the NAT on ISP-A. Tcpdump shows traffic coming in on the ISP-A interface, getting to the internal host, but then returning via ISP-B and the connection doesn't work.
SYN in through one interface... SYN-ACK back via a different interface. Asymmetric routing.

So my question was how can I keep things working when it has a static NAT on the other ISP line?

Or in other words - how can I make inbound traffic arriving on the ISP-A interface also return out of the ISP-A interface so I don't get asymmetric routing?

Re: NAT with two ISP lines

madu1 — Tue, 16 Jul 2024 07:31:58 GMT

Thanks @Lesley. This seems interesting but I suspect it isn't what I need. I think my issue relates to getting return/reply traffic back out of the interface it arrived at. My interpretation of that SK is for packets initiated from the LAN outbound. In my case packets are initiated from the Internet inbound, which arrive fine, but the reply traffic leaves from a different interface.

So SYN comes into ISP-A on eth0, but the SYN-ACK leaves via eth1 (the new ISP line, and new Default Gateway). How do I get the SYN-ACK to return via eth0 instead, to avoid asymmetric routing?

I'm assuming that's my issue here because once the default gateway is set to ISP-B, none of the NAT's on ISP-A work any more. If I add a static route to my Internet test machine via ISP-A then I can access everything normally again. So it seems stateful reply traffic is following the routing table and breaking the connections. While ISP-B is default, I simply need a way to still be able to access NAT's on ISP-A.

Maybe if I hide NAT behind the ISP-A interface IP on the way in that would work? It's horribly messy, but worth a try.

Re: NAT with two ISP lines

Lesley — Tue, 16 Jul 2024 13:02:57 GMT

Hmmm could it be it is because the setup is in HA mode? Instead of 50/50?

Maybe check this out, many tips there to verify:

https://support.checkpoint.com/results/sk/sk61692

If you are running load-sharing:

https://support.checkpoint.com/results/sk/sk34812

Hide NAT should be configured. Every connection without Hide Address Translation will not be included in the ISP Redundancy routing and go through the default primary gateway.

Re: NAT with two ISP lines

CheckPointerXL — Sun, 28 Jul 2024 12:39:04 GMT

Did you try to configure a PBR for the internal host natted on isp A?

Re: NAT with two ISP lines

madu1 — Thu, 08 Aug 2024 08:36:51 GMT

So the answer turned out to be easy, and was completely my error.

It requires correct ISP Redundancy config. I'd forgotten to put the new ISP line into ISP Redundancy, so the firewall had no route out of that new interface, hence just resorting to the default route out of the wrong interface. Once this was entered everything immediately worked 🙂

Re: NAT with two ISP lines

the_rock — Thu, 08 Aug 2024 11:51:35 GMT

Good job @madu1