topic Re: this is very urgent, need help with natting in Spark Firewall (SMB)

this is very urgent, need help with natting

kb1 — Fri, 03 Jan 2020 22:20:48 GMT

so im trying to nat traffic on my checkpoint 1100 appliance and unable to do so, no idea what mistake im making here, the ips that im using are 192.86.81.x,192.86.81.x,192.86.81.x and 192.86.81.x (4 of them), i was told that these ips should exist only on the firewall (so i created network host objects for each of these ips which im not sure of) , firewall has 2 interfaces lan5 and lan2 where the lan5 belongs to the unsecure network and the lan2 belongs to the secure network, so traffic flows into the lan5 interface from the gi0/1 interface of the router that it is connected to and is supposed (attaching a picture of a rough diagram of the network) to be natted to 10.169.x.x , 149.122.x.x, 149.122.x.x, 149.122.x.x respectively, now how do i accomplish this? i created an automatic rule for the 192.86.81.x ips where i specified the natted ips of 10.169.x.x , 149.122.x.x, etc accordingly (by double clicking the 192.86.x.x object i went into the nat part and chose static and specified the respective natted ips of 10.169.x.x , 149.122.x.x, etc) and then i published and installed the policy on the firewall, but when my co worker from the network team tries to ping say 192.86.81.x he does not receive any response, even when i try to ping these 192.86.81.x ips from the firewall itself i get no response, so what wrong am i doing here? so as you can see in the diagram above traffic is supposed to flow in from the up arrow into the router then into gi0/1 and then into lan5 of the firewall which is where its supposed to get natted and then go out out lan2 into gi0/2 of the router and upwards.

ive already configured routing and also configured the rules to allow any traffic flowing from gi0/1 into all the mentioned ips, so i know that its not because of some rule that is blocking the ping from gi0/1 of the router, since even i cannot ping the ips of 192.86.81.x from the firewall itself.

the ips of 10.169.x.x, 149.122.x.x, etc are all pingable since these are alredy up and running.

So need help urgently!!

Re: this is very urgent, need help with natting

PhoneBoy — Sat, 04 Jan 2020 02:24:52 GMT

If this is urgent you should involve the TAC.
The community does not have a specific SLA.

Are there routes for the different 10 and 149 networks on the SMB gateway?
What does a tcpdump show when you're testing the NAT?
Also we need versions of management and gateway code.

Re: this is very urgent, need help with natting

Maarten_Sjouw — Sat, 04 Jan 2020 07:55:58 GMT

To make sure the NAT is working you can type:
fw ctl arp
Also be aware that on LAN ports you cannot create a default route.
Is the route on the router setup correctly?

Re: this is very urgent, need help with natting

kb1 — Thu, 09 Jan 2020 17:58:08 GMT

so it turns out that there was a problem with the router configuration for the return traffic, upon asking the networking team about it i was told that there was no issues however upon doing a traceroute it was clear that there was a problem with the routing for the return traffic on a router, so eventually they did check it out properly and remade the routing for the router and everything is working fine now, thanks for replying anyways.