topic Re: NAT rules for DMZ object in Spark Firewall (SMB)

NAT rules for DMZ object

DekPlent — Wed, 02 Feb 2022 23:50:15 GMT

Hi All,

Whilst deploying pair of Checkpoint 1590 Appliances running R80.20 I noticed some strange behaviour which I have been unable to resolve

I am succesfully able to NAt source IPs for remote VPN sources for inbound traffic passing through to internal networks, as well as internal objects destined for remote IPSEC VPN networks but am struggling to NAT a network object defined in the DMZ leg heading inbound to internal networks. Something which I was able to do with R71 without any issue.

DMZ 192.168.230.x LAN7 172.17.x.x

----------------------- CHECKPOINT 1590 --------------------JUNIPER---- Router----172.22.x.x

So basically I'd like to NAT an object with has an IP of 192.168.230.20 to SNAT 192.168.230.10 when communicating hosts in 172.22

SO I have a manual NAT rule which does exactly that for 172.22.x.x destination . However, what ever I do , the traffic is not NATed if I tcpdump the LAN7 interface. I still see the traffic leave as 192.168.230.20 and not 192.168.230.10.

Additionally if I try to either hide behind the internet interface for outbound traffic with the option to SNAT behind internet Gateway or set a manual NAT for internet access, again this object's source IP is not NAT'ed. SO I was wondering are there any implicit rules or functions that treat traffic on the inbuilt predefined DMZ interface differently perhaps?

I have successfully managed to configure traffic from the internal 172.22.x.x to SNAT behind an IP on the LAN7 range en route to a remote host VPN ...

Is there something simple here that I am missing, are objects in the DMZ managed differently?

For completeness, I will try moving the 192.168.230.0/24 network to a normal LAN port when in the office again tomorrow

Thanks again for your assistance

regards

Dek

Re: NAT rules for DMZ object

Chris_Atkinson — Thu, 03 Feb 2022 01:20:45 GMT

Is this R80.20.35 build 2577 or other version and is it centrally managed?

Re: NAT rules for DMZ object

the_rock — Thu, 03 Feb 2022 01:27:00 GMT

From my knowledge, I don't believe nat rules for DMZ would be any different. If this is centrally managed appliance, you would do it same way in dashboard as before, however, if it is locally managed, its possible it would be a bit different, so you may want to confirm that with TAC smb team. Just curious though, if it is locally managed, what does nat rule you created look like...can you paste the screenshot here?

Andy

Re: NAT rules for DMZ object

DekPlent — Thu, 03 Feb 2022 08:53:42 GMT

Hi Chris,

It is locally managed and is build 2467. There is a story there too.. One of the two appliances wanted to go to 2577 and the other one would only see 2467 as the latest build when checking for updates. At the time also, I could only download 2467 as the latest build and so I could not manually upgrade the unit to 2577.

Re: NAT rules for DMZ object

DekPlent — Thu, 03 Feb 2022 17:42:48 GMT

Hi Andy,

I got into the office to find that there was a power outage at the site... Both 1590s are up and NOW the natting is working and there has been no change, which is highly unsatisfactory not knowing why it is now working.

I may add another host to see what happens when trying to SNAT again. Thanks for your time and Chris, sorry I have not been able to provide any more insight.

Regards

Dek

Re: NAT rules for DMZ object

DekPlent — Thu, 03 Feb 2022 23:18:39 GMT

Hi Chris, I may try build 2577. Are you using this currently?

Re: NAT rules for DMZ object

the_rock — Thu, 03 Feb 2022 23:56:40 GMT

All good brother...glad it's fixed!