Wang
Collaborator

ISP redundancy configuration in primary/backup mode, link switching will result in NAT mapping error

Hi engineers, I have a problem. When ISP Redundancy is configured in primary/backup mode and I switch the link to the backup link, the NAT mapping address is still the public address of the primary link, not the public address of the backup link. When I change the network address Hide to the Gateway and switch the main link to the backup link, there is no NAT mapping error.

(Attached screenshots: 1.png, 2.png, 3.png, 4.png, 5.png, 6.png)

4 Replies
mdjmcnally
Advisor

With ISP Redundancy, if you want it to work, all of the Hide NAT should be configured as Hide Behind Gateway.

 

I believe from your update

"When I change the Network address Hide to the Gateway and the main link to the backup link, there is no NAT mapping error."

that you have specified an IP address to Hide behind when you have the issue?

This is an incorrect configuration. If you configure the IP of the Primary Link, that setting is NOT updated by the ISP Redundancy and so it will continue to NAT traffic with the IP configured.

ALL Hide NAT needs to be configured as Hide Behind Gateway for it to work with the ISP Redundancy, in which case, as you see, it will start to NAT with the Backup Link IP of the Gateway after failover.

http://supportcontent.checkpoint.com/documentation_download?id=12314

How to configure ISP Redundancy - Does seem to be very slow

 

 

Wang
Collaborator

"With ISP Redundancy, if I want it to work, all of the Hide NAT should be configured as Hide Behind Gateway."

If I manually configure static NAT, and the backup link NAT rules have lower priority, then when switching to the backup link, Intranet-to-external traffic will not match the lower-priority backup link NAT rules but will match the higher-priority NAT rules, so the mapped address is the address in the higher-priority NAT rules. Is that right?
Wang
Collaborator

For example, if I manually configure the static NAT rules this way, then when switching from the main link to the backup link, the address that internal traffic accessing the external network is mapped to will always be the address in the first NAT rule. Is that right?

Can't static NAT be configured manually? I can only hide the Intranet address behind the gateway, is that right?

(Attached screenshot: 4.png)

mdjmcnally
Advisor

That is correct, as that will be the first NAT rule that is matched in terms of Source and Destination.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

It covers how to do Static NAT using Dynamic Objects to represent the ISP.

Static NAT ALWAYS goes out over the first ISP in a Load Sharing setup, so it is effectively Primary/Backup anyway.

 

However, it is problematic at best and unreliable.

I would only use ISP Redundancy where you are not publishing Services, i.e. you don't need to do any Static 1:1 NAT.

If you need the resilience, it is better to go with an external solution that can do the routing.

I was really hoping that with R80 code they would have got rid of it, as it isn't reliable enough in my experience (including working with TAC), so it either needs removing or needs some actual work doing to make it work reliably.
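The two points made across this thread (a Hide NAT configured with the primary link's fixed IP is never rewritten on failover, and a manually ordered pair of static NAT rules always hits the first one because the NAT rulebase is first-match) can be reproduced with a small model of an ordered NAT rulebase. The following is an added example written for this page, not Check Point code and not from any poster: the link names `isp_primary`/`isp_backup`, the RFC 5737 addresses, the internal network and the `GATEWAY` sentinel are all constructed for illustration.

```python
# Added example, not from the thread or from Check Point: a toy first-match
# NAT rulebase showing why a fixed hide address survives an ISP failover
# unchanged while "Hide Behind Gateway" follows the active link.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed gateway state (assumed addresses from RFC 5737 documentation ranges).
LINK_ADDRESSES = {
    "isp_primary": IPv4Address("198.51.100.10"),
    "isp_backup": IPv4Address("203.0.113.10"),
}

# Sentinel meaning "translate to whichever gateway address the packet leaves on",
# i.e. the Hide Behind Gateway setting rather than a configured IP (assumption).
GATEWAY = "gateway"


@dataclass(frozen=True)
class NatRule:
    original_source: IPv4Network   # internal hosts this rule applies to
    translated_source: str         # fixed IP string, or the GATEWAY sentinel


def active_link(primary_up: bool) -> str:
    """Primary/backup mode: the backup link is used only while the primary is down."""
    return "isp_primary" if primary_up else "isp_backup"


def translate_source(rules: List[NatRule], src: str,
                     primary_up: bool) -> Tuple[Optional[int], str]:
    """Walk the rulebase top-down; the first rule whose original source matches
    decides the translation, as an ordered NAT rulebase does.
    Returns (index of the matched rule or None, source address after NAT)."""
    packet_src = ip_address(src)
    link = active_link(primary_up)
    for index, rule in enumerate(rules):
        if packet_src not in rule.original_source:
            continue
        if rule.translated_source == GATEWAY:
            # Resolved at translation time from the egress link, so it changes on failover.
            return index, str(LINK_ADDRESSES[link])
        # A configured address is static: the failover logic never rewrites it.
        return index, rule.translated_source
    return None, src  # no rule matched: packet leaves untranslated


def follows_failover(rules: List[NatRule], src: str) -> bool:
    """True when the NATed address differs between primary-up and primary-down,
    i.e. traffic would leave the backup link with the backup link's address."""
    _, on_primary = translate_source(rules, src, primary_up=True)
    _, on_backup = translate_source(rules, src, primary_up=False)
    return on_primary != on_backup


# Misconfiguration from the original post: hide behind the primary link's own IP.
HIDE_BEHIND_PRIMARY_IP = [NatRule(ip_network("10.0.0.0/24"), "198.51.100.10")]

# Corrected configuration: Hide Behind Gateway.
HIDE_BEHIND_GATEWAY = [NatRule(ip_network("10.0.0.0/24"), GATEWAY)]

# Two manual static NAT rules for one server, primary-link rule above the backup-link rule.
MANUAL_STATIC = [
    NatRule(ip_network("10.0.0.5/32"), "198.51.100.20"),  # primary link public IP
    NatRule(ip_network("10.0.0.5/32"), "203.0.113.20"),   # backup link public IP, never reached
]

if __name__ == "__main__":
    host = "10.0.0.5"
    for name, rules in [("hide behind primary IP", HIDE_BEHIND_PRIMARY_IP),
                        ("hide behind gateway", HIDE_BEHIND_GATEWAY),
                        ("manual static NAT", MANUAL_STATIC)]:
        print(name,
              "primary up:", translate_source(rules, host, True),
              "primary down:", translate_source(rules, host, False),
              "follows failover:", follows_failover(rules, host))
```

Running it shows the three outcomes discussed above: the fixed hide address and the two-rule static NAT both keep emitting the primary link's address after failover, and only the gateway-resolved rule switches to the backup address. The model deliberately ignores ports and destination matching; only the source-address choice is what the thread is about.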

 
