This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Krishna
Participant
‎2019-06-17 09:09 AM

The NAT issue on CP firewall deployed in the Azure

We have built tunnel between the CP firewall (FW1) in Azure and CP firewall(FW2) in On-Primese.

The FW1 is a cluster and has two gateways in it. IP of gateway 1 is 10.10.10.4, IP of gateway 2 is 10.10.10.5 and IP of Cluster is 10.10.10.6. Gateway 1 is active

The tunnel initiation traffic/Phase 1 traffic is sent by the FW2 from port 500 to port 500 of FW 1.

We have done packet capture on the gateway 1 of FW1 and found that the the FW1 is receiving the traffic on cluster IP sent by the FW2, both source and destination ports are 500.

The gateway1 of the FW1 is replying to the FW2 from port 500 to port 500 of FW2

In the next packet while the gateway 1 IP is getting translated to the cluster IP i.e, from 10.10.10.4 to 10.10.10.6 the source port is also getting translated from port 500 to random port. Below are the logs collected from gateway 1

[vs_0][fw_0] eth0:o[180]: X.X.X.X -> 10.10.10.6 (UDP) len=180 id=20396
UDP: 500 -> 500
[vs_0][fw_0] eth0:o[180]: 10.10.10.4 -> X.X.X.X (UDP) len=180 id=10087
UDP: 500 -> 500
[vs_0][fw_0] eth0:O[180]: 10.10.10.6 -> X.X.X.X (UDP) len=180 id=10087
UDP: 12410 -> 500

 

 

Due to this the phase 1 of the tunnel is not getting established and the tunnel is not forming. Kindly provide a solution to this.

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2019-06-17 09:39 PM

Curious what evidence you have to suggest this change of port is causing the issue?
What do logs or VPN debugs say?
0 Kudos
Krishna
Participant
‎2019-06-17 10:40 PM
In response to PhoneBoy

The Phase 1 packets for the tunnel is exchanged between ports 500 or 4500 on both the ends, as the port is getting changed the other than these two , other end firewall will ignore/ drop the phase 1 traffic.
0 Kudos
Krishna
Participant
‎2019-07-15 02:56 AM

The issue got resolved after no NAT rule is created for the cluster IP. Below is the no NAT rule added.

Original Source: Cluster IP.
Original Destination : Any
Original port: IKE

Translated Source: Cluster IP
Translated destination : Original
Translated Port : Original
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events