This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
mcmib
Explorer
‎2024-04-18 07:11 PM

CCSE Lab R81.20

Hi Bro,

 

I’m in the process of constructing a CCES Lab R81.20 and have encountered an unusual issue that has been perplexing me for the past two weeks.

According to the experimental topology, the eth1 port of a firewall, designated as A-GW, is linked to the eth0 port of a router named Border-Router. The router’s eth1 port provides a connection to the internet. The IP address assigned to A-GW’s eth1 port is 203.0.113.1, while Border-Router’s eth0 port is configured with the IP address 203.0.113.254.

At present, A-GW is able to ping Border-Router’s eth0 port successfully. However, it is unable to ping the IP address 8.8.8.8 or establish any internet connectivity. Interestingly, PCs within the same network segment have no issues accessing the internet. Oddly enough, altering A-GW and Border-Router's IP address to a different network segment, such as 10.10.10.0/24 or 203.0.140.0/24, without modifying any other settings, suddenly enables internet access for the firewall.

Could you suggest what might be causing this issue?

 

Thank you so much!

Labels
0 Kudos
2 Replies
Timothy_Hall
Legend Legend
Legend
‎2024-04-19 07:08 AM

For my ATC lab setups I just use Vyatta as the Border-Router which is very simple to set up with some static routing & masquerade NAT to permit Internet access.  Run a packet capture on the external interface of Border-Router, are the pings sent by the gateway actually leaving the outside interface of Border-Router?  (probably) Are they NATted correctly? (probably not)  For successful pings initiated from behind A-GW what NAT address are those networks hiding behind?  What happens if you hide them behind the gateway's 203.0.113.1 address instead? 

My guess is that you have left the Install On field of your NAT rules at "Any" and not confined them to a single gateway, and both A-GW and Border-Router are attempting to execute each other's NAT rules inappropriately.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos
(1)
mcmib
Explorer
‎2024-04-19 10:22 AM
In response to Timothy_Hall

Hello Timothy_Hall,

 

Thank you so much for your advice.

 

The issue has been resolved after deleting a NAT policy that generated automatically. 

 

Have a great weekend!

 

Thanks again! 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events