Hi,
We have a ClusterXL that runs on R82. Can I implement an inbound NAT to a server in DMZ using a GW public IP address? The server should be accessible from the internet.
I've tried creating a NAT rule with the following parameters, but unfortunately it didn't work. I can see the logs in the CP:
Original source: any
Original destination: the public IP address of the GW
Original Service: ServiceX
Translated Source: Original
Translated destination: the server private IP address
Translated Service: Original
Does anybody know for sure if such a NAT with a GW IP address would work? If so, what should I do to get it to work?
-------------------------
## ADDITIONAL INFO:
The firewalls are set up on ClusterXL, where GW-1 has an IP address, GW-2 has another IP address, and the cluster (VIP) has its own IP.
The policy rule allows traffic from any source to the GW's IP address with the specific destination port.
What's the reason for this?
Were you thinking about Layer-2 bridge mode?
You can do this and it will work, as long as your Original Service isn't something the gateway reserves for itself, such as ssh, https, IKE, like that.
I confirm what @emmap wrote. Did you try to perform a tcpdump/fw monitor on the firewall to see if the connection goes through the firewall correctly and it receives replies?
I just did a tcpdump on the internet-facing interface and the one towards the server. The traffic is passing through these 2 interfaces from the correct source to the server's real IP address (the original private IP address).
Hi,
Also make sure the allow rule for this traffic is located above any stealth rule.
Martijn
It would be interesting to see the relevant log entry for a request, to understand what happens.
You did not state whether the connection attempt is dropped, or accepted and NAT not applied, or whatever.
Correction! The NAT rule is seen in the logs. I was mistaken the first time.
The connection is accepted. I don't think that I can see a log for the NAT rule. The logs for the accepted policy rule don't show any NATing involved.
You have to see the NAT applied and also the NAT rule within the logs; if there is no NAT information, then the NAT is not applied for some reason to the traffic.
If you want, you could share screenshots of the configuration to better understand.
Just a question, did you try to check with `fw ctl zdebug + drop | grep <source ip address>`?
Exactly. Without insight to the NAT rulebase it's hard to understand why NAT is not performed as expected.
Sorry! The NAT rule is seen in the logs, I was mistaken.
There's no drop for the source nor the destination.
Hi,
Is the internal server directly connected to a firewall subnet or behind an internal router? If so, is routing and anti-spoofing configured correctly?
You said you performed a tcpdump / fw monitor but it did not work. What did not work? The NATed connection or creating a tcpdump output?
The connection is accepted according to the logs. Did you verify with a tcpdump on the external interface?
You should see the traffic on the internal interface as well.
Is there by mistake a no NAT rule at the top of the NAT rule base?
Martijn
The L3 interface is on the Check Point cluster. The server's GW is the cluster IP (VIP).
TCPdump shows the traffic passing by from the internet facing interface (external interface) and going through the internal interface.
The NAT rule seems to be correct. I've tried using the IP address of GW-1 and then the IP address of GW-2.
Should I use the IP address of the cluster IP (VIP)?
You should always use the VIP when it comes to gateway clusters, or the cluster object itself if relevant.
If the traffic is getting to the gateway and is being NAT'd and forwarded on to the server but then the server is not replying, then you need to investigate what the server is doing with the packets.
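One way to triage the log entries the replies above keep asking for, as an added example that is not from this thread or from Check Point: it parses constructed key=value log records and flags the two points discussed, traffic published on a member IP instead of the cluster VIP, and an accepted connection whose log carries no translated destination. The field names `xlatedst` and `nat_rulenum`, and all addresses, are assumptions.

```python
import re

# Assumed cluster layout and NAT target (constructed placeholders, not the
# addresses from the thread).
CLUSTER_VIP = "203.0.113.10"
MEMBER_IPS = {"203.0.113.11", "203.0.113.12"}
SERVER_IP = "10.1.1.20"

# Constructed sample records in a Check Point key=value export style. The NAT
# fields xlatedst / nat_rulenum are assumed names; adjust to your log exporter.
SAMPLE_LOGS = [
    'action="Accept" src="198.51.100.7" dst="203.0.113.11" service="8443" rule="12"',
    'action="Accept" src="198.51.100.7" dst="203.0.113.10" service="8443" rule="12" '
    'xlatedst="10.1.1.20" nat_rulenum="3"',
    'action="Drop" src="198.51.100.9" dst="203.0.113.10" service="8443" rule="2"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_record(line):
    """Turn one key="value" log line into a dict."""
    return dict(FIELD_RE.findall(line))


def diagnose(record):
    """Return findings for one record, following the checks raised in the thread."""
    findings = []
    if record.get("action") != "Accept":
        findings.append("dropped: check the access rule sits above any stealth rule")
        return findings
    if record.get("dst") in MEMBER_IPS:
        findings.append("destination is a member IP, not the cluster VIP")
    if "xlatedst" not in record:
        # Accepted but no translation logged: the NAT rule did not match.
        findings.append("no translated destination logged: NAT rule did not match")
    elif record["xlatedst"] != SERVER_IP:
        findings.append(f"translated to {record['xlatedst']}, expected {SERVER_IP}")
    return findings


def diagnose_all(lines):
    return [diagnose(parse_record(line)) for line in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LOGS, diagnose_all(SAMPLE_LOGS)):
        print(line.split()[2], result or "ok")
```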