siddu099
Contributor

SSL VPN WITH STATICALLY NATED IP

Dear Team,

I am trying to configure SSL VPN on the Check Point gateway using a statically NATed public IP, but I am unable to access the SSL VPN portal page.

The external interface (eth0) is configured with IP 18.19.20.1/28. Since this IP cannot be used directly for SSL VPN, I have selected another available IP from the same subnet (18.19.20.5) and configured static NAT for it.

However, I am still unable to reach the SSL VPN page using the NATed IP.

Could you please suggest what additional checks or configurations need to be verified from my end?

 

Thanks

Siddu

0 Kudos
3 Replies
Martijn
MVP

Hi,

Did you configure proxy ARP for the new static NAT IP?

What does the log show? Can you show us what you have configured?
Have you performed a check with 'fw monitor' or 'tcpdump' to see what is going on?

Martijn

0 Kudos
siddu099
Contributor

Hi Martijn,

We added the proxy ARP.

tcpdump -i eth0 host 45.18.30.4 and port 443 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:39:21.042432 IP 45.18.30.4.10436 > 18.19.20.5.443: Flags [SEW], seq 3679793726, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:39:21.049128 IP 45.18.30.4.10437 > 18.19.20.5.443: Flags [SEW], seq 116248886, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:39:21.295609 IP 45.18.30.4.10438 > 18.19.20.5.443: Flags [SEW], seq 3623247912, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:39:24.042378 IP 45.18.30.4.10436 > 18.19.20.5.443: Flags [SEW], seq 3679793726, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:39:24.048657 IP 45.18.30.4.10437 > 18.19.20.5.443: Flags [SEW], seq 116248886, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:39:24.295722 IP 45.18.30.4.10438 > 18.19.20.5.443: Flags [SEW], seq 3623247912, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:39:30.041656 IP 45.18.30.4.10436 > 18.19.20.5.443: Flags [S], seq 3679793726, win 8192, options [mss 1460,nop,nop,sackOK], length 0
11:39:30.048135 IP 45.18.30.4.10437 > 18.19.20.5.443: Flags [S], seq 116248886, win 8192, options [mss 1460,nop,nop,sackOK], length 0
11:39:30.295105 IP 45.18.30.4.10438 > 18.19.20.5.443: Flags [S], seq 3623247912, win 8192, options [mss 1460,nop,nop,sackOK], length 0
11:39:39.322900 IP 45.18.30.4.10439 > 18.19.20.5.443: Flags [SEW], seq 372606881, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:39:39.552212 IP 45.18.30.4.10440 > 18.19.20.5.443: Flags [SEW], seq 1330313550, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:39:42.322018 IP 45.18.30.4.10439 > 18.19.20.5.443: Flags [SEW], seq 372606881, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:39:42.552395 IP 45.18.30.4.10440 > 18.19.20.5.443: Flags [SEW], seq 1330313550, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:39:48.322244 IP 45.18.30.4.10439 > 18.19.20.5.443: Flags [S], seq 372606881, win 8192, options [mss 1460,nop,nop,sackOK], length 0
11:39:48.553833 IP 45.18.30.4.10440 > 18.19.20.5.443: Flags [S], seq 1330313550, win 8192, options [mss 1460,nop,nop,sackOK], length 0

0 Kudos
Martijn
MVP

So the traffic is reaching the gateway.

What do you see in the Check Point logs? Any drops?

What is your NAT configuration? Can you share a screenshot?
Do you see NAT is applied in the logs?

Martijn

0 Kudos
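An added example, not part of the thread and not Check Point code: a small parser for tcpdump text output that groups SYNs per connection and reports retransmissions and whether a SYN-ACK was ever captured, which is the pattern behind "the traffic is reaching the gateway" above. The first three sample lines are copied from the capture in the thread; the last two are a constructed, answered handshake using documentation addresses, and the name `summarize_syns` is an assumption.

```python
import re
from collections import defaultdict

# First three lines: copied from the capture in the thread (one unanswered flow).
# Last two lines: constructed answered handshake, documentation addresses only.
SAMPLE = """\
11:39:21.042432 IP 45.18.30.4.10436 > 18.19.20.5.443: Flags [SEW], seq 3679793726, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:39:24.042378 IP 45.18.30.4.10436 > 18.19.20.5.443: Flags [SEW], seq 3679793726, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:39:30.041656 IP 45.18.30.4.10436 > 18.19.20.5.443: Flags [S], seq 3679793726, win 8192, options [mss 1460,nop,nop,sackOK], length 0
11:40:00.000000 IP 198.51.100.7.50000 > 192.0.2.10.443: Flags [S], seq 1000, win 64240, options [mss 1460], length 0
11:40:00.000400 IP 192.0.2.10.443 > 198.51.100.7.50000: Flags [S.], seq 2000, ack 1001, win 65160, options [mss 1460], length 0
"""

LINE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\], seq (\d+)")

def summarize_syns(text):
    """Group client SYNs per connection and report whether a SYN-ACK came back."""
    syns = defaultdict(list)   # (client, cport, server, sport) -> [(time, flags)]
    answered = set()           # connections for which a SYN-ACK was captured
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        h, mi, s, src, sp, dst, dp, flags, _seq = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + float(s)
        if "S" in flags and "." in flags:   # "S." is SYN-ACK, server -> client
            answered.add((dst, dp, src, sp))
        elif "S" in flags:                  # SYN; E and W are the ECE/CWR bits
            syns[(src, sp, dst, dp)].append((t, flags))
    report = []
    for key, seen in syns.items():
        times = [t for t, _ in seen]
        report.append({
            "flow": "%s:%s -> %s:%s" % key,
            "attempts": len(seen),          # more than 1 means retransmitted SYNs
            "gaps": [round(b - a, 1) for a, b in zip(times, times[1:])],
            "flags": [f for _, f in seen],  # SEW -> S: client retried without ECN
            "answered": key in answered,
        })
    return report

if __name__ == "__main__":
    for r in summarize_syns(SAMPLE):
        print(r)
```

A flow with several attempts and `answered` set to False means the SYNs arrived on the captured interface but nothing replied there, so the next place to look is the gateway's own logs and NAT handling rather than upstream routing.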
