Solved: Web servers with port is not accessible from inter...

yeruel · ‎2025-01-14

Hi checkmate,

We have created rules for both NAT and Policy to be accessible from Internet for our website with ports.

It is http not https!

I created rule NAT

1. Source: any, Destination: public IP (197.156.96.168), original service :8040, destination translation: 172.20.50.107.

Policy rule

2. Source: any, destination: 197.156.96.168, service :8040

3. Server didn't have internet access.

How can I solve to accessible the web from Internet users.

yeruel · ‎2025-01-14

Hi Andy,

ARP already done before the issue raised.

By the way, it works everything after you gave us suggestion for this issue, as you said the traffic from the servers was not coming back. We checked the routing, and finally the internal Cisco firewall was the reason. So we create rule from internal Cisco firewall firewall to pass traffic from servers to checkpoint firewall. Now all websites are working.

I would like to thank you for your kind assist via zoom link.

The last remaining is the VPN client routing issue as you knew.

1. After VPN client connected, their local printing to their home is not working.

2. After VPN client connected, their own local internet is disconnected.

I hope I will try to fix it by today and handover it.

View solution in original post

Chris_Atkinson · ‎2025-01-14

Attempting access currently yields a HTTP 502 error rather than a typical unreachable / unresponsive (implying the issue could be elsewhere)?

Regardless double check:

- Hide vs Static NAT

- Translated Service

- Proxy ARP

- Routing

CCSM R77/R80/ELITE

yeruel · ‎2025-01-14

It is not reachable! Please can youb assist via zoom link.

Lesley · ‎2025-01-14

Do you see the traffic in the firewall logs?

Search for dst:197.156.96.168

If yes, open log entry and see if NAT is working.

If no, tcpdump -nni any host 197.156.96.168 on CLI (active firewall) check if you see arp request there.

who has 197.156.96.168 tell X

If FW does not reply, proxy arp is not in place.

Also cannot resolve domein.

nslookup bira.gov.et
Server: router.domain_not_set.invalid
*** router.domain_not_set.invalid can't find bira.gov.et: Non-existent domain

-------
Please press "Accept as Solution" if my post solved it 🙂

AlekzNet · ‎2025-01-14

Indeed, it's not in DNS...

$ dig @1.1.1.1 bira.gov.et

; <<>> DiG 9.20.0-2ubuntu3-Ubuntu <<>> @1.1.1.1 bira.gov.et
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24783
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;bira.gov.et. IN A

;; AUTHORITY SECTION:
gov.et. 3600 IN SOA a.nic.et. postmaster.ethionet.et. 2018158642 600 1800 1209600 3600

;; Query time: 299 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Tue Jan 14 22:41:50 CET 2025
;; MSG SIZE rcvd: 102

https://dns.squish.net/

Summary
100% resulted in an error

Results
50.0% No such domain (NXDOMAIN) at a.nic.et (197.156.74.192)
50.0% No such domain (NXDOMAIN) at b.nic.et (197.156.74.193)

the_rock · ‎2025-01-14

Never knew of that command before...learn something new every day 🙂

Thanks @AlekzNet

👌👍

Best,
Andy
"Have a great day and if its not, change it"

AlekzNet · ‎2025-01-14

Yeah, dig is quite a powerful command, though, usually I still prefer nslookup, even with all those "set q=a", "set q=ns", "set server ...", etc commands 😄 For all other cases - https://dns.squish.net/

the_rock · ‎2025-01-14

Very good, thank you!!

Andy

Best,
Andy
"Have a great day and if its not, change it"

the_rock · ‎2025-01-14

Just to update quick, we also checked this issue via remote and even after changing the port to any, fw up_execute shows access is allowed, but still fails. NAT rule appears 100% correct and it does show almost 300 hits. Advised to run fw monitor -F to see what is happening with the packet.

Andy

Best,
Andy
"Have a great day and if its not, change it"

the_rock · ‎2025-01-14

@yeruel

I would double check below sk since @Chris_Atkinson mentioned proxy arp.

Andy

https://support.checkpoint.com/results/sk/sk30197

Best,
Andy
"Have a great day and if its not, change it"

yeruel · ‎2025-01-14

Hi Andy,

ARP already done before the issue raised.

By the way, it works everything after you gave us suggestion for this issue, as you said the traffic from the servers was not coming back. We checked the routing, and finally the internal Cisco firewall was the reason. So we create rule from internal Cisco firewall firewall to pass traffic from servers to checkpoint firewall. Now all websites are working.

I would like to thank you for your kind assist via zoom link.

The last remaining is the VPN client routing issue as you knew.

1. After VPN client connected, their local printing to their home is not working.

2. After VPN client connected, their own local internet is disconnected.

I hope I will try to fix it by today and handover it.

the_rock · ‎2025-01-14

Great job!! Lets do another remote early morning my time Wednesday for remote access issue, will message you then.

Andy

Best,
Andy
"Have a great day and if its not, change it"

Are you a member of CheckMates?

Web servers with port is not accessible from internet