This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
kingdavid_akubu
Participant
‎2018-10-14 03:07 AM
Jump to solution

NAT Issues

Dear Checkmates, I did static NAT and the required policy to reach a web server in my Network but i still cant reach the webserver.

I ran a zedebug command and the following popped up:

"dropped by fwpslglue_chain Reason: PSL Reject: ASPII_MT"

Please How can i fix this?

1 Solution

Accepted Solutions
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2018-10-14 04:33 AM
Jump to solution

I think it is not an NAT issue. It is a PSL issue in combination with NAT. Behaviour may be inconsistent for NAT destinations on different internal interfaces, in that return traffic from some servers may appear to pass correctly, but return traffic through a different interface may be dropped.

Solution:

The following workaround is available:
Create a new host object that uses the Static NAT address as the main address and use it in the rulebase.

Do not configure any interface topologies which overlap if any of the overlapping interfaces have "Interface leads to DMZ" checked.

Alternately, this issue should only be possible when using Application Control Whitelist.

See sk112249 - Best Practices - Application Control, section regarding Blacklist VS Whitelist

For more informations see SK:

Application Control/URL Filtering drops traffic from internal web server 

The following SK is also possible:

"Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings" error in Internet Explorer browser for ... 

Regards,

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

3 Replies
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2018-10-14 04:33 AM
Jump to solution

I think it is not an NAT issue. It is a PSL issue in combination with NAT. Behaviour may be inconsistent for NAT destinations on different internal interfaces, in that return traffic from some servers may appear to pass correctly, but return traffic through a different interface may be dropped.

Solution:

The following workaround is available:
Create a new host object that uses the Static NAT address as the main address and use it in the rulebase.

Do not configure any interface topologies which overlap if any of the overlapping interfaces have "Interface leads to DMZ" checked.

Alternately, this issue should only be possible when using Application Control Whitelist.

See sk112249 - Best Practices - Application Control, section regarding Blacklist VS Whitelist

For more informations see SK:

Application Control/URL Filtering drops traffic from internal web server 

The following SK is also possible:

"Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings" error in Internet Explorer browser for ... 

Regards,

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
kingdavid_akubu
Participant
‎2018-10-14 04:41 AM
In response to HeikoAnkenbrand
Jump to solution

Hi Heiko,

Will Implement this and give you feedback.

Thanks and Best Regards.

kingdavid_akubu
Participant
‎2018-10-18 10:59 AM
In response to HeikoAnkenbrand
Jump to solution

Hello Heiko,

The issue has been resolved. 

Thank you so much.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events