kingdavid_akubu
Participant

NAT Issues

Dear CheckMates, I did static NAT and the required policy to reach a web server in my network, but I still can't reach the web server.

I ran a zdebug command and the following popped up:

"dropped by fwpslglue_chain Reason: PSL Reject: ASPII_MT"

Please, how can I fix this?
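When a zdebug capture is busy, it helps to tally the drop lines by chain module and reason before deciding whether the problem is the rulebase, NAT, or (as in the quoted line) the PSL inspection layer. The following is an added example, not code from the thread or from Check Point; it assumes the `fw_log_drop_ex: Packet proto=... -> ... dropped by <module> Reason: <reason>;` line shape inferred from the quoted output, and the sample lines and addresses are constructed.

```python
import re
from collections import Counter

# Assumed shape of the drop lines printed by `fw ctl zdebug + drop`, inferred
# from the line quoted in the post; field order may differ between versions.
DROP_RE = re.compile(
    r"fw_log_drop_ex: Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<module>\S+) Reason: (?P<reason>[^;]+);?"
)

def parse_drop(line):
    """Return the fields of one zdebug drop line, or None if it is not a drop line."""
    m = DROP_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("proto", "sport", "dport"):
        d[k] = int(d[k])
    d["reason"] = d["reason"].strip()
    return d

def summarize_drops(lines, watch_dst=None):
    """Count drops per (module, reason); optionally keep only one destination
    (e.g. the real IP behind the static NAT) so drops for that server stand out."""
    counts = Counter()
    for line in lines:
        d = parse_drop(line)
        if d is None:
            continue
        if watch_dst and d["dst"] != watch_dst:
            continue
        counts[(d["module"], d["reason"])] += 1
    return counts

def is_psl_reject(d):
    """True when the drop came from the PSL glue chain, i.e. inspection, not a rulebase or NAT decision."""
    return d is not None and d["module"] == "fwpslglue_chain" and d["reason"].startswith("PSL Reject")

# Constructed sample output; addresses are documentation ranges, not real hosts.
SAMPLE = """\
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 203.0.113.25:51514 -> 10.10.10.80:443 dropped by fwpslglue_chain Reason: PSL Reject: ASPII_MT;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 203.0.113.25:51515 -> 10.10.10.80:443 dropped by fwpslglue_chain Reason: PSL Reject: ASPII_MT;
;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=17 198.51.100.7:40000 -> 10.10.10.53:53 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 12;
;[cpu_0];[fw4_1];some unrelated debug line;
"""

if __name__ == "__main__":
    for (module, reason), n in summarize_drops(SAMPLE.splitlines()).items():
        print(f"{n:3d}  {module:<24} {reason}")
```

Run it against a real capture by feeding the file's lines to `summarize_drops` with `watch_dst` set to the server's internal address.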

1 Solution

Accepted Solutions
HeikoAnkenbrand
Champion

I think it is not an NAT issue. It is a PSL issue in combination with NAT. Behaviour may be inconsistent for NAT destinations on different internal interfaces, in that return traffic from some servers may appear to pass correctly, but return traffic through a different interface may be dropped.

Solution:

The following workaround is available:
Create a new host object that uses the Static NAT address as the main address and use it in the rulebase.

Do not configure any interface topologies which overlap if any of the overlapping interfaces have "Interface leads to DMZ" checked.

Alternatively, this issue should only be possible when using Application Control Whitelist.

See sk112249 - Best Practices - Application Control, section regarding Blacklist VS Whitelist

For more information, see SK:

Application Control/URL Filtering drops traffic from internal web server 

The following SK is also possible:

"Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings" error in Internet Explorer browser for ... 

Regards,

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips


3 Replies
kingdavid_akubu
Participant

Hi Heiko,

Will implement this and give you feedback.

Thanks and Best Regards.

kingdavid_akubu
Participant

Hello Heiko,

The issue has been resolved. 

Thank you so much.
