This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Phoenix
Participant
‎2024-04-06 04:27 AM
Jump to solution

NAT problem

Hi.

I have two 3000 checkpoint firewall and two sites

Site A
LAN site A is 192.168.1.0/24 and default gateway is 192.168.1.254  with a interface on Checkpoint.
With the following 
IPv4 static route 10.20.20.0/24 to 192.168.1.1

Its IPVPN so they both sides are Trunked on Cisco switch
Cisco switch does not have any IP route

Site B
LAN site B is 10.20.20.0/24 and default gateway 10.20.20.254 same config
With the following 
IPv4 static route 192.168.1.0 to 10.20.20.1

I`m able to ping each default-gateway and the gateway of each jump. 
But when I try to ping a client 10.20.20.x to 192.168.1.x they cant reach each other unless I create a route print.

I have tried several NAT configuration but not really sure what would be the right on on each side.

Thanks,

 
0 Kudos
1 Solution

Accepted Solutions
Phoenix
Participant
‎2024-04-08 06:01 AM
In response to the_rock
Jump to solution

Site A

src.                                 dst.                               trans-src.                       trans-dst.
192.168.1.0/24        10.20.20.0/24                    Original                      10.20.20.254 - static
10.20.20.0/24          192.168.1.0/24                10.20.20.254-static             Original


Site B
sr.                               dst.                           trans-src                       trans-dst
10.20.20.0/24 192.186.1.0/24                      Orginal              192.168.1.254 - static
192.168.1.0/24 10.20.20.0/24              192.168.1.254-static              Orignal

View solution in original post

15 Replies
_Val_
Admin
Admin
‎2024-04-07 06:23 AM
Jump to solution

Please provide a diagram and mention versions in use

0 Kudos
Phoenix
Participant
‎2024-04-08 01:30 AM
In response to _Val_
Jump to solution

R81.20 and R80.30 

diagram.PNG

 

0 Kudos
emmap
Employee
Employee
‎2024-04-08 01:48 AM
In response to Phoenix
Jump to solution

Check your logs, I bet you'll see lots of out-of-state drops. If you do, the issue is asymmetric routing. Your C2S packets go from the client to their local gateway and over to the server via the Cisco devices, then the S2C packet goes to the server local gateway that never saw the C2S packet, hence doesn't have the connection in its tables and is dropping it. 

If that's the case, I suggest that the IPVPN be moved to dedicated interfaces/subnets rather than sharing the client subnet, so all packets must traverse both gateways in both directions.

0 Kudos
Phoenix
Participant
‎2024-04-08 02:04 AM
In response to emmap
Jump to solution

Forget the IPVPN, that was my mistake. its just Layer 3 Routing, Im able to ping when i do static route on the computers on each side. I dont see any drop of packets i can see when i ping each side of the firewalls

 

0 Kudos
Phoenix
Participant
‎2024-04-08 03:55 AM
In response to emmap
Jump to solution

Dont wanna change the LAYER 3 routing, is there a way for me to do this simple? I cant have static routes on every hosts.

 

0 Kudos
the_rock
Legend
Legend
‎2024-04-08 04:07 AM
In response to Phoenix
Jump to solution

I have a suggestion...run ip r g command when it works and when it does not and compare.

if dst is 10.10.10.10, just run from expert ip r g 10.10.10.10

Andy

0 Kudos
Phoenix
Participant
‎2024-04-08 05:15 AM
In response to the_rock
Jump to solution

I should work with the right NAT configuration right?

0 Kudos
the_rock
Legend
Legend
‎2024-04-08 05:19 AM
In response to Phoenix
Jump to solution

Thats always been key IT word...SHOULD lol. Yes, it should work, agree, but if it does not, maybe if you can send how you configure the NAT, we can verify.

Andy

0 Kudos
Phoenix
Participant
‎2024-04-08 06:01 AM
In response to the_rock
Jump to solution

Site A

src.                                 dst.                               trans-src.                       trans-dst.
192.168.1.0/24        10.20.20.0/24                    Original                      10.20.20.254 - static
10.20.20.0/24          192.168.1.0/24                10.20.20.254-static             Original


Site B
sr.                               dst.                           trans-src                       trans-dst
10.20.20.0/24 192.186.1.0/24                      Orginal              192.168.1.254 - static
192.168.1.0/24 10.20.20.0/24              192.168.1.254-static              Orignal

the_rock
Legend
Legend
‎2024-04-09 06:28 AM
In response to Phoenix
Jump to solution

Ah, ok, I see what we missed yesterday, good job!

Andy

0 Kudos
Phoenix
Participant
‎2024-04-09 05:02 AM
In response to emmap
Jump to solution

Unable to do that right now, whats the best workaround?

0 Kudos
emmap
Employee
Employee
‎2024-04-09 08:02 AM
In response to Phoenix
Jump to solution

You can potentially kludge it by  configuring on the site A gateway a hideNAT for site A subnet behind the site A gateway for traffic to site B and vice-versa. 

the_rock
Legend
Legend
‎2024-04-09 09:01 AM
In response to emmap
Jump to solution

That may work.

0 Kudos
the_rock
Legend
Legend
‎2024-04-07 07:53 AM
Jump to solution

I second what Val said. If you send us basic diagram (paint would do as well), it would give us better idea, so we can help you more.

Best,

Andy

0 Kudos
the_rock
Legend
Legend
‎2024-04-08 07:17 PM
Jump to solution

Just to give quick update on this, @Phoenix and I did remote session today and I am also fairly sure something with nat rule is missing here, so once thats sorted out, Im positive it will work.

Let me know when you are free Tuesday and we can do another zoom.

Best,

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events