Phoenix
Participant

NAT problem

Hi.

I have two 3000 Checkpoint firewalls and two sites.

Site A
LAN site A is 192.168.1.0/24 and the default gateway is 192.168.1.254, with an interface on the Checkpoint.
With the following:
IPv4 static route 10.20.20.0/24 to 192.168.1.1

It's IPVPN, so both sides are trunked on a Cisco switch.
The Cisco switch does not have any IP route.

Site B
LAN site B is 10.20.20.0/24 and the default gateway is 10.20.20.254, same config.
With the following:
IPv4 static route 192.168.1.0 to 10.20.20.1

I'm able to ping each default gateway and the gateway of each jump.
But when I try to ping from a client 10.20.20.x to 192.168.1.x, they can't reach each other unless I create a route print.

I have tried several NAT configurations but am not really sure what would be the right one on each side.

Thanks,


Accepted Solutions
Phoenix
Participant

Site A

src.            dst.            trans-src.             trans-dst.
192.168.1.0/24  10.20.20.0/24   Original               10.20.20.254 - static
10.20.20.0/24   192.168.1.0/24  10.20.20.254 - static  Original

Site B

src.            dst.            trans-src.             trans-dst.
10.20.20.0/24   192.186.1.0/24  Original               192.168.1.254 - static
192.168.1.0/24  10.20.20.0/24   192.168.1.254 - static Original


15 Replies
_Val_
Admin

Please provide a diagram and mention the versions in use.

Phoenix
Participant

R81.20 and R80.30 

diagram.PNG
emmap
Employee

Check your logs; I bet you'll see lots of out-of-state drops. If you do, the issue is asymmetric routing. Your C2S packets go from the client to their local gateway and over to the server via the Cisco devices, then the S2C packet goes to the server's local gateway, which never saw the C2S packet, hence doesn't have the connection in its tables and drops it.

If that's the case, I suggest that the IPVPN be moved to dedicated interfaces/subnets rather than sharing the client subnet, so all packets must traverse both gateways in both directions.

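A small simulation of the asymmetric-routing failure emmap describes, added here as an illustration (it is not from the original thread or from Check Point): two stateful gateways, a client in 192.168.1.0/24 and a server in 10.20.20.0/24 with constructed host addresses, first with the IPVPN handing off inside the shared LAN subnets, then with a dedicated transit subnet between the gateways.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    syn: bool          # True only for the connection-opening client-to-server packet

@dataclass
class StatefulGateway:
    """Minimal stateful-inspection model: a reply is accepted only if the
    gateway saw the connection being opened; otherwise it is 'out of state'."""
    name: str
    table: set = field(default_factory=set)   # (client, server) pairs seen as SYN

    def inspect(self, pkt: Packet) -> bool:
        if pkt.syn:
            self.table.add((pkt.src, pkt.dst))    # learn the new connection
            return True
        return (pkt.dst, pkt.src) in self.table   # reply must match a known flow

def send(path, pkt: Packet) -> str:
    """Walk pkt hop by hop; gateways inspect it, plain hops (strings) just forward."""
    for hop in path:
        if isinstance(hop, StatefulGateway) and not hop.inspect(pkt):
            return f"dropped out-of-state at {hop.name}"
    return "delivered"

# Constructed host addresses inside the two subnets from the question.
CLIENT_A = "192.168.1.10"
SERVER_B = "10.20.20.10"

def shared_subnet_topology():
    """As in the thread: the IPVPN hands off inside each LAN, so C2S passes only
    the site A gateway and the server's reply passes only the site B gateway."""
    gw_a, gw_b = StatefulGateway("CP-A"), StatefulGateway("CP-B")
    c2s = send([gw_a, "cisco-trunk"], Packet(CLIENT_A, SERVER_B, syn=True))
    s2c = send([gw_b, "cisco-trunk"], Packet(SERVER_B, CLIENT_A, syn=False))
    return c2s, s2c

def transit_subnet_topology():
    """emmap's fix: a dedicated transit link between the gateways, so every
    packet crosses both gateways in both directions."""
    gw_a, gw_b = StatefulGateway("CP-A"), StatefulGateway("CP-B")
    c2s = send([gw_a, "transit", gw_b], Packet(CLIENT_A, SERVER_B, syn=True))
    s2c = send([gw_b, "transit", gw_a], Packet(SERVER_B, CLIENT_A, syn=False))
    return c2s, s2c
```

Calling shared_subnet_topology() returns the reply dropped at CP-B, the out-of-state drop you would look for in the logs; transit_subnet_topology() delivers both directions.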
Phoenix
Participant

Forget the IPVPN, that was my mistake. It's just Layer 3 routing. I'm able to ping when I do a static route on the computers on each side. I don't see any drop of packets; I can see when I ping each side of the firewalls.

Phoenix
Participant

Don't want to change the Layer 3 routing. Is there a way for me to do this simply? I can't have static routes on every host.

the_rock
Legend

I have a suggestion... run the ip r g command when it works and when it does not, and compare.

If dst is 10.10.10.10, just run from expert: ip r g 10.10.10.10

Andy

Phoenix
Participant

It should work with the right NAT configuration, right?

the_rock
Legend

That's always been the key IT word... SHOULD lol. Yes, it should work, agreed, but if it does not, maybe if you can send how you configured the NAT, we can verify.

Andy

Phoenix
Participant

Site A

src.            dst.            trans-src.             trans-dst.
192.168.1.0/24  10.20.20.0/24   Original               10.20.20.254 - static
10.20.20.0/24   192.168.1.0/24  10.20.20.254 - static  Original

Site B

src.            dst.            trans-src.             trans-dst.
10.20.20.0/24   192.186.1.0/24  Original               192.168.1.254 - static
192.168.1.0/24  10.20.20.0/24   192.168.1.254 - static Original

the_rock
Legend

Ah, ok, I see what we missed yesterday, good job!

Andy

Phoenix
Participant

Unable to do that right now. What's the best workaround?

emmap
Employee

You can potentially kludge it by configuring on the site A gateway a hide NAT for the site A subnet behind the site A gateway for traffic to site B, and vice versa.

the_rock
Legend

That may work.

the_rock
Legend

I second what Val said. If you send us a basic diagram (Paint would do as well), it would give us a better idea, so we can help you more.

Best,

Andy

the_rock
Legend

Just to give a quick update on this: @Phoenix and I did a remote session today, and I am also fairly sure something with the NAT rule is missing here, so once that's sorted out, I'm positive it will work.

Let me know when you are free Tuesday and we can do another Zoom.

Best,

Andy
