madu1
Participant

NAT with two ISP lines

I've just added a new/second ISP line to my gateway and made this my primary ISP line.  ISP Redundancy is configured.

LAN traffic to the Internet leaves via the default gateway of ISP line 1 - the new line.  All good.

I still have a load of servers with static NAT on what is now the secondary ISP line.  These no longer work.  Tcpdump shows traffic arriving from the Internet via ISP line 2, but return traffic routes out via the default gateway on ISP 1.  Asymmetric routing...

How do I get this traffic to return via the interface it arrived on - back via ISP 2?

I've got other gateways with the same dual ISP configuration, and they work fine. Return traffic goes back out via the interface from which it arrived.  But not this gateway.  Any ideas why not and how to fix it?

8 Replies
Chris_Atkinson
Employee

Are all the gateways on a common version & JHF level?

CCSM R77/R80/ELITE
madu1
Participant

Hi Chris,

Yeah, R81.20 Take 26 (cluster).

the_rock
Legend

Do you have simple diagram?

Andy

PhoneBoy
Admin

So they're all Check Point gateways and one set of them is having an issue?

madu1
Participant

I think just ignore the line where I said I have other gateways...  I was simply saying here to compare to other cases with dual ISP where I can still access the NAT address on the second/standby line with no problem - but it's not working on this particular gateway.

Think of this case evolution as:

  • I have a single gateway with a single ISP line.  (ISP-A)
  • Static NAT assigned to an internal host - from the ISP-A subnet.
  • Then I add an additional ISP line - ISP-B.
  • I make ISP-B the "primary" Internet circuit and change the Default Gateway on the firewall to use ISP-B.
  • I configure ISP Redundancy in HA mode, with ISP-B at the top of the list.
  • Once I do that, people on the Internet can no longer access the server via the NAT on ISP-A.  Tcpdump shows traffic coming in on the ISP-A interface, getting to the internal host, but then returning via ISP-B and the connection doesn't work.
  • SYN in through one interface...  SYN-ACK back via a different interface.  Asymmetric routing.

So my question was how can I keep things working when it has a static NAT on the other ISP line?

Or in other words - how can I make inbound traffic arriving on the ISP-A interface also return out of the ISP-A interface so I don't get asymmetric routing?

Lesley
Advisor

This will give guidance I suspect:

https://support.checkpoint.com/results/sk/sk25152

-------
If you like this post please give a thumbs up(kudo)! 🙂
madu1
Participant

Thanks @Lesley.  This seems interesting but I suspect it isn't what I need.  I think my issue relates to getting return/reply traffic back out of the interface it arrived at.  My interpretation of that SK is for packets initiated from the LAN outbound.  In my case packets are initiated from the Internet inbound, which arrive fine, but the reply traffic leaves from a different interface.

So SYN comes into ISP-A on eth0, but the SYN-ACK leaves via eth1 (the new ISP line, and new Default Gateway).  How do I get the SYN-ACK to return via eth0 instead, to avoid asymmetric routing?

I'm assuming that's my issue here because once the default gateway is set to ISP-B, none of the NATs on ISP-A work any more.  If I add a static route to my Internet test machine via ISP-A then I can access everything normally again.  So it seems stateful reply traffic is following the routing table and breaking the connections.  While ISP-B is default, I simply need a way to still be able to access NATs on ISP-A.

Maybe if I hide NAT behind the ISP-A interface IP on the way in that would work?  It's horribly messy, but worth a try.

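The asymmetry described in the two posts above (SYN in on ISP-A, SYN-ACK out via the ISP-B default route) and the static-route workaround the poster tested can be reproduced in a small routing model. The following is an added illustration written for this thread; it is not Check Point code and does not claim to show how ISP Redundancy is implemented internally. The interface names, RFC 5737 documentation addresses, the static NAT address and the "Internet test machine" address are all constructed for the example. It compares three reply-path decisions: a plain longest-prefix routing lookup (the broken case), the same lookup with a host route for the test client via ISP-A (the poster's workaround), and a policy that sends reply packets back out the interface on which the connection's SYN arrived.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample topology (assumption for this example, not from the thread).
ISP_A_IF, ISP_B_IF, LAN_IF = "eth0", "eth1", "eth2"
ISP_A_NET = ipaddress.ip_network("192.0.2.0/24")      # ISP-A, the original line
ISP_B_NET = ipaddress.ip_network("198.51.100.0/24")   # ISP-B, the new primary line
LAN_NET = ipaddress.ip_network("10.0.0.0/24")
ISP_A_GW, ISP_B_GW = "192.0.2.1", "198.51.100.1"
NAT_PUBLIC = "192.0.2.10"         # static NAT address taken from the ISP-A subnet
SERVER_LAN = "10.0.0.10"          # internal host behind that static NAT
INTERNET_CLIENT = "203.0.113.50"  # the Internet test machine


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: Optional[str] = None


@dataclass
class Packet:
    src: str
    dst: str
    flags: str            # "SYN" (client -> server) or "SYN-ACK" (server -> client)
    in_iface: str = ""
    out_iface: str = ""


@dataclass
class Gateway:
    routes: list
    reply_follows_ingress: bool = False        # send replies back out the ingress interface
    conns: dict = field(default_factory=dict)  # (client, public addr) -> ingress iface

    def lookup(self, dst: str) -> Route:
        """Longest-prefix match over the routing table; 0.0.0.0/0 is the default route."""
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if addr in r.prefix]
        return max(candidates, key=lambda r: r.prefix.prefixlen)

    def forward(self, pkt: Packet) -> Packet:
        if pkt.flags == "SYN":
            # New inbound connection to the static NAT: remember the ISP interface it
            # arrived on, translate the destination to the internal server, forward to LAN.
            self.conns[(pkt.src, pkt.dst)] = pkt.in_iface
            return Packet(pkt.src, SERVER_LAN, "SYN", pkt.in_iface, LAN_IF)
        # Reply from the server: undo the static NAT on the source address.
        reply = Packet(NAT_PUBLIC, pkt.dst, pkt.flags, pkt.in_iface)
        recorded = self.conns.get((reply.dst, reply.src))
        if self.reply_follows_ingress and recorded is not None:
            reply.out_iface = recorded                     # symmetric: back the way it came
        else:
            reply.out_iface = self.lookup(reply.dst).iface  # plain routing-table decision
        return reply


def base_routes() -> list:
    """Routing table after the change: ISP-B holds the default route."""
    return [
        Route(ipaddress.ip_network("0.0.0.0/0"), ISP_B_IF, ISP_B_GW),
        Route(ISP_A_NET, ISP_A_IF),
        Route(ISP_B_NET, ISP_B_IF),
        Route(LAN_NET, LAN_IF),
    ]


def simulate(gw: Gateway) -> tuple:
    """SYN in on ISP-A, SYN-ACK back from the server; return (in iface, out iface, symmetric?)."""
    syn = gw.forward(Packet(INTERNET_CLIENT, NAT_PUBLIC, "SYN", in_iface=ISP_A_IF))
    synack = gw.forward(Packet(SERVER_LAN, INTERNET_CLIENT, "SYN-ACK", in_iface=LAN_IF))
    return syn.in_iface, synack.out_iface, synack.out_iface == syn.in_iface


def scenario_default_route_only() -> tuple:
    return simulate(Gateway(base_routes()))


def scenario_static_host_route() -> tuple:
    # The poster's workaround: a /32 route for the test client via ISP-A.
    host = Route(ipaddress.ip_network(INTERNET_CLIENT + "/32"), ISP_A_IF, ISP_A_GW)
    return simulate(Gateway(base_routes() + [host]))


def scenario_reply_follows_ingress() -> tuple:
    return simulate(Gateway(base_routes(), reply_follows_ingress=True))


if __name__ == "__main__":
    for name, fn in [("default route only", scenario_default_route_only),
                     ("static host route via ISP-A", scenario_static_host_route),
                     ("reply follows ingress", scenario_reply_follows_ingress)]:
        print(f"{name}: {fn()}")
```

The static host route only fixes the one client it names, which is why it works as a test but not as a general solution; the connection-aware policy makes every reply leave on the interface its SYN used, which is the behaviour the poster sees on the working gateways.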
Lesley
Advisor

Hmmm, could it be because the setup is in HA mode instead of 50/50?

Maybe check this out, many tips there to verify:

https://support.checkpoint.com/results/sk/sk61692

If you are running load-sharing:

https://support.checkpoint.com/results/sk/sk34812

Hide NAT should be configured. Every connection without Hide Address Translation will not be included in the ISP Redundancy routing and go through the default primary gateway. 

-------
If you like this post please give a thumbs up(kudo)! 🙂