madu1
Contributor

NAT with two ISP lines

I've just added a new/second ISP line to my gateway and made this my primary ISP line.  ISP Redundancy is configured.

LAN traffic to the Internet leaves via the default gateway of ISP line 1 - the new line.  All good.

I still have a load of servers with static NAT on what is now the secondary ISP line.  These no longer work.  Tcpdump shows traffic arriving from the Internet via ISP line 2, but return traffic routes out via the default gateway on ISP 1.  Asymmetric routing...

How do I get this traffic to return via the interface it arrived on - back via ISP 2?

I've got other gateways with the same dual ISP configuration, and they work fine. Return traffic goes back out via the interface from which it arrived.  But not this gateway.  Any ideas why not and how to fix it?

11 Replies
Chris_Atkinson
Employee

Are all the gateways on a common version & JHF level?

CCSM R77/R80/ELITE
madu1
Contributor

Hi Chris,

Yeah, R81.20 Take 26 (cluster).

the_rock
Legend

Do you have a simple diagram?

Andy

PhoneBoy
Admin

So they're all Check Point gateways and one set of them is having an issue?

madu1
Contributor

I think just ignore the line where I said I have other gateways...  I was simply saying here to compare to other cases with dual ISP where I can still access the NAT address on the second/standby line with no problem - but it's not working on this particular gateway.

Think of this case evolution as:

  • I have a single gateway with a single ISP line.  (ISP-A)
  • Static NAT assigned to an internal host - from the ISP-A subnet.
  • Then I add an additional ISP line - ISP-B.
  • I make ISP-B the "primary" Internet circuit and change the Default Gateway on the firewall to use ISP-B.
  • I configure ISP Redundancy in HA mode, with ISP-B at the top of the list.
  • Once I do that, people on the Internet can no longer access the server via the NAT on ISP-A.  Tcpdump shows traffic coming in on the ISP-A interface, getting to the internal host, but then returning via ISP-B and the connection doesn't work.
  • SYN in through one interface...  SYN-ACK back via a different interface.  Asymmetric routing.

So my question was how can I keep things working when it has a static NAT on the other ISP line?

Or in other words - how can I make inbound traffic arriving on the ISP-A interface also return out of the ISP-A interface so I don't get asymmetric routing?

Lesley
Leader

This will give guidance I suspect:

https://support.checkpoint.com/results/sk/sk25152

madu1
Contributor

Thanks @Lesley.  This seems interesting but I suspect it isn't what I need.  I think my issue relates to getting return/reply traffic back out of the interface it arrived at.  My interpretation of that SK is for packets initiated from the LAN outbound.  In my case packets are initiated from the Internet inbound, which arrive fine, but the reply traffic leaves from a different interface.

So SYN comes into ISP-A on eth0, but the SYN-ACK leaves via eth1 (the new ISP line, and new Default Gateway).  How do I get the SYN-ACK to return via eth0 instead, to avoid asymmetric routing?

I'm assuming that's my issue here because once the default gateway is set to ISP-B, none of the NATs on ISP-A work any more.  If I add a static route to my Internet test machine via ISP-A then I can access everything normally again.  So it seems stateful reply traffic is following the routing table and breaking the connections.   While ISP-B is default, I simply need a way to still be able to access NATs on ISP-A.

Maybe if I hide NAT behind the ISP-A interface IP on the way in that would work?  It's horribly messy, but worth a try.

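As an added example (not from the thread or from Check Point), a small Python check that reads tcpdump-style capture lines from a gateway and flags TCP handshakes where the SYN-ACK leaves on a different interface than the SYN arrived on, which is the eth0/eth1 symptom described above. The capture lines and their column layout (interface, direction, 5-tuple, flags) are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample capture, loosely modelled on `tcpdump -nn -i any`
# style output with the interface and direction in front. The column
# layout is an assumption for this example, not Check Point's own output.
SAMPLE_CAPTURE = """\
eth0 In  IP 203.0.113.10.51514 > 198.51.100.25.443: Flags [S], seq 1
eth1 Out IP 198.51.100.25.443 > 203.0.113.10.51514: Flags [S.], seq 2, ack 2
eth1 In  IP 203.0.113.77.40000 > 192.0.2.9.22: Flags [S], seq 3
eth1 Out IP 192.0.2.9.22 > 203.0.113.77.40000: Flags [S.], seq 4, ack 4
eth0 In  IP 203.0.113.10.51515 > 198.51.100.25.443: Flags [S], seq 5
"""

LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)

Flow = Tuple[str, str]  # (client "ip:port", server "ip:port")


def find_asymmetric_flows(capture: str) -> List[Tuple[str, str, str, str]]:
    """Return (client, server, syn_in_iface, synack_out_iface) for each
    handshake whose SYN-ACK leaves on a different interface than the SYN
    entered on. Handshakes with no SYN-ACK in the capture are ignored."""
    syn_iface: Dict[Flow, str] = {}
    asymmetric: List[Tuple[str, str, str, str]] = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not match the assumed layout
        src = f"{m['src']}:{m['sport']}"
        dst = f"{m['dst']}:{m['dport']}"
        if m["flags"] == "S" and m["dir"] == "In":
            # Inbound SYN: remember the interface it arrived on.
            syn_iface[(src, dst)] = m["iface"]
        elif m["flags"] == "S." and m["dir"] == "Out":
            # Outbound SYN-ACK: the flow key is reversed (server -> client).
            flow = (dst, src)
            entered = syn_iface.get(flow)
            if entered is not None and entered != m["iface"]:
                asymmetric.append((flow[0], flow[1], entered, m["iface"]))
    return asymmetric


if __name__ == "__main__":
    for client, server, in_if, out_if in find_asymmetric_flows(SAMPLE_CAPTURE):
        print(f"asymmetric: {client} -> {server}: SYN in {in_if}, SYN-ACK out {out_if}")
```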
Lesley
Leader

Hmmm, could it be because the setup is in HA mode instead of 50/50?

Maybe check this out, many tips there to verify:

https://support.checkpoint.com/results/sk/sk61692

If you are running load-sharing:

https://support.checkpoint.com/results/sk/sk34812

Hide NAT should be configured. Every connection without Hide Address Translation will not be included in the ISP Redundancy routing and go through the default primary gateway. 

CheckPointerXL
Advisor

Did you try to configure PBR for the internal host NATed on ISP A?

madu1
Contributor

So the answer turned out to be easy, and was completely my error.

It requires correct ISP Redundancy config.  I'd forgotten to put the new ISP line into ISP Redundancy, so the firewall had no route out of that new interface, hence just resorting to the default route out of the wrong interface.  Once this was entered everything immediately worked 🙂 

the_rock
Legend

Good job @madu1 
