Oliver_222
Participant

Problem with NAT and ISP

Good afternoon.

We have ISP1 and ISP2 configured on the security gateway.
We also have NAT rules configured.
ISP1 uses the external address of the Security Gateway. And ISP2 uses 4 addresses: one external from the Security Gateway and 3 not on the gateway. Proxy ARP is configured for these 3 external addresses.

For some reason, when there are problems with one ISP, we encountered the following situation:
1. The default route changes correctly (switches to the gateway of the desired ISP).
2. NAT rules are not working. The NAT rule above (e.g.: ISP1 was working and became unreachable, then the route is changed to ISP2. BUT the NAT rule works for ISP1 because it is upstream of ISP2).

To solve the NAT problem, we modified the NAT rules according to sk174197. We added RNGX objects. Here is how it worked: we had the same rules with RNGX1, and the rule was repeated for RNGX2.
NAT started working correctly (the addresses were hidden behind the right address, according to the automatic rule). But for some reason NAT didn't work for one subnet (there was no NAT in the logs; the Check Point let the traffic through) and the servers on that subnet didn't have Internet access.

Can you tell me what could be the problem?

0 Kudos
5 Replies
PhoneBoy
Admin

Version/JHF of the gateway in question? (Or if it's an SMB, the firmware version)
Please explain what is meant by "the NAT rule works for ISP1 because it is upstream of ISP2."
Also, showing the exact rules used would be helpful.
Can you also provide a simple network diagram?

0 Kudos
Oliver_222
Participant

R81.10 JHF Take 55
3800 Appliance.
When we shut down one ISP, the NAT rule worked the same, and users and servers had no access to the Internet. But when we raised ISP2 higher than ISP1, the NAT rule worked for ISP2 and there was Internet access (picture 1).
Setting NAT with RNGX (picture 2): in this case everything worked correctly (I think); the default route was changed to the other provider, and in the logs addresses were hidden behind the same provider. But only the subnet 172.16.0.0/24 didn't have Internet working.

1.png

2.png

3.png


0 Kudos
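A constructed model of the two symptoms described in the opening post and in the follow-up above, added here as an illustration and not code from the thread or from Check Point: with plain first-match hide NAT, the ISP1 rule higher in the rulebase keeps matching after the route fails over to ISP2, and a subnet that has no NAT rule at all leaves the gateway untranslated, which is what "no NAT in the logs" looks like. The addresses, the `link_aware` flag (standing in for the per-ISP RNGX-scoped rules the thread mentions) and the `uncovered` check are all assumptions of this example.

```python
import ipaddress

# Constructed internal subnets and per-ISP hide addresses (documentation ranges).
INTERNAL = ["10.0.0.0/24", "10.0.1.0/24", "172.16.0.0/24"]
ISPS = ["ISP1", "ISP2"]

# Rule = (source subnet, ISP the rule is meant for, address to hide behind).
# Deliberately no rule exists for 172.16.0.0/24, mirroring the thread's symptom.
RULES = [
    ("10.0.0.0/24", "ISP1", "198.51.100.10"),
    ("10.0.1.0/24", "ISP1", "198.51.100.10"),
    ("10.0.0.0/24", "ISP2", "203.0.113.10"),
    ("10.0.1.0/24", "ISP2", "203.0.113.10"),
]


def translate(rules, src_ip, active_isp, link_aware):
    """First-match hide NAT. With link_aware=False the ISP column is ignored,
    so the ISP1 rule higher in the rulebase keeps matching after failover to
    ISP2. With link_aware=True a rule only matches when its ISP is the active
    one (assumption: this is the effect of scoping each rule to one ISP).
    Returns the hide address, or None when no rule matched, i.e. the packet
    would leave with its private source address."""
    ip = ipaddress.ip_address(src_ip)
    for net, isp, hide in rules:
        if ip in ipaddress.ip_network(net) and (not link_aware or isp == active_isp):
            return hide
    return None


def uncovered(rules, internal=INTERNAL, isps=ISPS):
    """List (subnet, isp) pairs that no rule would translate; a check worth
    running before relying on ISP failover."""
    gaps = []
    for subnet in map(ipaddress.ip_network, internal):
        for isp in isps:
            covered = any(isp == r_isp and subnet.subnet_of(ipaddress.ip_network(net))
                          for net, r_isp, _ in rules)
            if not covered:
                gaps.append((str(subnet), isp))
    return gaps


if __name__ == "__main__":
    print("after failover, not link-aware:", translate(RULES, "10.0.0.5", "ISP2", False))
    print("after failover, link-aware:    ", translate(RULES, "10.0.0.5", "ISP2", True))
    print("subnets with no NAT rule:", uncovered(RULES))
```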
PhoneBoy
Admin

I recommend engaging the TAC here: https://help.checkpoint.com

0 Kudos
CheckPointerXL
Advisor

Did you fix the problem? I'm interested in a similar scenario.

0 Kudos
Oliver_222
Participant

We are currently investigating the problem together with the TAC.

0 Kudos