This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Mark_Wheeler
Participant
‎2020-03-10 04:53 AM
Jump to solution

Problem with internal Firewall between two LAN segments without NAT

Hi

I have a internal Firewall which divides a LAN with lower security from a LAN with higher security. For this reason it does not need to NAT only routing and packetfiltering according to the rules.

However, i can not seem to get it to work without NAT. I have disabled NAT in the policy, in the gatway config, and also in the NAT section. But nothing goes through. For testing i have set the ruleset just any,any,any,any rules from an to both LAN (internal and external).

As soon as i enable NAT (hide NAT), packets are going through. But that's not what i need.

IP spoofing is also disabled and the network with the lower security is marked as external in the topology config as well as the other network with higher security, which is behind the FW, is marked as internal Network.

Am i missing something, do i have to enable routing explicitly or what could be the problem?

Btw, it's on 77.30 because it's a LAB environment which is a prep for a migration.

Cheers and thanks in advance,

Mark

0 Kudos
1 Solution

Accepted Solutions
Maarten_Sjouw
Champion
Champion
‎2020-03-10 06:52 AM
Jump to solution

It really sounds like you do not have a route to the gateway for the network that is behind the gateway.
Packets are going through but the return traffic does not seem to know how to get back.
Regards, Maarten

View solution in original post

3 Replies
Muazzam
Contributor
Contributor
‎2020-03-10 06:06 AM
Jump to solution

I know that you can achieve this without doing the address translation (static or hide). Depending upon your setup you may need to add a No-translation rule on top. One easy way is to run tcpdump and/or "fw monitor" to see at what point your packets are getting lost.

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2020-03-10 06:52 AM
Jump to solution

It really sounds like you do not have a route to the gateway for the network that is behind the gateway.
Packets are going through but the return traffic does not seem to know how to get back.
Regards, Maarten
Christopher__C2
Employee
Employee
‎2020-03-10 07:28 AM
Jump to solution

This does sound like a routing issue.
Assuming the "internal" lan is using the firewall as the default gateway, and the "external" lab is using something else as the default gateway. That something else has to have a route to forward the "internal" lan IP addresses back to the firewall.
When you enable the hide NAT, that external network will then forward the traffic back to the firewall using the firewall's IP address, which it believes the traffic came from, and does not need to know a gateway address for the internal lan, unaware that the IP addresses being used exist.
It will definitely work without NAT. This is a very common setup for many customers. Routing on the firewall would be enabled by default as long as a policy is installed (will be disabled when the firewall services stop, and IP forwarding does need to be enabled for the firewall to forward traffic when NAT rules are used, so I would be confident it is working), but the firewall will not automatically advertise routing information unless a protocol (OSPF, RIP, BGP, etc.) is configured in GAIA (via clish), so other routers and hosts on the network that would to direct traffic to the firewall as the nexthop gateway would not automatically have this information.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events