Public destination nat not working
We have a very simple setup: an external router routes a dedicated public IP range (1.1.1.1) to an external Check Point firewall. On this firewall we use a public NAT range to publish a service; however, no destination NAT is performed, the packet is forwarded towards the internal interface and spoofing blocks the traffic. The router and firewall are connected via another IP subnet, so the Check Point firewall's public interface is configured on another subnet not belonging to 1.1.1.x. The external interface is configured to the internet, allowing all source IPs.
The original packet is coming in on the correct public interface (we validated this via tcpdump), so the issue here is simply that the destination NAT is not performed.
The global properties are set to perform pre-NAT, so on the interface where it arrives. We tried to move the manual NAT rules higher in the rulebase, but still no luck with this.
We have a similar setup working elsewhere, but here the destination NAT rule does not seem to be matched or executed. Any ideas how to fix this, what could be the problem here?
Is this an R81.20 gateway, what does the NAT rule look like and how are you testing?
Yes, it is R81.20. We are in fact forwarding UDP 500 coming from a public IP on the internet, arriving on the external interface of the firewall, and this needs to be static destination NATed to a private IP and arrive on an internal firewall. The NAT rule is basically saying: original source 1.1.1.1, destination 2.2.2.2, translated destination 10.0.0.1 (example). So we see src 1.1.1.1 towards destination 2.2.2.2 arriving on the firewall, and then we see it leaving the firewall on the internal interface (which is the default route) with no destination NAT occurring, which is very strange to say the least.
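An added example, not from the thread or from Check Point: a small checker that compares the packet captured on the external interface with the same flow captured on the internal interface and reports whether the static destination NAT described above was applied. Addresses, interface names and the `Packet`/`StaticDstNat` types are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str   # interface where the packet was captured (hypothetical names)
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class StaticDstNat:
    orig_src: str    # "Any" or a single original source address
    orig_dst: str    # original (public) destination
    xlate_dst: str   # translated (private) destination

def rule_matches(rule: StaticDstNat, pkt: Packet) -> bool:
    """True when the untranslated packet is the one the manual NAT rule describes."""
    return rule.orig_src in ("Any", pkt.src) and rule.orig_dst == pkt.dst

def check_translation(rule: StaticDstNat, ingress: Packet, egress: Packet) -> list:
    """Return a list of findings; an empty list means the destination NAT happened."""
    if not rule_matches(rule, ingress):
        return [f"rule does not match ingress packet {ingress.src}->{ingress.dst}"]
    if (ingress.src, ingress.proto, ingress.dport) != (egress.src, egress.proto, egress.dport):
        return ["ingress and egress captures are not the same flow"]
    if egress.dst == rule.xlate_dst:
        return []
    findings = []
    if egress.dst == ingress.dst:
        findings.append(f"destination NAT not applied: dst still {egress.dst} on {egress.iface}")
        findings.append("untranslated public destination leaving on the internal interface; "
                        "expect an anti-spoofing drop on the next hop")
    else:
        findings.append(f"unexpected translation {egress.dst}, expected {rule.xlate_dst}")
    return findings

# Constructed captures mirroring the thread: UDP 500 from 1.1.1.1 to 2.2.2.2.
RULE = StaticDstNat(orig_src="1.1.1.1", orig_dst="2.2.2.2", xlate_dst="10.0.0.1")
INGRESS = Packet("eth0", "1.1.1.1", "2.2.2.2", "udp", 500)
BROKEN_EGRESS = Packet("eth1", "1.1.1.1", "2.2.2.2", "udp", 500)   # what the poster sees
GOOD_EGRESS = Packet("eth1", "1.1.1.1", "10.0.0.1", "udp", 500)    # what should be seen

if __name__ == "__main__":
    for line in check_translation(RULE, INGRESS, BROKEN_EGRESS):
        print("FINDING:", line)
```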
Does the gateway in question have VPN enabled on it (either the VPN Blade or Mobile Access)?
Either way, I think this will require a TAC case for troubleshooting: https://help.checkpoint.com
