Anu_Cherian
Nickel

R80.10 NAT issue

Hi All,

We have recently moved to Static IP, and facing issues with Checkpoint NAT. We have a 3200 checkpoint firewall running R80.10. The ISP have their ONT and HP router connected and working fine. But when I connect the checkpoint to HP, I am not able to access internet. From the firewall I can ping HP interface and 8.8.8.8. But once I connect a client, I can ping checkpoint external IP, but cannot ping any outside IP. I have checked the NAT settings, and Hide NAT is enabled. Appreciate your time and help.

Thank you !

1 Solution

Accepted Solutions
Vladimir
Pearl

Re: R80.10 NAT issue

Provided that you have followed this:

Configuring a DHCP Server - WebUI (Gaia Administration Guide R80.10, Network Management)

To allocate DHCP parameters to hosts:

1. In the tree view, click Network Management > DHCP Server.
2. In the DHCP Server Subnet Configuration section, click Add. The Add DHCP window opens. You now define a DHCP subnet on an Ethernet interface of the Gaia device. Hosts behind the Gaia interface get IPv4 addresses from address pools in the subnet.
3. Select Enable DHCP to enable DHCP for the subnet.
4. In the Subnet tab, enter the Network IP Address of the interface. Click Get from interface to do this automatically.
5. Enter the Subnet mask.
6. In the Address Pool section, click Add and define the range of IPv4 addresses that the server assigns to hosts.
7. Optional: Define a Default Lease in seconds, for host IPv4 addresses. This applies only if clients do not request a unique lease time. If you do not enter a value, the configuration default is 43,200 seconds.
8. Optional: Define a Maximum Lease in seconds, for host IPv4 addresses. This is the longest lease available. If you do not enter a value, the configuration default is 86,400 seconds.
9. Optional: Click the Routing & DNS tab to define routing and DNS parameters for hosts:
   • Default Gateway. The IPv4 address of the default gateway for the network hosts.
   • Domain Name. The domain name of the network hosts. For example, example.com.
   • Primary DNS Server. The DNS server that the network hosts use to resolve hostnames.
   • Secondary DNS Server. The DNS server that the network hosts use to resolve hostnames if the primary server does not respond.
   • Tertiary DNS Server. The DNS server that the network hosts use to resolve hostnames if the primary and secondary servers do not respond.
10. Click OK.
11. Optional: Define DHCP subnets on other Gaia interfaces, as needed.
12. In the main DHCP Server page, select Enable DHCP Server.
13. Click Apply.

The DHCP server on Gaia is now configured and enabled. You can now configure your network hosts to get their network parameters from the DHCP server on Gaia.

You should probably create a rule allowing DHCP: Allow DHCP Traffic on Checkpoint Firewalls - Networking - Spiceworks 

16 Replies
Anu_Cherian
Nickel

Re: R80.10 NAT issue

We have 6 usable IP address and one is assigned to HP interface and one to checkpoint external IP.

The Mgmt IP address is different from the external IP.

Danny
Pearl

Re: R80.10 NAT issue

Q1: What is SmartLog showing?

Q2: What is the output of the following command, when executed on your appliance while you are pinging 8.8.8.8 from your internal client?

fw monitor -e 'accept(src=8.8.8.8 or dst=8.8.8.8);'
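The fw monitor capture Danny asks for shows each packet at the four inspection points (i and I on the ingress interface, o and O on the egress interface), so the NAT translation and the missing return traffic are visible line by line. The following script is an added example, not code from Danny, the original poster, or Check Point: it parses the per-packet header line in a simplified form of fw monitor's usual format (an assumption), groups the outbound request and the reply by inspection point, and names the first point at which the flow stops. All addresses, interface names and capture lines are constructed for the example.

```python
import re

# Assumed line format, modelled on fw monitor's per-packet header line
# (constructed for this example; real output carries extra protocol lines).
LINE_RE = re.compile(
    r"\[vs_\d+\]\[fw_\d+\]\s+(?P<iface>\w+):(?P<point>[iIoO])\[\d+\]:\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+\((?P<proto>\w+)\)"
)

CLIENT_IP = "192.168.10.25"     # constructed: internal client doing the ping
GATEWAY_EXT_IP = "203.0.113.2"  # constructed: gateway's external (hide NAT) address
TARGET_IP = "8.8.8.8"

# Constructed capture reproducing the symptom in the thread: the request is
# accepted, hide NAT rewrites the source at O on eth1, but nothing comes back.
SYMPTOM_CAPTURE = [
    "[vs_0][fw_0] eth2:i[60]: 192.168.10.25 -> 8.8.8.8 (ICMP) len=60 id=1",
    "[vs_0][fw_0] eth2:I[60]: 192.168.10.25 -> 8.8.8.8 (ICMP) len=60 id=1",
    "[vs_0][fw_0] eth1:o[60]: 192.168.10.25 -> 8.8.8.8 (ICMP) len=60 id=1",
    "[vs_0][fw_0] eth1:O[60]: 203.0.113.2 -> 8.8.8.8 (ICMP) len=60 id=1",
]

# Constructed capture of a healthy flow: the reply arrives for the gateway IP
# at i, is already un-NATed to the client at I, and leaves O on eth2.
HEALTHY_CAPTURE = SYMPTOM_CAPTURE + [
    "[vs_0][fw_0] eth1:i[60]: 8.8.8.8 -> 203.0.113.2 (ICMP) len=60 id=2",
    "[vs_0][fw_0] eth1:I[60]: 8.8.8.8 -> 192.168.10.25 (ICMP) len=60 id=2",
    "[vs_0][fw_0] eth2:o[60]: 8.8.8.8 -> 192.168.10.25 (ICMP) len=60 id=2",
    "[vs_0][fw_0] eth2:O[60]: 8.8.8.8 -> 192.168.10.25 (ICMP) len=60 id=2",
]


def parse(lines):
    """Return one dict per line that matches the assumed fw monitor header format."""
    return [m.groupdict() for m in map(LINE_RE.search, lines) if m]


def diagnose(pkts, client_ip=CLIENT_IP, gw_ip=GATEWAY_EXT_IP, target_ip=TARGET_IP):
    """Name the first inspection point where the client<->target flow breaks."""
    req = {}  # inspection point -> source IP seen on the outbound request
    rep = {}  # inspection point -> destination IP seen on the reply
    for p in pkts:
        if p["dst"] == target_ip and p["src"] in (client_ip, gw_ip):
            req[p["point"]] = p["src"]
        elif p["src"] == target_ip and p["dst"] in (client_ip, gw_ip):
            rep[p["point"]] = p["dst"]

    if "i" not in req:
        # Client traffic never reaches the gateway: client default gateway / L2 path.
        return "no-request-at-gateway"
    if "O" not in req:
        # Seen at i but never left: rulebase or anti-spoofing drop (fw ctl zdebug drop).
        return "request-dropped-in-gateway"
    if req["O"] == client_ip:
        # Left with the private source address: the hide NAT rule did not match.
        return "hide-nat-not-applied"
    if "i" not in rep:
        # Translated request left, nothing returned: upstream routing/ARP for the /29.
        return "no-reply-from-upstream"
    if rep.get("O") != client_ip:
        # Reply arrived but was not un-NATed and forwarded to the client.
        return "reply-dropped-or-not-untranslated"
    return "ok"


if __name__ == "__main__":
    for name, capture in (("symptom", SYMPTOM_CAPTURE), ("healthy", HEALTHY_CAPTURE)):
        print(f"{name}: {diagnose(parse(capture))}")
```

Run it against a saved fw monitor capture (one header line per packet) after substituting the real client, gateway and target addresses; the verdict strings map onto the checks raised later in this thread (NAT rule matching, default route and /29 route on the router, rulebase drops).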
Anu_Cherian
Nickel

Re: R80.10 NAT issue

Thanks for the prompt response Danny. I will share the results tomorrow

Anu_Cherian
Nickel

Re: R80.10 NAT issue

Hi Danny,

I can ping 8.8.8.8 and other internet IP now. But now I cannot access any websites. Looks like some DNS resolve issue. Do I need to specify any DNS objects for accessing internet?

Thank you


Re: R80.10 NAT issue

Being able to successfully ping but not do anything else (such as DNS) can be indicative of an empty or misconfigured APCL/URLF layer.  This is because ping/ICMP is not technically an "application" and can be fully allowed by just the Network layer.  However DNS and HTTP are "applications", so not only must the initial packets of these be allowed by the Network layer, but the APCL/URLF layer (if present) must have an Accept action for them as well.  In the CCSA class labs I've had students forget to set the explicit and/or implied Cleanup rule action to "Accept" in their APCL/URLF layer (with Track set to None of course) and seen this confusing effect numerous times.  fw ctl zdebug drop to the rescue...

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
Anu_Cherian
Nickel

Re: R80.10 NAT issue

Thank you Tim 

Apologise for the delay in response. I was able to fix the issue by setting policies and the DNS is working now. When I thought the issues were all fixed, there seems to be an issue with DHCP. We have three networks behind Checkpoint FW: Internal, Management and DMZ. We have DHCP enabled for all the interfaces, but when I connect the system to Checkpoint FW, I am not getting any DHCP address.

On the DMZ network I have one wireless router connected and which serves as a DHCP server for the DMZ clients. 

It seems that only static IP addressing is working for all checkpoint Interfaces for which DHCP is enabled.

I read on one of the threads that clearing the connection table on checkpoint may fix the issue. What could be the issue which is preventing Checkpoint from acting as DHCP server?

I assume it is not a best practice to make Checkpoint the DHCP server, but since there are only a few clients behind the FW, it wouldn't take much resources.

Really appreciate your advice. Thanks once again for your time and support

Anu_Cherian
Nickel

Re: R80.10 NAT issue

Thank you Vladimir

Yes, I followed all of the steps for DHCP. Even though I had DHCP policies enabled, I will try your suggested link and let you know.

Thank you


Re: R80.10 NAT issue

Also just for future reference, make sure you are setting up DHCP Relay the "new" way which is much improved in R77.20 and later: sk104114: Configuration of IPv4 BOOTP/DHCP Relay using new services instead of the old/legacy way: sk98839: Configuration of IPv4 BOOTP/DHCP Relay using legacy services

Depending on what DHCP Relay documentation you are working with, it is not always clear which method is being referenced which can be quite confusing.

Vladimir
Pearl

Re: R80.10 NAT issue

Tim, I do not think that he is relaying, what I gathered is that he is serving DHCPs from the GAiA.

Would the relaying configuration still be necessary or pertinent in this or similar case(s)?

Re: R80.10 NAT issue

You're right Vladimir Yakovlev, misread his post. DHCP Relay setup is not necessary for straight-up DHCP.

Anu_Cherian
Nickel

Re: R80.10 NAT issue

Hi Tim, I was trying to get the DHCP services to my internal network. No relay required as we don't have any DHCP services outside of our network.

Appreciate your time and support

Thank you so much

Anu_Cherian
Nickel

Re: R80.10 NAT issue

Thank you Vladimir

The link Allow DHCP Traffic on Checkpoint Firewalls - Networking - Spiceworks resolved the issue.

I was using rules/policies with services - dhcp-request and dhcp-reply, which I thought would help in DHCP requests. I declared source as firewall, and destination as internal network, and it didn't work as desired. 

Looks like dhcp-rep-localmodule and dhcp-req-localmodule is the correct one for local dhcp requests. Please do note that there is a delay for the DHCP services to get activated. 

Thank you so much for your time and help

Vladimir
Pearl

Re: R80.10 NAT issue

Did you check the obvious: i.e.:

1. if you have a route on the router pointing entire /29 network to the Check Point's external interface's IP?

2. If you have a default route configured on Check Point with your router as the Next Hop?

3. If you are using "Hide NAT", are you hiding behind Gateway's IP or one of the other 6?

4. Do you permit ICMP in the rule base or the Global Properties? 

Anu_Cherian
Nickel

Re: R80.10 NAT issue

Thank you Vladimir

Yes, I have one route pointing the /29 to the Checkpoint external interface, i.e. eth1 (not the IP address).

I have default route configured on checkpoint with router as next Hop

Hide NAT is set as hiding behind Gateway's IP

ICMP is permitted in Global properties

Vladimir
Pearl

Re: R80.10 NAT issue

If you can collect tcpdump on the router, please check if the replies for ICMP generated from behind checkpoint are coming back. If they do, check the destination mac address in replies. Compare that with mac of Check Point's external interface and let me know what you are seeing.

When you are saying that you have a route pointing to the checkpoint's external interface eth1, please explain how it is done. If I recall correctly, in the Cisco world you could point to its own interface as a gateway, but not at the physical port of the connected device.

Incidentally, "Cisco highly recommends that you specify the outbound interface and the next hop IP address when you configure static routes." Specify a Next Hop IP Address for Static Routes - Cisco 

Your router's port may be ARPing the entire /29.
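Vladimir's check is a layer-2 one: capture on the router's LAN-facing port, confirm the ICMP replies for the gateway's external IP are actually arriving, and compare the destination MAC on those replies with the MAC of the Check Point's external interface. The script below is an added example, not code from Vladimir, the original poster, or Check Point. It assumes the capture was taken with tcpdump -e -n (link-layer headers, no name resolution) and parses that line format; it also records which MAC answers ARP for the gateway IP, since a second host answering for that address would explain replies going elsewhere. The addresses, MACs and capture lines are constructed, and the sample deliberately shows replies delivered to a MAC that is not the gateway's.

```python
import re

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"

# Assumed tcpdump -e -n line layout: timestamp, src MAC > dst MAC, ethertype,
# frame length, then the protocol-specific payload text.
FRAME_RE = re.compile(
    rf"^\S+\s+(?P<src_mac>{MAC}) > (?P<dst_mac>{MAC}), "
    r"ethertype (?P<ethertype>IPv4|ARP) \(0x[0-9a-f]{4}\), length \d+: (?P<payload>.*)$"
)
ICMP_RE = re.compile(r"^(?P<src_ip>[\d.]+) > (?P<dst_ip>[\d.]+): ICMP echo (?P<kind>request|reply)")
ARP_REPLY_RE = re.compile(rf"^Reply (?P<ip>[\d.]+) is-at (?P<mac>{MAC})")

GATEWAY_IP = "203.0.113.2"            # constructed: Check Point external IP
GATEWAY_MAC = "00:1c:7f:00:00:10"     # constructed: Check Point eth1 MAC
ROUTER_MAC = "00:50:56:aa:bb:01"      # constructed: HP router LAN port MAC

# Constructed capture: ARP for the gateway IP is answered correctly, the echo
# requests go out, but the replies are delivered to a third MAC instead.
SAMPLE_CAPTURE = [
    f"10:15:00.500100 {ROUTER_MAC} > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: "
    f"Request who-has {GATEWAY_IP} tell 203.0.113.1, length 28",
    f"10:15:00.500300 {GATEWAY_MAC} > {ROUTER_MAC}, ethertype ARP (0x0806), length 42: "
    f"Reply {GATEWAY_IP} is-at {GATEWAY_MAC}, length 28",
    f"10:15:01.000100 {GATEWAY_MAC} > {ROUTER_MAC}, ethertype IPv4 (0x0800), length 98: "
    f"{GATEWAY_IP} > 8.8.8.8: ICMP echo request, id 7, seq 1, length 64",
    f"10:15:01.020100 {ROUTER_MAC} > 00:50:56:aa:bb:02, ethertype IPv4 (0x0800), length 98: "
    f"8.8.8.8 > {GATEWAY_IP}: ICMP echo reply, id 7, seq 1, length 64",
    f"10:15:02.000100 {GATEWAY_MAC} > {ROUTER_MAC}, ethertype IPv4 (0x0800), length 98: "
    f"{GATEWAY_IP} > 8.8.8.8: ICMP echo request, id 7, seq 2, length 64",
    f"10:15:02.020100 {ROUTER_MAC} > 00:50:56:aa:bb:02, ethertype IPv4 (0x0800), length 98: "
    f"8.8.8.8 > {GATEWAY_IP}: ICMP echo reply, id 7, seq 2, length 64",
]


def audit_replies(lines, gateway_ip, gateway_mac):
    """Count where echo replies for gateway_ip are delivered and who answers ARP for it."""
    report = {
        "replies_to_gateway_mac": 0,
        "replies_to_other_macs": {},        # dst MAC -> count
        "arp_answers_for_gateway_ip": set(),
    }
    for line in lines:
        m = FRAME_RE.match(line)
        if not m:
            continue
        payload = m.group("payload")
        if m.group("ethertype") == "ARP":
            a = ARP_REPLY_RE.match(payload)
            if a and a.group("ip") == gateway_ip:
                report["arp_answers_for_gateway_ip"].add(a.group("mac"))
            continue
        ic = ICMP_RE.match(payload)
        if ic and ic.group("kind") == "reply" and ic.group("dst_ip") == gateway_ip:
            dst_mac = m.group("dst_mac")
            if dst_mac == gateway_mac:
                report["replies_to_gateway_mac"] += 1
            else:
                others = report["replies_to_other_macs"]
                others[dst_mac] = others.get(dst_mac, 0) + 1
    return report


def verdict(report, gateway_mac):
    """Turn the counts into the one finding to chase next."""
    if report["arp_answers_for_gateway_ip"] - {gateway_mac}:
        return "another-host-answers-arp-for-gateway-ip"
    if report["replies_to_gateway_mac"] == 0 and report["replies_to_other_macs"]:
        return "replies-forwarded-to-wrong-mac"
    if report["replies_to_gateway_mac"] == 0:
        return "no-replies-seen"
    return "replies-reach-gateway"


if __name__ == "__main__":
    rep = audit_replies(SAMPLE_CAPTURE, GATEWAY_IP, GATEWAY_MAC)
    print(rep)
    print(verdict(rep, GATEWAY_MAC))
```

Feed it the text of a real capture (tcpdump -e -n icmp or arp on the router-side port, saved to a file) with the gateway's actual external IP and MAC; "no-replies-seen" points upstream of the router, while the two MAC-related verdicts point at the router's route or ARP handling for the /29.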