Divothy
Participant

Accessing the internet with checkpoint FW

I have set up a Check Point FW R80.10 VM in my workstation environment, and after configuring it my other machines cannot access the internet.

The configuration is as follows:

I have several machines configured in a LAN segment together with an adapter of the firewall.

I have another adapter of the firewall configured in a NAT in order to access the internet.

All of my machines' default gateway is 192.168.1.1 (The ip of FW adapter in the LAN segment).

The machines inside the LAN can ping one another and also both IPs of the FW, but cannot access any address on the internet or 172.16.44.2.

When I try to ping addresses on the internet or 172.16.44.2 through the CLI of the firewall it does work.

 

diagram.png

My routing monitor is as follows:

routing monitor.png

and the only rule I have is:

only rule.png

What could be the error in my configuration, or what have I missed that still need to be configured?

 

 

0 Kudos
14 Replies
PhoneBoy
Admin

You have not shown how you configured NAT in Check Point.
What is your precise NAT configuration with screenshots?

As a separate question, why R80.10 and not a later release?
R80.40 is the widely recommended release now and R80.10 is at least 3 years old.

0 Kudos
Divothy
Participant

This is what I have configured for the NAT. I haven't touched any further configurations.

nat configuration.png

 

This release is the first one that I found, didn't think of looking for a newer one.

0 Kudos
PhoneBoy
Admin

How are your interfaces configured in the gateway object (under Network Management)?
Also what precise IP is listed in the General tab?

0 Kudos
Divothy
Participant

The interfaces and the IP are configured as follows:

eth0.png

eth1.png

general ip.png

0 Kudos
Magnus-Holmberg
Advisor

Hi,

I have actually done a similar setup for a Check Point lab.
It's multiple videos, but it should include all steps for getting it to work.


Regards,
Magnus

https://www.youtube.com/c/MagnusHolmberg-NetSec
0 Kudos
Divothy
Participant

Not sure what I did wrong before, but following those videos did help. Thank you!

0 Kudos
amdhim0004
Contributor

Please check if you are getting ARP from the next hop/gateway. (show arp dynamic all)

Check the route on the firewall (show route destination (destination IP)).

You should be able to ping 172.16.44.2 from the firewall. (try ping -I eth0 172.16.44.2)

0 Kudos
Divothy
Participant

I do see the next gateway using "show arp dynamic all".

And I am able to ping the address when using "ping 172.16.44.2", but when using "ping -I eth0 172.16.44.2" I get "ping: bad preload value should be 1..65536".

amdhim0004
Contributor

Hi @Divothy 

Thanks. If you are able to ping the next hop, then please move further.

Use below tcpdump and initiate the traffic from source to destination.

tcpdump -Peni any host 172.16.44.2 (this IP should be your destination IP)

You need access to expert mode to run the above command. 

0 Kudos
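To read the capture that the command above produces, an added example that is not part of the thread: a small Python parser over constructed tcpdump-style lines. The lines approximate the `timestamp direction IP src > dst: ICMP echo ...` layout a `tcpdump -nni any` capture on the gateway prints; the addresses are the thread's, and the LAN host address 192.168.1.10 is an assumption. It tells apart the four outcomes a practitioner looks for at this step: nothing captured at all, the request forwarded untranslated and unanswered, the request hidden but unanswered, and a complete working exchange.

```python
"""Classify a tcpdump capture taken on the gateway for a LAN host's ping.
Added example, not from the thread or from Check Point. The capture lines are
constructed and only approximate the layout of `tcpdump -nni any` output;
the parser is deliberately tolerant and looks only for the IP pair and the
ICMP echo type, so the exact prefix does not matter."""
import re

# Matches "<src> > <dst>: ICMP echo request|reply" anywhere in a line.
PKT = re.compile(r"(\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ICMP echo (request|reply)")

# Constructed capture: what the original poster's setup would show. The request
# arrives on the LAN side and leaves the external side with its source unchanged,
# and nothing ever comes back (192.168.1.10 is an assumed LAN host address).
BROKEN_CAPTURE = """\
10:00:01.000100 In  IP 192.168.1.10 > 172.16.44.2: ICMP echo request, id 7, seq 1, length 64
10:00:01.000150 Out IP 192.168.1.10 > 172.16.44.2: ICMP echo request, id 7, seq 1, length 64
10:00:02.000100 In  IP 192.168.1.10 > 172.16.44.2: ICMP echo request, id 7, seq 2, length 64
10:00:02.000150 Out IP 192.168.1.10 > 172.16.44.2: ICMP echo request, id 7, seq 2, length 64
"""

# Constructed capture with hide NAT behind the external address working: the
# request leaves as 172.16.44.152, the reply comes back to it and is translated
# back to the LAN host on the way in.
WORKING_CAPTURE = """\
10:05:01.000100 In  IP 192.168.1.10 > 172.16.44.2: ICMP echo request, id 9, seq 1, length 64
10:05:01.000150 Out IP 172.16.44.152 > 172.16.44.2: ICMP echo request, id 9, seq 1, length 64
10:05:01.000900 In  IP 172.16.44.2 > 172.16.44.152: ICMP echo reply, id 9, seq 1, length 64
10:05:01.000950 Out IP 172.16.44.2 > 192.168.1.10: ICMP echo reply, id 9, seq 1, length 64
"""


def classify(capture, lan_host, hiding_address):
    """Count the ICMP packets involving lan_host / hiding_address and return
    (counts, verdict). Requests sourced from lan_host include the untranslated
    copy seen on the LAN side, so a working exchange still counts one of them."""
    seen = {"req_from_lan": 0, "req_from_hide": 0, "rep_to_hide": 0, "rep_to_lan": 0}
    for line in capture.splitlines():
        m = PKT.search(line)
        if not m:
            continue
        src, dst, kind = m.groups()
        if kind == "request" and src == lan_host:
            seen["req_from_lan"] += 1
        elif kind == "request" and src == hiding_address:
            seen["req_from_hide"] += 1
        elif kind == "reply" and dst == hiding_address:
            seen["rep_to_hide"] += 1
        elif kind == "reply" and dst == lan_host:
            seen["rep_to_lan"] += 1

    if not any(seen.values()):
        verdict = ("nothing captured: dropped before forwarding (policy or anti-spoofing) "
                   "or the packet never reached the gateway")
    elif seen["rep_to_lan"]:
        verdict = "working: request hidden on the way out, reply translated back to the LAN host"
    elif seen["req_from_hide"]:
        verdict = "NAT applied but no reply: check the upstream router and anti-spoofing on eth0"
    else:
        verdict = "request left untranslated and unanswered: hide NAT is not being applied"
    return seen, verdict


if __name__ == "__main__":
    for name, cap in (("broken", BROKEN_CAPTURE), ("working", WORKING_CAPTURE)):
        counts, verdict = classify(cap, "192.168.1.10", "172.16.44.152")
        print(f"{name}: {counts} -> {verdict}")
```

Run it against a real capture by reading the tcpdump output into `classify()` in place of the constructed strings; the verdicts map directly onto the later replies in the thread (missing NAT rule, wrong hiding address, or anti-spoofing on the external interface).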
MartinTzvetanov
Advisor

Missing NAT configuration on the Check Point, or not properly configured network adapters in your virtualization software, or even anti-spoofing somewhere between you and the Internet.

Divothy
Participant

How should NAT be configured on the Check Point then?

0 Kudos
Vincent_Bacher
Advisor

In your scenario, the easiest NAT rule would be to create one and leave all columns at their defaults, except that Translated Source would be the firewall object, with Method set to Hide.

If the object's main IP is the internal address, NAT won't work.

Same for your auto NAT config.

Then create a host object using the same external address as the firewall object and use this as the hiding address.

Or use the external address of the gateway as the main address.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
Divothy
Participant

I tried doing so but such a rule is failing in installation. It says it is invalid to use <Any> in Source of Address Translation, <Any> is valid only if the matching Translated column is <Original>.
I tried setting original source to the firewall object but that did not help.

The main IP of the object is the external

0 Kudos
Vladimir
Champion

Does the 172.16.44.2 have a route out to the Internet, and is it configured to act as a gateway for the 172.16.44.0 network?

As to ICMP replies from LAN, please either enable ICMP in Global properties, or add an explicit rule for ICMP allow + log in your policy.

Also, check the Networking Topology of the gateway and make sure that the interface with IP 172.16.44.152 is declared "External, leading to the Internet" and that the LAN interface configured accordingly.

Also, in Global properties, check "log Implied rules" to see extended troubleshooting data, such as antispoofing events.

 

0 Kudos
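The checks in the last two replies (hide behind the external address rather than an internal main IP; declare the 172.16.44.152 interface as external so returning packets pass anti-spoofing; make sure ICMP is accepted and that 172.16.44.2 really routes onward) can be walked through in a toy model of the lab. This is an added example, not Check Point code: it models the generic firewall, NAT and topology-based anti-spoofing behaviour the replies describe, not the product's exact implementation. Interface addresses are the thread's; the LAN host address 192.168.1.10, the rulebase and the upstream router's routing are assumptions.

```python
"""Toy walk-through of the thread's lab: a gateway with LAN interface eth1
(192.168.1.1/24) and external interface eth0 (172.16.44.152/24) behind the
VMware NAT router 172.16.44.2. A LAN host's ping goes through anti-spoofing,
the policy, hide NAT and routing, and the reply path is checked.
Added example, not Check Point code; it models the generic behaviour the
replies describe, not the product's exact implementation."""
import ipaddress

UPSTREAM_ROUTER = "172.16.44.2"   # VMware NAT device; assumed to deliver only to 172.16.44.0/24
LAN_HOST = "192.168.1.10"         # assumed LAN workstation address


def make_gateway(ext_topology="external", lan_topology="internal"):
    """Interface table as the gateway object's Network Management tab would describe it."""
    return {
        "eth1": {"ip": "192.168.1.1", "net": ipaddress.ip_network("192.168.1.0/24"),
                 "topology": lan_topology},
        "eth0": {"ip": "172.16.44.152", "net": ipaddress.ip_network("172.16.44.0/24"),
                 "topology": ext_topology},
    }


def antispoof_ok(gw, iface, src):
    """Topology-based anti-spoofing: an internal interface only accepts sources from
    the network behind it; an external one rejects sources belonging to any internal
    network."""
    src = ipaddress.ip_address(src)
    if gw[iface]["topology"] == "internal":
        return src in gw[iface]["net"]
    return not any(src in i["net"] for i in gw.values() if i["topology"] == "internal")


def ingress_iface(gw, src):
    """Interface a packet with this source arrives on (connected networks, else eth0)."""
    src = ipaddress.ip_address(src)
    return next((n for n, i in gw.items() if src in i["net"]), "eth0")


def route(gw, dst):
    """Connected networks first, otherwise the default route via the upstream router."""
    dst = ipaddress.ip_address(dst)
    for name, i in gw.items():
        if dst in i["net"]:
            return name, None
    return "eth0", UPSTREAM_ROUTER


def simulate(gw, src, dst, hiding_address=None, icmp_allowed=True, upstream_has_internet=True):
    """Return a verdict string for an ICMP echo from src to dst and for its reply.
    Traffic sourced from the gateway's own external address is treated like any
    other packet entering eth0, which is enough to reproduce 'ping from the FW works'."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    in_if = ingress_iface(gw, src)
    if not antispoof_ok(gw, in_if, src):
        return f"dropped: anti-spoofing on {in_if} rejects source {src}"
    if not icmp_allowed:  # ICMP accepted via Global Properties or an explicit rule
        return "dropped: no rule accepts ICMP"
    out_if, next_hop = route(gw, dst)
    if out_if != "eth0":
        return f"delivered on {out_if}, no NAT"
    # Hide NAT rule as suggested in the replies: Original Source = LAN, Translated
    # Source = hiding address, Method = Hide. No hiding address means no NAT rule.
    new_src = hiding_address if (hiding_address and src_ip in gw["eth1"]["net"]) else src
    if next_hop and not upstream_has_internet and dst_ip not in gw["eth0"]["net"]:
        return f"no reply: {next_hop} has no route to the Internet"
    # Reply path: the 172.16.44.0/24 side can only return packets to that segment,
    # so a LAN source, or a hiding address taken from the LAN, never gets an answer.
    if ipaddress.ip_address(new_src) not in gw["eth0"]["net"]:
        return f"no reply: nothing on {gw['eth0']['net']} can route back to {new_src}"
    # The reply enters eth0 sourced from dst and is anti-spoofing checked there; an
    # eth0 declared 'internal' rejects every Internet source.
    if not antispoof_ok(gw, "eth0", dst):
        return f"reply dropped: anti-spoofing on eth0 rejects source {dst}"
    return f"ok: {src} seen upstream as {new_src}, reply delivered"


if __name__ == "__main__":
    gw = make_gateway()
    print(simulate(gw, LAN_HOST, "8.8.8.8"))                                   # original symptom
    print(simulate(gw, LAN_HOST, UPSTREAM_ROUTER))                              # same for 172.16.44.2
    print(simulate(gw, "172.16.44.152", "8.8.8.8"))                             # ping from the gateway
    print(simulate(gw, LAN_HOST, "8.8.8.8", hiding_address="172.16.44.152"))    # hide behind external IP
    print(simulate(gw, LAN_HOST, "8.8.8.8", hiding_address="192.168.1.1"))      # hide behind internal IP
    print(simulate(make_gateway(ext_topology="internal"), LAN_HOST, "8.8.8.8",
                   hiding_address="172.16.44.152"))                             # wrong topology on eth0
```

The six cases in the `__main__` block reproduce, in order, the original symptom (no NAT rule), the same for the directly connected 172.16.44.2, why pinging from the gateway itself works, the fix, the "main IP is internal" trap, and the anti-spoofing failure when the Internet-facing interface is declared internal.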