CheckMates (Products > Quantum > Management)
Accessing the internet with checkpoint FW
I have set up on my workstation environment a Checkpoint FW R80.10 vm. And after configuring it my other machines cannot access the internet.
The configuration is as follows:
I have several machines configured in a LAN segment together with an adapter of the firewall.
I have another adapter of the firewall configured in a NAT in order to access the internet.
All of my machines' default gateway is 192.168.1.1 (The ip of FW adapter in the LAN segment).
The machines inside the LAN can ping one another and also both IPs of the FW, but cannot access any address on the internet or 172.16.44.2.
When I try to ping addresses on the internet or 172.16.44.2 through the CLI of the firewall it does work.
My routing monitor is as follows:
and the only rule I have is:
What could be the error in my configuration, or what have I missed that still needs to be configured?
You have not shown how you configured NAT in Check Point.
What is your precise NAT configuration with screenshots?
As a separate question, why R80.10 and not a later release?
R80.40 is the widely recommended release now and R80.10 is at least 3 years old.
This is what I have configured for the NAT. I haven't touched any further configurations.
This release is the first one that I found, didn't think of looking for a newer one.
How are your interfaces configured in the gateway object (under Network Management)?
Also what precise IP is listed in the General tab?
The interfaces and the IP are configured as follows:
Hi,
I have actually done a similar setup for a Check Point lab.
It's multiple videos, but it should include all steps for getting it to work.
Regards,
Magnus
Not sure what I did wrong before, but following those videos did help. Thank you!
Please check if you are getting ARP from the next hop/gateway (show arp dynamic all).
Check the route on the firewall (show route destination (destination IP)).
You should be able to ping 172.16.44.2 from the firewall (try ping -I eth0 172.16.44.2).
I do see the next gateway using "show arp dynamic all".
And I am able to ping the address when using "ping 172.16.44.2", but when using "ping -I eth0 172.16.44.2" I get "ping: bad preload value should be 1..65536".
Hi @Divothy
Thanks. If you are able to ping the next hop, then please move further.
Use the tcpdump below and initiate the traffic from source to destination.
tcpdump -Peni any host 172.16.44.2 (this ip should be your destination IP)
You need access to expert mode to run the above command.
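Added example, not from the thread or from Check Point: a POSIX shell script that reads a capture of the kind the tcpdump above produces (reduced to direction and addresses) and reports which leg of the hide-NAT exchange is missing. The hide address 172.16.44.152 and destination 172.16.44.2 are the thread's; the LAN host 192.168.1.10 and the sample capture are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a saved "tcpdump -Peni any host <dst>"
# capture for the hide-NAT path LAN host -> gateway -> 172.16.44.2.
# Addresses from the thread: gateway external IP 172.16.44.152 (used as the hide address),
# destination 172.16.44.2. The LAN host 192.168.1.10 is an assumption.
LAN_HOST=192.168.1.10
HIDE_IP=172.16.44.152
DST=172.16.44.2

# Constructed sample capture, reduced to direction and "src > dst" (real -e output
# also carries MAC addresses and ethertype; strip those with awk before feeding it in).
SAMPLE_CAPTURE=$(cat <<'EOF'
10:00:01.000001 In 192.168.1.10 > 172.16.44.2: ICMP echo request, id 1, seq 1
10:00:01.000002 Out 172.16.44.152 > 172.16.44.2: ICMP echo request, id 1, seq 1
10:00:01.000003 In 172.16.44.2 > 172.16.44.152: ICMP echo reply, id 1, seq 1
10:00:01.000004 Out 172.16.44.2 > 192.168.1.10: ICMP echo reply, id 1, seq 1
EOF
)

# count_pkts CAPTURE DIRECTION SRC DST: number of lines for that direction and address pair.
count_pkts() {
  printf '%s\n' "$1" | awk -v d="$2" -v s="$3" -v t="$4" \
    '$2 == d && $3 == s && $5 == (t ":") { n++ } END { print n + 0 }'
}

# diagnose_nat CAPTURE: walk the four legs of a hide-NAT exchange and report the first
# leg that is missing. Exit status 0 means every leg was seen.
diagnose_nat() {
  cap=$1
  in_req=$(count_pkts "$cap" In "$LAN_HOST" "$DST")     # client -> gateway, original source
  out_raw=$(count_pkts "$cap" Out "$LAN_HOST" "$DST")   # forwarded WITHOUT translation
  out_nat=$(count_pkts "$cap" Out "$HIDE_IP" "$DST")    # forwarded with hidden source
  reply=$(count_pkts "$cap" In "$DST" "$HIDE_IP")       # reply addressed to the hide IP
  back=$(count_pkts "$cap" Out "$DST" "$LAN_HOST")      # reply un-translated to the client
  if [ "$in_req" -eq 0 ]; then
    echo "no packets from $LAN_HOST reached the gateway: check the client's default gateway and LAN segment"; return 1
  elif [ "$out_raw" -gt 0 ]; then
    echo "packets left with source $LAN_HOST untranslated: the hide NAT rule is not matching"; return 2
  elif [ "$out_nat" -eq 0 ]; then
    echo "request not forwarded: check the rulebase, anti-spoofing and the route to $DST"; return 3
  elif [ "$reply" -eq 0 ]; then
    echo "no reply from $DST: check that it routes back to $HIDE_IP (and allows ICMP)"; return 4
  elif [ "$back" -eq 0 ]; then
    echo "reply not translated back to $LAN_HOST"; return 5
  fi
  echo "hide NAT path complete"; return 0
}

diagnose_nat "$SAMPLE_CAPTURE"
```

Feed it a real capture with `diagnose_nat "$(awk '{print $1, $2, $(NF-8), $(NF-7), $(NF-6)}' capture.txt)"` only after checking which fields your tcpdump build prints; the field positions vary with -e.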
Missing NAT configuration in Check Point, improperly configured network adapters in your virtualization software, or even anti-spoofing somewhere between you and the Internet.
How should NAT be configured in Check Point then?
In your scenario, the easiest NAT rule would be to create one and leave all columns at their defaults, but Translated Source would be the firewall object, with Method set to Hide.
If the object's main IP is the internal address, NAT won't work.
Same for your auto NAT config.
Then create a host object using the same external address as the firewall object and use this as the hiding address.
Or use the external address of the gateway as the main address.
I tried doing so, but such a rule fails installation. It says it is invalid to use <Any> in Source of Address Translation; <Any> is valid only if the matching Translated column is <Original>.
I tried setting the original source to the firewall object, but that did not help.
The main IP of the object is the external one.
Does 172.16.44.2 have a route out to the Internet, and is it configured to act as a gateway for the 172.16.44.0 network?
As to ICMP replies from the LAN, please either enable ICMP in Global Properties, or add an explicit rule for ICMP allow + log in your policy.
Also, check the Network Topology of the gateway and make sure that the interface with IP 172.16.44.152 is declared "External, leading to the Internet" and that the LAN interface is configured accordingly.
Also, in Global Properties, check "Log Implied Rules" to see extended troubleshooting data, such as anti-spoofing events.
