This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ilmo_Anttonen
Collaborator
‎2018-11-08 12:02 PM
Jump to solution

Hide NAT issues with virtual addresses

Hi,

In a scenario where I have a lets say /29 routable network and I use one of the addresses for my Internet interface. Behind this address I hide most of my Internal networks, which works just fine. Then I want to hide my guest network behind one of the remaining addresses. Or maybe a SIP server because my ISP want's my SIP traffic on it's own IP address. I want to use hide method so that I can hide more objects behind that address in the future

So, I either make a manual entry like:

Src addrDst addrServiceXlate SrcXlate Dst

Xlate Service

RFC1918-serversome-server-on-the-Internet5060(H)One-of-my-ext-addrOriginalOriginal
RFC1918-Guest_netanyany(H)One-of-my-ext-addrOriginalOriginal

Or I can select hide behind one of my external addresses on the network/host object.


I make sure these NAT rules come before any automatic or other rules that would affect the result and my gateway is not hiding these addresses. I have also made sure the ARP boxes are ticked under global properties NAT section. My Internet interface IP address is defined with the /29 mask. If i type 'route' in the cli the network is in the table.

If I hide these hosts behind the gateway address it all works. 
Where do I look?

I am asking because I recently found this problem at two of my clients and I haven't figured it out yet. The affected environments are R80.20M1 Mgmt + R80.10 GW and full R80.20.

/ Ilmo

1 Solution

Accepted Solutions
Vladimir
Champion
Champion
‎2018-11-08 01:36 PM
In response to Ilmo_Anttonen
Jump to solution

I believe this is described here:

Automatic creation of Proxy ARP for Manual NAT rules on Security Gateway R80.10 

Automatic Proxy ARP works fine with Statically NATed objects out of the box though, if you are using NAT definition in the properties of the objects themselves, not the Manual NAT rules.

View solution in original post

0 Kudos
6 Replies
Vladimir
Champion
Champion
‎2018-11-08 12:50 PM
Jump to solution

Ilmo, could you state what is the problem that you are seeing?

Perhaps I am missing something, but I couldn't figure out what it is from your post.

0 Kudos
Ilmo_Anttonen
Collaborator
‎2018-11-08 01:09 PM
In response to Vladimir
Jump to solution

The exempel NAT doesn’t work. I was wondering if there are any obvious issues or pitfalls with this configuration. 

I haven’t had time to investigate more than briefly on the first site and today I encountered it again at another client site. 

The outside NAT address does not show when I run fw ctl arp and tcpdump on the outside interface shows no matching traffic. On the inside I see the traffic. That’s pretty much all I had time to check so far.  

0 Kudos
Vladimir
Champion
Champion
‎2018-11-08 01:36 PM
In response to Ilmo_Anttonen
Jump to solution

I believe this is described here:

Automatic creation of Proxy ARP for Manual NAT rules on Security Gateway R80.10 

Automatic Proxy ARP works fine with Statically NATed objects out of the box though, if you are using NAT definition in the properties of the objects themselves, not the Manual NAT rules.

0 Kudos
Ilmo_Anttonen
Collaborator
‎2018-11-08 02:02 PM
In response to Vladimir
Jump to solution

Yes, that looks spot on!

I suggested testing the object hide NAT to see if it would change anything but they said that it wouldn't fly because the NAT rule would be shadowed by the higher up manual entries in the NAT policy. But looks like it would work! I will test it on next occasion and report back. Many thanks!

0 Kudos
Vladimir
Champion
Champion
‎2018-11-08 02:17 PM
In response to Ilmo_Anttonen
Jump to solution

You are welcome.

Please do let us know if this is the right solution.

0 Kudos
Ilmo_Anttonen
Collaborator
‎2018-11-08 11:28 PM
In response to Vladimir
Jump to solution

I asked my client to test the solution and also gave them the possibility to create a manual proxy-arp in the web GUI, if short on time. They added the proxy-arp in the web GUI and it worked. I will try the solution provided in sk114395 at the other client site. But I'm certain the result will be the same.

Again, many thanks!

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events