Sangeeth_N
Contributor

[FW Monitor] i, I, o, O all via the same interface


Setup: External -------> [Check Point] -------> DMZ


Configured a static NAT for a server hosted in the DMZ. When trying to access it from the external network, the traffic is reaching the External interface and going out via the External interface itself instead of the DMZ interface.

This is observed when a packet capture is done: i, I, o, O are all observed on the same External interface (using fw monitor).

Any specific reason for this weird issue? Has anybody encountered the same issue?

Suggestions will be helpful.

Thanks in Advance...

1 Solution

Accepted Solutions
Timothy_Hall
Legend

In the SmartConsole NAT Global Properties, is "translate destination on client side" unchecked for the type of NAT config (Automatic vs. Manual) you are using? If so, you will need a static host-based route added to the firewall's routing table like this:

External NAT Address/32 -> Real Server DMZ address


Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com


4 Replies
Maarten_Sjouw
Champion
Or you need to turn the option ON, which is by far the better way to solve it. There are very few reasons to not do that.
Keep in mind that in older (migrated many times) setups, this was the default. Also watch out that you could break things when you change this without double-checking other inbound NATs.
Regards, Maarten
Wolfgang
Authority

If you don't see any NAT-translated packet in the four states, follow Tim's suggestions.

The packet comes in with an external address to an address of the external interface. It is processed through all firewall states, and after I it is handled via the routing daemon. If no NAT occurs, it's routed back to the external address of the sending system.

You have to set the host route or enable translation on the client side.

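As an added illustration (not part of this thread and not Check Point code), here is a small Python model of the path Tim and Wolfgang describe: a packet to the published NAT address arrives on the External interface, and the routing decision is taken either on the translated address (client-side translation) or on the untranslated one (server-side translation). The interface names, addresses, routing table and the exact placement of the inspection points are constructed for the example; the `HOST_ROUTE` entry is the "External NAT Address/32 -> Real Server DMZ address" route from the accepted answer.

```python
"""
Simplified model of where destination NAT happens relative to routing on a
Check Point gateway, to show why fw monitor can report i, I, o and O all on
the external interface.  Added illustration only: not Check Point code, and
the topology, interface names and addresses are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

EXTERNAL_IF = "eth0"            # External interface (constructed name)
DMZ_IF = "eth1"                 # DMZ interface (constructed name)
NAT_ADDRESS = "198.51.100.10"   # published static NAT address (constructed)
SERVER_ADDRESS = "10.10.10.10"  # real server address in the DMZ (constructed)


@dataclass
class Route:
    prefix: str                      # destination in CIDR form
    interface: Optional[str] = None  # connected route: egress interface
    nexthop: Optional[str] = None    # gateway route: next-hop address


BASE_ROUTES = [
    Route("198.51.100.0/24", interface=EXTERNAL_IF),   # external subnet
    Route("10.10.10.0/24", interface=DMZ_IF),          # DMZ subnet
    Route("0.0.0.0/0", nexthop="198.51.100.1"),        # default via ISP router
]

# The host route from the accepted answer: NAT address/32 -> real server address.
HOST_ROUTE = Route(f"{NAT_ADDRESS}/32", nexthop=SERVER_ADDRESS)


def lookup(routes, dst):
    """Longest-prefix match over the routing table."""
    best = None
    for r in routes:
        net = ip_network(r.prefix)
        if ip_address(dst) in net and (
            best is None or net.prefixlen > ip_network(best.prefix).prefixlen
        ):
            best = r
    return best


def egress_for(routes, dst):
    """Resolve the egress interface; a gateway route is resolved through the
    connected route that covers its next hop, as a real table does."""
    route = lookup(routes, dst)
    if route.interface is not None:
        return route.interface
    return lookup(routes, route.nexthop).interface


def trace(dst, client_side_translation, extra_routes=()):
    """Return the (inspection point, interface, destination) tuples fw monitor
    would show for one packet to `dst` arriving on the external interface."""
    routes = BASE_ROUTES + list(extra_routes)
    points = [("i", EXTERNAL_IF, dst)]            # i: as received on the wire
    if client_side_translation and dst == NAT_ADDRESS:
        dst = SERVER_ADDRESS                      # client side: NAT before routing
    points.append(("I", EXTERNAL_IF, dst))        # I: post-inbound
    egress = egress_for(routes, dst)              # routing decision on current dst
    points.append(("o", egress, dst))             # o: pre-outbound, on chosen interface
    if not client_side_translation and dst == NAT_ADDRESS:
        dst = SERVER_ADDRESS                      # server side: NAT after routing
    points.append(("O", egress, dst))             # O: post-outbound, on the wire
    return points


def egress_interface(points):
    """Interface the packet finally leaves on (interface at the O point)."""
    return points[-1][1]


if __name__ == "__main__":
    cases = [
        ("server-side NAT, no host route", dict(client_side_translation=False)),
        ("server-side NAT + host route",
         dict(client_side_translation=False, extra_routes=[HOST_ROUTE])),
        ("client-side NAT", dict(client_side_translation=True)),
    ]
    for label, kwargs in cases:
        print(label)
        for point, iface, d in trace(NAT_ADDRESS, **kwargs):
            print(f"  {point}  {iface}  dst={d}")
```

Running it shows the symptom from the first post in the first case (all four points on eth0, the routing lookup having matched the external subnet for the untranslated address) and the two fixes from the replies in the other two cases (the /32 host route, or client-side translation so that I already carries the real server address). On Gaia the route itself would be added in clish with `set static-route 198.51.100.10/32 nexthop gateway address 10.10.10.10 on` (assumed syntax and constructed addresses, not from the thread).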
HeikoAnkenbrand
Champion

Please copy the output of the following command into the forum, then we can see what's going on.

# fw monitor -p all -e "accept(<your filter>);"

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
