This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sangeeth_N
Contributor
‎2019-03-19 05:05 AM
Jump to solution

i I o O[FW Monitor] all via same interface

 

Setup :                      External------------->[Checkpoint]-----------> DMZ

 

Configured a static NAT for a server hosted in DMZ . When trying to access the same from the external network, the traffic is reaching the External  interface and going out via External interface itself instead of DMZ interface.

This is observed when a packet capture is done i, I, o, O all are observed on the same External interface  [using fw monitor].

Any specific reason for this weird issue? anybody encountered the same issue?

Suggestions will be helpful.

Thanks in Advance...

1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2019-03-19 06:45 AM
Jump to solution

In the SmartConsole NAT Global Properties is "translate destination on client side" unchecked for the type of NAT config (Automatic vs. Manual) you are using?  If so you will need a static host-based route added to the firewall's routing table like this:

External NAT Address/32 -> Real Server DMZ address

 

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones

View solution in original post

4 Replies
Timothy_Hall
Legend Legend
Legend
‎2019-03-19 06:45 AM
Jump to solution

In the SmartConsole NAT Global Properties is "translate destination on client side" unchecked for the type of NAT config (Automatic vs. Manual) you are using?  If so you will need a static host-based route added to the firewall's routing table like this:

External NAT Address/32 -> Real Server DMZ address

 

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
Maarten_Sjouw
Champion
Champion
‎2019-03-19 09:46 AM
In response to Timothy_Hall
Jump to solution

Or you need to turn the option ON, which is by far the better way to solve it. There are very few reasons to not do that.
Keep in mind that in older -migrated many times- setups, this was the default. Also watch out that you could break things when you change this without double check on other inbound NAT's.
Regards, Maarten
Wolfgang
Authority
Authority
‎2019-03-19 11:54 AM
Jump to solution

If you don‘t see any NAT translated packet in the four states you followed Tim’s suggestions.

the packets comes in with an external address to an address address of the external interface. It is processed through all firewall states and after I is handled via the routing daemon. If no NAT occurs, it‘s routed back to the external address of the sending system.

You have To set the host route or enable translation on client site. 

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2019-03-19 12:16 PM
Jump to solution

Please copy the output of  the following command into the forum, then we can see what's going on.

# fw monitor -p all -e "accept(<your filter>);"

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top