Iron

NAT Source Port manipulation

Hello Checkmates

I'm currently dealing with an issue for a client and need some guidance from the community.

I have attached a diagram showing the traffic flow, which I have summarised below:

The client establishes a site-to-site VPN from their location C to their location A. All traffic flows through a Check Point firewall running R80.x (think of it as if we are their ISP); at the point of exit we NAT the traffic from their source IP (C) to ours (B) and also change the source port number to Y.

The issue is that when the VPN fails for any reason and re-establishes, it is re-NATted to a different source port (Z), which is seen as a new tunnel at the destination. This breaks the client's communication, as all comms should remain on the original port (Y).

The question: Is there a way to set a NAT, or anything else on the firewall, that would say: if traffic is sourced from IP address C, then permanently use source port Y? I suspect that I would also have to put some sort of reservation on that port so that it is not used otherwise, but I'm not sure that this is possible.

Any insights/thoughts would be appreciated.

Thanks

4 Replies
Admin

Unfortunately, the diagram doesn't really clarify the situation at all.

Is Site C terminating VPN on Site B or only going through Site B to terminate on Site A?
Also, are you doing a static NAT or a hide NAT?
Because a static NAT would not change the source port at all from what the client specifies.
When you are doing a hide NAT, you have zero control over the source port and can't specify/change it to suit your desires.
Iron

Hi Dameon

The VPN is initiated by Site C, goes through Site B where it is NATted (hide NAT), and terminates on Site A. Based on the information you provided, we would need to change the NAT to a static NAT.

Would you know if there is a way to do a dynamic NAT pool? The address wouldn't be 1-to-1, but for that session + x hours it wouldn't change (like a DHCP lease); if the session drops for more than an hour, it'll pick up the same public IP again when it reconnects.
Admin

There is IP Pool NAT available, but I don't think the timeout is adjustable and, offhand, not sure what the timeout is.
Enable it in Global Properties:

Screen Shot 2020-07-10 at 11.02.20 AM.png

Then you can change the settings in the relevant gateway object: 

Screen Shot 2020-07-10 at 11.03.21 AM.png

See also: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

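As an added illustration (a constructed model written for this thread, not Check Point code and not from either poster), the following compares the two behaviours discussed above: a hide NAT hands the re-established tunnel a fresh source port, while an IP Pool NAT with a lease timer keeps the same pool address for the client as long as the lease has not expired. The addresses, the pool, the lease logic and the assumption that pool NAT leaves the source port untouched are all mine.

```python
# Constructed model (not Check Point code) of the NAT behaviours in this thread.
from dataclasses import dataclass, field

SITE_C = "10.0.0.10"                         # hypothetical client address (C)
HIDE_IP = "198.51.100.1"                     # hypothetical hide address at B
POOL = ["198.51.100.10", "198.51.100.11"]    # hypothetical IP pool at B

@dataclass
class HideNat:
    """Hide NAT: one public IP, next free source port per new connection."""
    public_ip: str
    next_port: int = 10000
    table: dict = field(default_factory=dict)  # (src_ip, src_port) -> (ip, port)

    def translate(self, src_ip, src_port, now):
        key = (src_ip, src_port)
        if key not in self.table:              # new connection: fresh port
            self.table[key] = (self.public_ip, self.next_port)
            self.next_port += 1
        return self.table[key]

    def expire(self, src_ip, src_port):
        self.table.pop((src_ip, src_port), None)  # tunnel torn down

@dataclass
class IpPoolNat:
    """IP Pool NAT: one pool address per client, held for lease_seconds."""
    pool: list
    lease_seconds: int
    leases: dict = field(default_factory=dict)  # src_ip -> (pool_ip, last_seen)

    def translate(self, src_ip, src_port, now):
        lease = self.leases.get(src_ip)
        if lease is None or now - lease[1] > self.lease_seconds:
            busy = {ip for c, (ip, t) in self.leases.items()
                    if c != src_ip and now - t <= self.lease_seconds}
            lease = (next(ip for ip in self.pool if ip not in busy), now)
        self.leases[src_ip] = (lease[0], now)
        return (lease[0], src_port)            # assumption: port preserved

    def expire(self, src_ip, src_port):
        pass                                   # the lease outlives the tunnel

def tunnel_flap(nat, gap_seconds, src_port=500):
    """Translate, drop the tunnel, re-establish after gap_seconds."""
    first = nat.translate(SITE_C, src_port, now=0)
    nat.expire(SITE_C, src_port)
    second = nat.translate(SITE_C, src_port, now=gap_seconds)
    return first, second
```

With the hide NAT the second tuple carries a new port (the "Z" in the original question); with the pool NAT both tuples are identical as long as the reconnect falls within the lease.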
Iron

Excellent,

The article you referred to shows that the IP NAT Pool timer is configurable. I will give this a try and let you know how we get on.

IP-NAT-Pool.PNG

Thank you.
