This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Joe_Kanaszka
Advisor
5 hours ago

Need help in understanding NAT in relation to mobile VPN traffic

HI all.

I changed the mask on the "CP_default_Office_Mode_addresses_pool" network group from /25 to /26. to make room for 4 nets.

My "CP default Office Mode address pool" range changed from 10.10.10.1-126 to 10.10.10.65 - 126.

(The plan was to reserve one of the nets for use in the ipassignement.conf file.  We need a handful of users to always get the same static ip address when WFH.)

I created a new network object that contained IPs in the range of 10.10.10.1-62.  I created my ipassignment.conf file and assigned 10 users with static ips from this new IP range.

I made sure to add this new group to my remote access encryption domain

We tested the new static IPs while signed into the mobile VPN and all seemed fine.  However, we were not able to access our CIFS file share server.  We couldn't ping it...

I was able to access other resources on my remote network.

I checked DNS - no issues.  No double entries.

When I ran fw monitor while pinging the CIFS server I was not receiving any ICMP replies back...

After checking the new network object I created I noticed that I did not have "Add automatic address translation rules" "Hide behind the gateway" checked.  

After checking the option to use "hide NAT"  and re-logging into the mobile access VPN, I was able to access my CIFS server.

Now for my question:

 

Why would I be able to ping other machines on the same network but not access this one IP until I enabled Hide NAT?

 

 

 

 

 

 

 

 

 

 

 

 

 

 

0 Kudos
10 Replies
the_rock
Legend
Legend
5 hours ago

Valid question, for sure. I know by default, OM net is set to hide behind gw for nat, thats been like that probaly since the begging of Check Point. Now, just to make sure, are you saying, say IP 10.10.10.100 was fine to access WITHOUT nat, but then say 10.10.10.99 was NOT?

Andy

0 Kudos
Joe_Kanaszka
Advisor
4 hours ago
In response to the_rock

Exactly!  I was able to ping 10.10.10.100 but not .99 

0 Kudos
the_rock
Legend
Legend
4 hours ago
In response to Joe_Kanaszka

Got it. Ok, so not sure if you can replicate the issue, but if you could, I would run below and compare.

Andy

-traceroute (see where it fails)

-from the fw, ip r g ip_address -> example : ip r g 10.10.10.99

-tcpdump on the fw for affected ip, ie tcpdump -enni any host 10.10.10.99

-maybe quick zdebug to see if anything gets dropped -> fw ctl zdebug + drop | grep 10.10.10.99

-any logs filtering for that IP

Thats all I can think off for now bro. Other than that, Im afriad not much we can offer unless problem is there, so it can be troubleshot.

Andy

0 Kudos
Joe_Kanaszka
Advisor
4 hours ago
In response to the_rock

On a side note:

What is the # ip r g "ip address" command?  Never seen that although I see what it does.

0 Kudos
the_rock
Legend
Legend
4 hours ago
In response to Joe_Kanaszka

Just shows you the path fw uses to get to whatever IP bro.

example in my lab.

Andy

[Expert@CP-GW:0]# ip r g 8.8.8.8
8.8.8.8 via 172.16.10.1 dev eth0 src 172.16.10.249
cache
[Expert@CP-GW:0]#

[Expert@CP-GW:0]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 172.16.10.1 0.0.0.0 UG 0 0 0 eth0
172.16.10.0 * 255.255.255.0 U 0 0 0 eth0
172.31.10.0 * 255.255.255.0 U 0 0 0 eth1
192.168.10.0 * 255.255.254.0 U 0 0 0 eth2
[Expert@CP-GW:0]#

0 Kudos
Joe_Kanaszka
Advisor
4 hours ago
In response to the_rock

Cool.  Thank u.

0 Kudos
Lesley
Leader Leader
Leader
5 hours ago

Could be a lot of reasons. Think about routing on network, servers etc.

Or even ACL that has been set on the CIFS server. The server does probably not know where to route the real ip or blocks it. 

Maybe it routes it wrong end it ends on the wrong interface of the firewall (then you get anti-spoofing messages or out of state)

Based on the info you shared it is very unlikely that it was a firewall problem and therefore I cannot help further. 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
(2)
Joe_Kanaszka
Advisor
4 hours ago
In response to Lesley

 

Based on the info you shared it is very unlikely that it was a firewall problem and therefore I cannot help further. 

Thank you.  Well - it sure does seem like a FW problem being that right after I enabled "Hide NAT" I was able to ping the server....

-------
(1)
the_rock
Legend
Legend
4 hours ago
In response to Joe_Kanaszka

Dont worry brother, no matter the issue, we can ALWAYS help, or at least guide you in the right direction.

Andy

Lesley
Leader Leader
Leader
4 hours ago
In response to Joe_Kanaszka

With NAT you change the outgoing IP. Not the firewall fault the that the CIFS server is not sending a ping reply to the real ip.

Is free advise here if you don't want to follow fine by me. 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events