Robin_Gruyters
Explorer

Hairpin NAT not working on 1490 with R77.20.70

I need to configure a hairpin NAT on my gateway to allow Sonos to connect to the internal Plex server.

I have defined a server in the Firewall -> Servers section and configured it with the option "Force translated traffic to return to the gateway", which stated "Allows access from internal networks to the external IP address of the server via local switch".

When sending traffic I can see that the gateway is allowing the traffic to pass, but it sends a reset back.

```
[vs_0][fw_2] LAN1:i[64]: 172.31.13.79 -> 178.84.193.195 (TCP) len=64 id=0
TCP: 62339 -> 56789 .S.... seq=5b68c0d2 ack=00000000
[vs_0][fw_2] LAN1:I[64]: 172.31.13.79 -> 178.84.193.195 (TCP) len=64 id=0
TCP: 62339 -> 56789 .S.... seq=5b68c0d2 ack=00000000
[vs_0][fw_2] LAN1:i[64]: 172.31.13.79 -> 178.84.193.195 (TCP) len=64 id=0
TCP: 62340 -> 56789 .S.... seq=1fbd82fb ack=00000000
[vs_0][fw_2] LAN1:I[64]: 172.31.13.79 -> 178.84.193.195 (TCP) len=64 id=0
TCP: 62340 -> 56789 .S.... seq=1fbd82fb ack=00000000
[vs_0][fw_2] LAN1:o[40]: 178.84.193.195 -> 172.31.13.79 (TCP) len=40 id=14750
TCP: 56789 -> 62339 ..R.A. seq=00000000 ack=5b68c0d3
[vs_0][fw_2] LAN1:O[40]: 178.84.193.195 -> 172.31.13.79 (TCP) len=40 id=14750
TCP: 56789 -> 62339 ..R.A. seq=00000000 ack=5b68c0d3
[vs_0][fw_2] LAN1:o[40]: 178.84.193.195 -> 172.31.13.79 (TCP) len=40 id=14751
TCP: 56789 -> 62340 ..R.A. seq=00000000 ack=1fbd82fc
[vs_0][fw_2] LAN1:O[40]: 178.84.193.195 -> 172.31.13.79 (TCP) len=40 id=14751
TCP: 56789 -> 62340 ..R.A. seq=00000000 ack=1fbd82fc
```

The logging shows that all translated info is zero. (see attachment)

How can I get this to work?

0 Kudos
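To make the trace in the post easier to read, here is a small decoder for the two-line-per-packet fw monitor format. This is an added example, not Check Point tooling; the sample input is the first SYN and its RST from the post. It assumes the standard meaning of the capture points (i = pre-inbound, I = post-inbound, o = pre-outbound, O = post-outbound) and that client-side destination NAT shows up as a changed destination between i and I, and source NAT as a changed source between o and O.

```python
"""Decode fw monitor output and report whether an address was translated between chain points.

Added example, not Check Point tooling. Assumed semantics: i = pre-inbound, I = post-inbound,
o = pre-outbound, O = post-outbound; destination NAT changes the destination between i and I,
source NAT changes the source between o and O.
"""
import re

# Constructed sample: the first SYN and its RST from the trace quoted in the post.
SAMPLE = """\
[vs_0][fw_2] LAN1:i[64]: 172.31.13.79 -> 178.84.193.195 (TCP) len=64 id=0
TCP: 62339 -> 56789 .S.... seq=5b68c0d2 ack=00000000
[vs_0][fw_2] LAN1:I[64]: 172.31.13.79 -> 178.84.193.195 (TCP) len=64 id=0
TCP: 62339 -> 56789 .S.... seq=5b68c0d2 ack=00000000
[vs_0][fw_2] LAN1:o[40]: 178.84.193.195 -> 172.31.13.79 (TCP) len=40 id=14750
TCP: 56789 -> 62339 ..R.A. seq=00000000 ack=5b68c0d3
[vs_0][fw_2] LAN1:O[40]: 178.84.193.195 -> 172.31.13.79 (TCP) len=40 id=14750
TCP: 56789 -> 62339 ..R.A. seq=00000000 ack=5b68c0d3
"""

HEADER = re.compile(
    r"^\[(?P<vs>[^\]]+)\]\[(?P<fw>[^\]]+)\]\s+(?P<iface>\w+):(?P<point>[iIoO])\[\d+\]:\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+\((?P<proto>\w+)\)\s+len=\d+\s+id=(?P<id>\d+)"
)
TCPLINE = re.compile(
    r"^TCP:\s+(?P<sport>\d+)\s+->\s+(?P<dport>\d+)\s+(?P<flags>[.FSRPAU]{6})\s+"
    r"seq=(?P<seq>[0-9a-f]+)\s+ack=(?P<ack>[0-9a-f]+)"
)
FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")  # one column per flag in the flags field


def decode_flags(field):
    """'.S....' -> ['SYN'], '..R.A.' -> ['RST', 'ACK']."""
    return [name for name, ch in zip(FLAG_NAMES, field) if ch != "."]


def parse_fw_monitor(text):
    """Return one dict per packet, pairing each header line with the TCP line that follows it."""
    packets = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    idx = 0
    while idx < len(lines):
        head = HEADER.match(lines[idx])
        idx += 1
        if not head:
            continue  # not a capture header, skip it
        pkt = head.groupdict()
        if pkt["proto"] == "TCP" and idx < len(lines):
            tcp = TCPLINE.match(lines[idx])
            if tcp:
                pkt.update(tcp.groupdict())
                pkt["flag_names"] = decode_flags(pkt["flags"])
                idx += 1
        packets.append(pkt)
    return packets


def translation_report(packets):
    """Pair i/I and o/O captures of the same packet and say whether the relevant address changed."""
    # The same packet keeps its IP id, ports and seq across chain points, so those identify it.
    by_key = {(p["iface"], p["point"], p["id"], p.get("sport"), p.get("dport"), p.get("seq")): p
              for p in packets}
    report = []
    for (iface, point, pid, sport, dport, seq), before in by_key.items():
        if point == "i":
            after = by_key.get((iface, "I", pid, sport, dport, seq))
            field, label = "dst", "inbound (i -> I), destination"
        elif point == "o":
            after = by_key.get((iface, "O", pid, sport, dport, seq))
            field, label = "src", "outbound (o -> O), source"
        else:
            continue
        if after is None:
            continue  # counterpart not captured, nothing to compare
        report.append({
            "check": label,
            "iface": iface,
            "flow": f"{before['src']}:{sport} -> {before['dst']}:{dport}",
            "flags": before.get("flag_names", []),
            "before": before[field],
            "after": after[field],
            "translated": before[field] != after[field],
        })
    return report


if __name__ == "__main__":
    for entry in translation_report(parse_fw_monitor(SAMPLE)):
        verdict = "translated" if entry["translated"] else "NOT translated"
        print(f"{entry['iface']} {entry['check']}: {entry['flow']} {entry['flags']} -> {verdict} "
              f"({entry['before']} -> {entry['after']})")
```

Run on the quoted trace, the report shows the SYN's destination unchanged between i and I and the RST's source unchanged between o and O, which is the same thing the "all translated info is zero" log entries say: no NAT rule fired at either capture point.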
7 Replies
PhoneBoy
Admin

What was the fw monitor syntax you used to generate the above output?

0 Kudos
Robin_Gruyters
Explorer

```
fw monitor -e 'host(178.84.193.195), accept;'
```

0 Kudos
Robin_Gruyters
Explorer

I have also checked with `fw ctl zdebug + drop` if traffic is blocked by the firewall, but nothing came up.

0 Kudos
Hugo_vd_Kooij
Advisor

Why is there only traffic on LAN1? What other interface is in use where the connection should leave the firewall?

If NAT is applied, make sure you don't filter on the NATted addresses.

You might be missing ICMP traffic here that might tell you what is going on.

0 Kudos
Robin_Gruyters
Explorer

Because other traffic isn't showing. (cut out)

At the moment of testing, no other traffic (as much) is showing (some DNS, but not much beyond that; no ICMP redirects, if you are wondering).

The client (172.31.13.79) needs to connect to the external (WAN) IP, 178.84.193.195, by using a hairpin NAT. The "Force translated traffic to return to the gateway" option on the 1490 indicates that it allows this, but somehow it doesn't work on my gateway.

Check Point has an SK available for this purpose: How to configure NAT Loopback (Hairpin NAT / NAT Reflection) on Check Point Security Gateway

0 Kudos
Pedro_Espindola
Advisor

The option "Force translated traffic to return to the gateway" might be causing the server to reject the connection for some reason.

Is the 1490 the default gateway of this server? If it is, then try this:

  1. Uncheck "Force translated traffic to return to the gateway"
  2. Create the incoming NAT rule for the required service
  3. Create a return NAT rule src:Server - dst:any - service:<desired-service> - Xlatedsrc:178.84.193.195 - Xlatedst:Original - Xlatedsvc:Original

That is all I do and it usually works well. However, this won't work for other hosts in the same network.

0 Kudos
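The two outcomes described in this reply (it works when the 1490 is the server's default gateway, it does not work for hosts on the server's own network) come down to which path the server's reply takes. The toy model below is an added example, not Check Point code and not the 1490's NAT implementation: it walks one SYN/SYN-ACK exchange through a destination NAT from the public address to an internal server and shows why the reply only gets un-translated when it passes back through the gateway, and how also translating the client's source address (what the "Force translated traffic to return to the gateway" option is described as doing) forces that. 178.84.193.195 and 172.31.13.79 are from the thread; the server address, the gateway's LAN address, the server subnet and the client on a second internal network are assumptions.

```python
"""Toy model of the hairpin (NAT loopback) return path.

Added example, not Check Point code. Models a LAN client connecting to the gateway's
public address, which is destination-translated to an internal server, and checks
whether the SYN-ACK the client receives comes from the address it connected to.
"""
import ipaddress
from dataclasses import dataclass

WAN_IP = "178.84.193.195"                                # from the thread
SERVER_IP = "172.31.13.10"                               # assumed internal server
GW_LAN_IP = "172.31.13.1"                                # assumed gateway address on that subnet
SERVER_SUBNET = ipaddress.ip_network("172.31.13.0/24")   # assumed
SAME_SUBNET_CLIENT = "172.31.13.79"                      # from the thread
OTHER_SUBNET_CLIENT = "10.20.0.5"                        # assumed client on a second internal network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "S" for SYN, "SA" for SYN-ACK


def on_server_subnet(ip):
    return ipaddress.ip_address(ip) in SERVER_SUBNET


def simulate(client_ip, source_translate=False):
    """Run one SYN / SYN-ACK exchange and return 'ESTABLISHED' or 'RESET'.

    source_translate=True models a hairpin rule that also rewrites the client's source
    address to the gateway's LAN address, so the server must answer the gateway.
    """
    # 1. The client sends a SYN to the public address and will only accept a SYN-ACK from it.
    syn = Packet(client_ip, WAN_IP, "S")

    # 2. The gateway applies destination NAT WAN_IP -> SERVER_IP (the incoming rule) and,
    #    optionally, source NAT client -> GW_LAN_IP. It remembers the reverse mapping.
    inside_src = GW_LAN_IP if source_translate else syn.src
    forwarded = Packet(inside_src, SERVER_IP, "S")
    conn_table = {(forwarded.dst, forwarded.src): (syn.dst, syn.src)}

    # 3. The server answers whatever source address it saw.
    reply = Packet(SERVER_IP, forwarded.src, "SA")

    # 4. Delivery: a destination on the server's own subnet is reached directly at layer 2
    #    and never touches the gateway; anything else goes via the server's default gateway
    #    (assumed to be the firewall), which reverses the translation.
    if on_server_subnet(reply.dst) and reply.dst != GW_LAN_IP:
        delivered = reply  # untranslated: the client sees SERVER_IP, not WAN_IP
    else:
        new_src, new_dst = conn_table[(reply.src, reply.dst)]
        delivered = Packet(new_src, new_dst, "SA")

    # 5. The client only matches the SYN-ACK to its SYN if it comes from WAN_IP.
    ok = delivered.src == WAN_IP and delivered.dst == client_ip
    return "ESTABLISHED" if ok else "RESET"


if __name__ == "__main__":
    print("client on another internal network, DNAT only:",
          simulate(OTHER_SUBNET_CLIENT))
    print("client on the server's subnet, DNAT only:     ",
          simulate(SAME_SUBNET_CLIENT))
    print("client on the server's subnet, DNAT + SNAT:   ",
          simulate(SAME_SUBNET_CLIENT, source_translate=True))
```

The first case is the one this reply says works: the reply has to cross the gateway, so the connection table un-translates it. The second is the "other hosts in the same network" case: the server answers the client directly, the client sees a SYN-ACK from the server's real address instead of 178.84.193.195 and drops the connection. Translating the source as well (third case) is what makes the same-subnet case go back through the gateway.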
Hugo_vd_Kooij
Advisor

Can you throw in a drawing? That will help to focus on the right issues.

0 Kudos