Hairpin NAT not working on 1490 with R77.20.70
I need to configure a hairpin NAT on my gateway to allow Sonos to connect to the internal Plex server.
I have defined a server in the Firewall -> Servers section and configured it with the option "Force translated traffic to return to the gateway", which stated "Allows access from internal networks to the external IP address of the server via local switch".
When sending traffic I can see that the gateway is allowing the traffic to pass, but it sends a reset back.
```
[vs_0][fw_2] LAN1:i[64]: 172.31.13.79 -> 178.84.193.195 (TCP) len=64 id=0
TCP: 62339 -> 56789 .S.... seq=5b68c0d2 ack=00000000
[vs_0][fw_2] LAN1:I[64]: 172.31.13.79 -> 178.84.193.195 (TCP) len=64 id=0
TCP: 62339 -> 56789 .S.... seq=5b68c0d2 ack=00000000
[vs_0][fw_2] LAN1:i[64]: 172.31.13.79 -> 178.84.193.195 (TCP) len=64 id=0
TCP: 62340 -> 56789 .S.... seq=1fbd82fb ack=00000000
[vs_0][fw_2] LAN1:I[64]: 172.31.13.79 -> 178.84.193.195 (TCP) len=64 id=0
TCP: 62340 -> 56789 .S.... seq=1fbd82fb ack=00000000
[vs_0][fw_2] LAN1:o[40]: 178.84.193.195 -> 172.31.13.79 (TCP) len=40 id=14750
TCP: 56789 -> 62339 ..R.A. seq=00000000 ack=5b68c0d3
[vs_0][fw_2] LAN1:O[40]: 178.84.193.195 -> 172.31.13.79 (TCP) len=40 id=14750
TCP: 56789 -> 62339 ..R.A. seq=00000000 ack=5b68c0d3
[vs_0][fw_2] LAN1:o[40]: 178.84.193.195 -> 172.31.13.79 (TCP) len=40 id=14751
TCP: 56789 -> 62340 ..R.A. seq=00000000 ack=1fbd82fc
[vs_0][fw_2] LAN1:O[40]: 178.84.193.195 -> 172.31.13.79 (TCP) len=40 id=14751
TCP: 56789 -> 62340 ..R.A. seq=00000000 ack=1fbd82fc
```
The logging shows that all translated info is zero. (see attachment)
How can I get this to work?
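The trace above can be read mechanically. The following script is an added example, not code from the original post or from Check Point: it parses `fw monitor` output, groups packets per connection, and checks two things at the standard inspection points (i = pre-inbound, I = post-inbound, o = pre-outbound, O = post-outbound): whether the destination address changed between i and I (which is where destination NAT would show up), and where the first RST appeared. The sample trace embedded in the script is the one posted above; the interpretation of "RST first seen at o with no inbound i/I" as a reply originating on the gateway itself is the analyst's reading of fw monitor semantics, not something the original poster stated.

```python
"""Summarise a Check Point fw monitor trace per connection.

Added example (not from the original post). SAMPLE_TRACE is the trace
posted in the thread, embedded here so the script runs offline.
"""
import re

HEADER_RE = re.compile(
    r"\[vs_\d+\]\[fw_\d+\]\s+(?P<ifc>\S+):(?P<point>[iIoO])\[\d+\]:\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+\((?P<proto>\w+)\)"
)
TCP_RE = re.compile(
    r"TCP:\s+(?P<sport>\d+)\s+->\s+(?P<dport>\d+)\s+(?P<flags>\S+)\s+"
    r"seq=(?P<seq>[0-9a-f]+)\s+ack=(?P<ack>[0-9a-f]+)"
)

SAMPLE_TRACE = """
[vs_0][fw_2] LAN1:i[64]: 172.31.13.79 -> 178.84.193.195 (TCP) len=64 id=0
TCP: 62339 -> 56789 .S.... seq=5b68c0d2 ack=00000000
[vs_0][fw_2] LAN1:I[64]: 172.31.13.79 -> 178.84.193.195 (TCP) len=64 id=0
TCP: 62339 -> 56789 .S.... seq=5b68c0d2 ack=00000000
[vs_0][fw_2] LAN1:i[64]: 172.31.13.79 -> 178.84.193.195 (TCP) len=64 id=0
TCP: 62340 -> 56789 .S.... seq=1fbd82fb ack=00000000
[vs_0][fw_2] LAN1:I[64]: 172.31.13.79 -> 178.84.193.195 (TCP) len=64 id=0
TCP: 62340 -> 56789 .S.... seq=1fbd82fb ack=00000000
[vs_0][fw_2] LAN1:o[40]: 178.84.193.195 -> 172.31.13.79 (TCP) len=40 id=14750
TCP: 56789 -> 62339 ..R.A. seq=00000000 ack=5b68c0d3
[vs_0][fw_2] LAN1:O[40]: 178.84.193.195 -> 172.31.13.79 (TCP) len=40 id=14750
TCP: 56789 -> 62339 ..R.A. seq=00000000 ack=5b68c0d3
[vs_0][fw_2] LAN1:o[40]: 178.84.193.195 -> 172.31.13.79 (TCP) len=40 id=14751
TCP: 56789 -> 62340 ..R.A. seq=00000000 ack=1fbd82fc
[vs_0][fw_2] LAN1:O[40]: 178.84.193.195 -> 172.31.13.79 (TCP) len=40 id=14751
TCP: 56789 -> 62340 ..R.A. seq=00000000 ack=1fbd82fc
"""


def parse_fw_monitor(text):
    """Yield one dict per packet, pairing each header line with its TCP line."""
    pending = None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = TCP_RE.match(line)
        if m and pending is not None:
            pkt = {**pending, **m.groupdict()}
            pkt["syn"] = "S" in pkt["flags"]   # flag letters, position-independent
            pkt["rst"] = "R" in pkt["flags"]
            yield pkt
            pending = None


def analyse(text):
    """Group packets by the client's (address, source port) and summarise.

    A pure SYN defines the client side; any other packet is assumed to be a
    reply and is filed under its destination, so both directions share a key.
    """
    conns = {}
    for pkt in parse_fw_monitor(text):
        if pkt["syn"] and not pkt["rst"]:
            key = (pkt["src"], pkt["sport"])
        else:
            key = (pkt["dst"], pkt["dport"])
        c = conns.setdefault(key, {"points": [], "dst_pre_in": None,
                                   "dst_post_in": None, "rst_from": None})
        c["points"].append(pkt["ifc"] + ":" + pkt["point"])
        if pkt["syn"]:
            if pkt["point"] == "i":
                c["dst_pre_in"] = pkt["dst"]      # destination before inbound NAT
            elif pkt["point"] == "I":
                c["dst_post_in"] = pkt["dst"]     # destination after inbound NAT
        if pkt["rst"] and c["rst_from"] is None:
            c["rst_from"] = (pkt["src"], pkt["ifc"], pkt["point"])
    for c in conns.values():
        seen_both = c["dst_pre_in"] is not None and c["dst_post_in"] is not None
        c["dst_nat_applied"] = seen_both and c["dst_pre_in"] != c["dst_post_in"]
    return conns


def summarise(conns):
    """Human-readable one-liner per connection."""
    out = []
    for (client, port), c in sorted(conns.items()):
        nat = "translated to %s" % c["dst_post_in"] if c["dst_nat_applied"] \
            else "NOT translated (still %s at I)" % c["dst_post_in"]
        rst = ("RST first seen at %s:%s from %s" % (c["rst_from"][1], c["rst_from"][2],
               c["rst_from"][0])) if c["rst_from"] else "no RST"
        out.append("%s:%s destination %s; %s" % (client, port, nat, rst))
    return out


if __name__ == "__main__":
    for line in summarise(analyse(SAMPLE_TRACE)):
        print(line)
```

For the posted trace both connections come out as "NOT translated (still 178.84.193.195 at I)" with the RST first seen at LAN1:o, i.e. the SYN reached the post-inbound point with the WAN address unchanged and the reset left on the same interface without ever having entered on another one, which is consistent with the gateway answering for its own address rather than forwarding to the Plex server. When the hairpin rule does take effect, the I line should show the internal server address instead.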
What was the fw monitor syntax you used to generate the above output?
```
fw monitor -e 'host(178.84.193.195), accept;'
```
I have also checked with `fw ctl zdebug + drop` if traffic is blocked by the firewall, but nothing came up.
Why is there only traffic on LAN1? What other interface is in use where the connection should leave the firewall?
If NAT is applied, make sure you don't filter on the NATted addresses.
You might be missing ICMP traffic here that might tell you what is going on.
Because other traffic isn't showing. (cut out)
At the moment of testing no other traffic (to speak of) is showing (some DNS, but not much more; no ICMP redirects, if you are wondering).
The client (172.31.13.79) needs to connect to the external (WAN) IP, 178.84.193.195, by using a hairpin NAT. The "Force translated traffic to return to the gateway" option on the 1490 indicates that it allows this, but somehow it doesn't work on my gateway.
Check Point has a SK available for this purpose: How to configure NAT Loopback (Hairpin NAT / NAT Reflection) on Check Point Security Gateway
The option "Force translated traffic to return to the gateway" might be causing the server to reject the connection for some reason.
Is the 1490 the default gateway of this server? If it is, then try this:
- Uncheck "Force translated traffic to return to the gateway"
- Create the incoming NAT rule for the required service
- Create a return NAT rule src:Server - dst:any - service:<desired-service> - Xlatedsrc:178.84.193.195 - Xlatedst:Original - Xlatedsvc:Original
That is all I do and it usually works well. However, this won't work for other hosts in the same network.
Can you throw in a drawing? That will help to focus on the right issues.
