CheckMates > Products > Quantum > SMB Gateways (Spark)
LAN NAT address issue
Hi All
Any help on the below please?
The client is running a small network; however, part of the LAN network goes through an internal gateway device where that portion of the LAN subnet is terminated.
That GW device then NATs those addresses behind the direct connection it has to the Check Point firewall, using a /30 address range.
When I look at the FW logs I only see that GW device's IP <10.0.8.2>, and the firewall then also does not apply any of the policies to the devices behind that internal GW.
Is there any way for the firewall to see that NATed subnet so policies can be applied?
It did initially pick up that subnet as spoofed addresses; however, I disabled that in the CLI, so now it only sees the internal GW address and any devices that are directly connected to the firewall on the WiFi.
Device <10.0.2.6> --- GW <10.0.2.1> NAT; GW direct connection to FW <10.0.8.2> ---- <10.0.8.1> FW --- WAN fibre breakout
Thank you
Barry
What model exactly is the Check Point gateway in this case?
Since you posted this in the SMB space, we'll assume it's one of the SMB appliances (700/1400/1500/1800).
If the internal gateway is NATing the subnet before the Check Point gateway sees it, there's no way to see those addresses unless the gateway does a "proxy" and adds an XFF header.
Even then, that will probably only work for HTTP traffic.
Otherwise, what should happen is the gateway should NOT NAT that subnet and the Check Point gateway should have a route pointing back to that network through that gateway.
This should also resolve the anti-spoofing issue, since anti-spoofing configuration is based on the routing table (on SMB appliances).
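A small model of the fix described in the reply above, added here as an illustration and not Check Point code or a real appliance configuration: it derives each interface's anti-spoofing networks from a routing table and shows why the client subnet is invisible to policy while the internal gateway NATs it, gets dropped as spoofed without a route, and becomes matchable once the route back through 10.0.8.2 exists. The interface name LAN1 and the /24 mask on the client subnet are assumptions; the thread only gives host addresses.

```python
from ipaddress import ip_address, ip_network

# Constructed from the thread's diagram: the Check Point's LAN-side interface
# holds 10.0.8.1/30, the internal GW is 10.0.8.2 and 10.0.2.0/24 sits behind it.
# The interface name and the /24 mask are assumptions; the post only gives hosts.
FW_INTERFACES = {"LAN1": ip_network("10.0.8.0/30")}
INTERNAL_GW = "10.0.8.2"
CLIENT = "10.0.2.6"


def interface_topology(routes):
    """Derive each interface's valid source networks from the routing table,
    as the answer says SMB appliances do: the connected network plus every
    static route whose next hop lies on that interface."""
    topo = {name: {net} for name, net in FW_INTERFACES.items()}
    for dest, nexthop in routes:
        for name, net in FW_INTERFACES.items():
            if ip_address(nexthop) in net:
                topo[name].add(ip_network(dest))
    return topo


def anti_spoof_allows(topo, ingress, src):
    """Anti-spoofing passes a packet only when its source is inside a network
    the routing table places behind the ingress interface."""
    return any(ip_address(src) in net for net in topo[ingress])


def policy_matches(src, rule_src):
    """A rule written for the client subnet only fires on the address the
    gateway actually sees, so it never matches the NATed /30 address."""
    return ip_address(src) in ip_network(rule_src)


def scenario(routes, nat_at_internal_gw):
    """What the Check Point logs as source, whether anti-spoofing lets it in,
    and whether a rule for 10.0.2.0/24 can ever hit."""
    seen = INTERNAL_GW if nat_at_internal_gw else CLIENT
    passes = anti_spoof_allows(interface_topology(routes), "LAN1", seen)
    return {
        "fw_sees": seen,
        "passes_antispoof": passes,
        "subnet_rule_hits": passes and policy_matches(seen, "10.0.2.0/24"),
    }


if __name__ == "__main__":
    print("NAT, no route      :", scenario([], True))
    print("no NAT, no route   :", scenario([], False))
    print("no NAT, with route :", scenario([("10.0.2.0/24", INTERNAL_GW)], False))
```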
