This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
VTO
Participant
‎2019-10-26 06:30 AM
Jump to solution

NAT and VPN Site-to-site with a managed SMB

We recently got the 1200R SMB that is managed by the management server.  We want to use the SMB to connect the remote site with the headend Check Point open server at the data center.

We ran into the issue that the vendor host cannot talk to the remote server 2 by the NATed IP (10.5.4.22).  However, I can ping from the remote server 2 (172.22.1.1) to the vendor host (198.211.48.97).  The vendor host can talk to LAN server 1 (10.5.4.21) without any issue.

I think there is an issue to NAT and VPN egress out to the remote site on the same Check Point FW.

I am not sure if I can remove the NAT and have the vendor host talks directly to the remote server 2 IP (172.22.1.1).

Can someone help me figure out what is the problem?

CheckPoint_NAT&VPN_Site-to-site_v1.jpg

0 Kudos
1 Solution

Accepted Solutions
VTO
Participant
‎2019-10-28 11:07 PM
Jump to solution

Finally, I was able to resolve the issue with tech support.  It appeared the NATed address (10.5.4.22) for the remote server 2 is required to be part of the VPN domain on the remote Check Point SMB.  In addition, the "Disable NAT inside the VPN community" must be unchecked in order to allow the NAT traffic reaching the destination IP.

View solution in original post

0 Kudos
12 Replies
Nick_Doropoulos
Advisor
‎2019-10-26 10:45 AM
Jump to solution

Hi there,

To be able to assist you fully, could you please answer the following questions:

1) Is there a firewall rule on the Check Point Open Server that allows the vendor host to initiate traffic?

2) Have you ruled out that there are no issues with the intermediary routers before the open server (by running a traceroute or pathping)?

3) What type of traffic have you attempted to send from the vendor host to the remote server 2?

4) What do the logs show? Could you attach a couple of screenshots?

5) Is NAT disabled on the VPN or not?

6) Can the vendor host communicate with any other nodes behind the SMB gateway?

Thanks.

VTO
Participant
‎2019-10-26 01:25 PM
In response to Nick_Doropoulos
Jump to solution

Here are the answers:
1) Yes, firewall rule allows 198.211.48.0/24 from vendor
2) Yes, I saw traffic from Src:198.211.48.97 Dst: 10.5.4.22 XlateDst: 172.22.1.1 Origin: Check Point open server
3) It's TCP traffic on high port, say 2020; but doing ping ICMP traffic during the troubleshooting.
4) The log show Accepted on rule XXX and the content is listed on answer #2 above. I can do screenshots but I renamed all the IP info, so it may not too helpful.
5) In the Star Community object "Vendor-Remote", the "Disable NAT inside the VPN community" checkbox is checked
6) No, the vendor host traffic cannot reach anything on the SMB side
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-10-27 01:20 AM
In response to VTO
Jump to solution

Is client side NAT enabled?
Do you see an ARP for the NATted server? fw ctl arp
When you check the logs do you see the NAT being executed? Add the XLATED source and dest columns to your tracker view
do you have the source network in the local VPN domain of your open server gateway?
Do you use automatic NAT? (added the NAT IP on the object of that remote server?)
Regards, Maarten
0 Kudos
VTO
Participant
‎2019-10-28 02:10 AM
In response to Maarten_Sjouw
Jump to solution

Yes to all the questions except the below question.

> Do you use automatic NAT? (added the NAT IP on the object of that remote server?) 

No.  I created a manual NAT.  But since you asked, I just added the auto NAT 10.5.4.22 for the remote server 172.22.1.1. 

I can currently ping from the remote server to the vendor host, I assume the manual NAT is working fine.  I do know v77.30 has the NAT issue that requires adding the auto NAT prior to the manual NAT in order to make it functional.

 

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-10-28 02:21 AM
In response to VTO
Jump to solution

When you use Manual NAT with R77.30 you need to create a proxy arp, that part is done automatically when you use Automatic NAT, therefore it works when you add this NAT IP to the object.
VPN Domain, ok that is how it should be.

Be aware that when you add proxy arp entries, you need to make sure in the Global Properties the setting to add the local.arp entries is ticked. After adding proxy arp entries, do not forget to push policy, as they will only be activated after a policy push.
Regards, Maarten
0 Kudos
VTO
Participant
‎2019-10-28 02:40 AM
In response to Maarten_Sjouw
Jump to solution

Yes, I have the Proxy ARP setup for both 10.5.4.21 and 10.5.4.22.  Is there a way to check the local.arp?

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-10-28 02:44 AM
In response to VTO
Jump to solution

fw ctl arp
That is the command to see which Proxy ARP's are available.
PS. the best command for theProxy ARP is:
add arp proxy ipv4-address 123.123.123.121 macaddress 00:1c:7f:11:22:33 real-ip 123.123.123.123
Regards, Maarten
VTO
Participant
‎2019-10-28 02:52 AM
In response to Maarten_Sjouw
Jump to solution

ok, I already ran fw ctl arp and saw the entry for 10.5.4.22

What do you think the issue is about?  I only have the one-way traffic from remote server 2 to the vendor host.

0 Kudos
VTO
Participant
‎2019-10-28 02:14 AM
In response to Maarten_Sjouw
Jump to solution

do you have the source network in the local VPN domain of your open server gateway?

Just to clarify for the above question, the source network of the vendor host subnet 198.211.48.0/24  is in the local VPN domain of the open server gateway as shown in the picture.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2019-10-28 03:15 AM
In response to VTO
Jump to solution

I would involve TAC here - they could possibly resolve this issue in a short RAS...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
VTO
Participant
‎2019-10-28 07:38 AM
In response to G_W_Albrecht
Jump to solution

I already opened a case without a resolution.  I hope we have more brains here for inputs and suggestions to figure out what’s the issue. Thanks!

0 Kudos
VTO
Participant
‎2019-10-28 11:07 PM
Jump to solution

Finally, I was able to resolve the issue with tech support.  It appeared the NATed address (10.5.4.22) for the remote server 2 is required to be part of the VPN domain on the remote Check Point SMB.  In addition, the "Disable NAT inside the VPN community" must be unchecked in order to allow the NAT traffic reaching the destination IP.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top