Hi All,
Whilst deploying a pair of Checkpoint 1590 appliances running R80.20, I noticed some strange behaviour which I have been unable to resolve.
I am successfully able to NAT source IPs for remote VPN sources for inbound traffic passing through to internal networks, as well as internal objects destined for remote IPSEC VPN networks, but am struggling to NAT a network object defined in the DMZ leg heading inbound to internal networks. Something which I was able to do with R71 without any issue.
DMZ 192.168.230.x LAN7 172.17.x.x
----------------------- CHECKPOINT 1590 --------------------JUNIPER---- Router----172.22.x.x
So basically I'd like to NAT an object which has an IP of 192.168.230.20 to SNAT 192.168.230.10 when communicating with hosts in 172.22.
So I have a manual NAT rule which does exactly that for the 172.22.x.x destination. However, whatever I do, the traffic is not NATed if I tcpdump the LAN7 interface. I still see the traffic leave as 192.168.230.20 and not 192.168.230.10.
Additionally, if I try to either hide behind the internet interface for outbound traffic with the option to SNAT behind the internet gateway, or set a manual NAT for internet access, again this object's source IP is not NATed. So I was wondering, are there any implicit rules or functions that treat traffic on the inbuilt predefined DMZ interface differently perhaps?
I have successfully managed to configure traffic from the internal 172.22.x.x to SNAT behind an IP on the LAN7 range en route to a remote host VPN ...
Is there something simple here that I am missing, are objects in the DMZ managed differently?
For completeness, I will try moving the 192.168.230.0/24 network to a normal LAN port when in the office again tomorrow.
Thanks again for your assistance.
Regards
Dek
Is this R80.20.35 build 2577 or other version and is it centrally managed?
Hi Chris,
It is locally managed and is build 2467. There is a story there too.. One of the two appliances wanted to go to 2577 and the other one would only see 2467 as the latest build when checking for updates. At the time also, I could only download 2467 as the latest build and so I could not manually upgrade the unit to 2577.
Hi Chris, I may try build 2577. Are you using this currently?
From my knowledge, I don't believe NAT rules for DMZ would be any different. If this is a centrally managed appliance, you would do it the same way in the dashboard as before; however, if it is locally managed, it's possible it would be a bit different, so you may want to confirm that with the TAC SMB team. Just curious though, if it is locally managed, what does the NAT rule you created look like... can you paste the screenshot here?
Andy
Hi Andy,
I got into the office to find that there was a power outage at the site... Both 1590s are up and NOW the natting is working and there has been no change, which is highly unsatisfactory not knowing why it is now working.
I may add another host to see what happens when trying to SNAT again. Thanks for your time and Chris, sorry I have not been able to provide any more insight.
Regards
Dek
All good brother...glad it's fixed!