DekPlent
Collaborator

NAT rules for DMZ object

Hi All,

 

Whilst deploying a pair of Check Point 1590 appliances running R80.20, I noticed some strange behaviour which I have been unable to resolve.

 

I am successfully able to NAT source IPs for remote VPN sources for inbound traffic passing through to internal networks, as well as internal objects destined for remote IPsec VPN networks, but am struggling to NAT a network object defined in the DMZ leg heading inbound to internal networks. This is something I was able to do with R71 without any issue.

 

DMZ 192.168.230.x                                          LAN7 172.17.x.x

----------------------- CHECKPOINT 1590 --------------------JUNIPER---- Router----172.22.x.x

 

So basically I'd like to NAT an object which has an IP of 192.168.230.20 to SNAT 192.168.230.10 when communicating with hosts in 172.22.

So I have a manual NAT rule which does exactly that for 172.22.x.x destinations. However, whatever I do, the traffic is not NATed if I tcpdump the LAN7 interface. I still see the traffic leave as 192.168.230.20 and not 192.168.230.10.

Additionally, if I try to either hide behind the internet interface for outbound traffic with the option to SNAT behind the internet gateway, or set a manual NAT for internet access, again this object's source IP is not NATed. So I was wondering, are there any implicit rules or functions that treat traffic on the inbuilt predefined DMZ interface differently, perhaps?

I have successfully managed to configure traffic from the internal 172.22.x.x to SNAT behind an IP on the LAN7 range en route to a remote host VPN ...

Is there something simple here that I am missing, are objects in the DMZ managed differently?

For completeness, I will try moving the 192.168.230.0/24 network to a normal LAN port when in the office again tomorrow

 

Thanks again for your assistance

 

regards

Dek

 
 
6 Replies
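The check described in the question (a manual source-NAT rule for 192.168.230.20 towards 172.22.x.x, verified with tcpdump on the LAN7 side) can be reproduced offline. The script below is an added example, not code from the poster or from Check Point: it models the rulebase as first-match manual NAT rules with the values from the post, parses constructed tcpdump-style lines as if captured on the post-NAT interface, and flags any flow whose observed source still equals the pre-NAT address. The rule object, the capture lines and the function names are all assumptions made for the example; a real 1590 rulebase also carries automatic NAT rules that this model leaves out.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ManualNatRule:
    """One manual static source-NAT rule: when a packet's original source and
    destination fall inside orig_src / orig_dst, the source becomes xlate_src."""
    orig_src: ipaddress.IPv4Network
    orig_dst: ipaddress.IPv4Network
    xlate_src: ipaddress.IPv4Address

    def matches(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        return src in self.orig_src and dst in self.orig_dst


# Hypothetical rulebase mirroring the rule described in the post:
# DMZ host 192.168.230.20 -> SNAT 192.168.230.10 when talking to 172.22.x.x.
RULEBASE: List[ManualNatRule] = [
    ManualNatRule(
        orig_src=ipaddress.ip_network("192.168.230.20/32"),
        orig_dst=ipaddress.ip_network("172.22.0.0/16"),
        xlate_src=ipaddress.ip_address("192.168.230.10"),
    ),
]


def expected_source(rulebase: List[ManualNatRule], src, dst) -> str:
    """First matching rule wins, as in a NAT rulebase; no match means no translation."""
    src_ip = ipaddress.ip_address(str(src))
    dst_ip = ipaddress.ip_address(str(dst))
    for rule in rulebase:
        if rule.matches(src_ip, dst_ip):
            return str(rule.xlate_src)
    return str(src_ip)


# Minimal parser for the "IP a.b.c.d.port > e.f.g.h.port:" part of a tcpdump -n line.
TCPDUMP_RE = re.compile(
    r"\bIP (\d{1,3}(?:\.\d{1,3}){3})\.\d+ > (\d{1,3}(?:\.\d{1,3}){3})\.\d+:"
)

# Constructed capture lines, as if taken with tcpdump -n on the LAN7 (post-NAT) side.
# Line 1 shows the symptom from the post: the DMZ host leaves untranslated.
SAMPLE_CAPTURE = """\
10:15:01.000001 IP 192.168.230.20.51514 > 172.22.4.10.445: Flags [S], seq 1, win 64240, length 0
10:15:01.000002 IP 192.168.230.10.51515 > 172.22.4.11.22: Flags [S], seq 2, win 64240, length 0
10:15:01.000003 IP 192.168.230.20.51516 > 172.17.2.5.80: Flags [S], seq 3, win 64240, length 0
"""


@dataclass(frozen=True)
class AuditResult:
    observed_src: str
    dst: str
    expected_src: str

    @property
    def ok(self) -> bool:
        return self.observed_src == self.expected_src


def audit_capture(rulebase: List[ManualNatRule], capture_text: str) -> List[AuditResult]:
    """Compare the source seen on the egress interface with what the rulebase says it should be."""
    results: List[AuditResult] = []
    for line in capture_text.splitlines():
        m = TCPDUMP_RE.search(line)
        if not m:
            continue  # not an IPv4 packet line (ARP, continuation lines, etc.)
        src, dst = m.group(1), m.group(2)
        results.append(AuditResult(src, dst, expected_source(rulebase, src, dst)))
    return results


def untranslated_flows(rulebase: List[ManualNatRule], capture_text: str) -> List[AuditResult]:
    """Flows that a rule should have SNATed but which still carry the pre-NAT source."""
    return [r for r in audit_capture(rulebase, capture_text) if not r.ok]


if __name__ == "__main__":
    for r in audit_capture(RULEBASE, SAMPLE_CAPTURE):
        status = "ok" if r.ok else "NOT TRANSLATED"
        print(f"{r.observed_src} -> {r.dst}: expected source {r.expected_src} [{status}]")
```

Feeding a real capture from the post-NAT interface into `audit_capture` (one line per packet, captured with `-n` so addresses are not resolved) separates "the rule never matched" from "the rule matched but a different rule or an automatic NAT took precedence": the first shows as the pre-NAT source, the second as an unexpected third address.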
Chris_Atkinson
Employee

Is this R80.20.35 build 2577 or other version and is it centrally managed?

CCSM R77/R80/ELITE
DekPlent
Collaborator

Hi Chris,

It is locally managed and is build 2467. There is a story there too... One of the two appliances wanted to go to 2577 and the other one would only see 2467 as the latest build when checking for updates. At the time also, I could only download 2467 as the latest build, and so I could not manually upgrade the unit to 2577.

DekPlent
Collaborator

Hi Chris, I may try build 2577. Are you using this currently?

the_rock
Legend

From my knowledge, I don't believe NAT rules for the DMZ would be any different. If this is a centrally managed appliance, you would do it the same way in the dashboard as before; however, if it is locally managed, it's possible it would be a bit different, so you may want to confirm that with the TAC SMB team. Just curious though, if it is locally managed, what does the NAT rule you created look like... can you paste a screenshot here?

Andy

DekPlent
Collaborator

Hi Andy,

I got into the office to find that there was a power outage at the site... Both 1590s are up and NOW the NATting is working, and there has been no change, which is highly unsatisfactory, not knowing why it is now working.

 

I may add another host to see what happens when trying to SNAT again. Thanks for your time and Chris, sorry I have not been able to provide any more insight.

 

Regards

 

Dek

the_rock
Legend

All good brother...glad it's fixed!
