Accessing a proxied NAT IP from isolated network
Hello. We have a setup on the site we are doing the VPN config on that is giving me fits and maybe you can point me in the right direction.
The public VIP of the firewall is 13.211.91.180.
We have an isolated internal network that is on the 172.16.64.0/18 subnet.
Inside that network at 172.16.64.242 is a web server that is publicly accessible via a NAT'd IP of 13.211.91.190, which is in the proxy ARP table of the gateway and configured via a manual NAT config with access policies.
Externally that website works fine and is fully accessible so the NAT does work.
The issue we have is that we need our testing customers who are also in that 172.16.64.0/18 network to be able to access that website via the public IP. I am not having any luck making this work. The config used to work on a Cisco ASA setup but just not sure what is not working on this.
I don’t see anything being blocked on the firewall when I attempt to access it internally, it just times out.
If I trace out from a host in this isolated network I can hit the internet and the public VIP of the firewall and the wan gateway. But I cannot ping or trace to any of the entries that are setup in the proxy arp table of the firewall. Those traces just die when they hit the VIP of the isolated network on firewall. But traces to others hit that IP, then hit the firewall gateway, then the remote IP they are accessing.
Not sure how to resolve this.
*I've used random IPs instead of the actual ones.
Look into sk108600 Scenario 3 if not already.
This requires a specific NAT rule to be configured to work correctly.
See: https://community.checkpoint.com/t5/Security-Gateways/Traffic-flow-in-between-C-to-S-via-Firewall-Ho...
I will check that out, thank you. Though it mentions that I need to block connection between the two from the router. On this network all routing is done on the Checkpoint cluster, and the internal network and isolated networks all run over L2 switches and their VLANs are routed on Checkpoint. Not sure if that is going to change anything. Also all the hosts I'm worried about are going to be on the same network as the web server and they need to access other things in that isolated network. I will read through that article you posted, again thank you.
If it's an L2 device, then there is really no routing involved; plus, if those hosts are on the same subnet as the web server, that further eliminates any need for routing, as long as they can see the correct MAC address.
Andy
That is what I am not understanding. They can see the .180 IP but the proxy .190 IP they cannot route to, but they can route to the internet.
What does traceroute to non working IP show? Where does it fail?
Andy
It fails on the VIP for the isolated VLAN on the cluster.
And if you do fw monitor on the fw you see the same?
Andy
Pretty good SK here, too: How to configure NAT Loopback (Hairpin NAT / NAT Reflection) on Check Point Security Gateway. Same process described in PB's link. Gotta hide NAT the source IP so reply traffic from the web server goes back through the firewall instead of directly to the client.
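The reason the hide NAT is needed is easy to see when the two paths are traced packet by packet. The following is an added simulation written for this page, not code from Check Point or from anyone in the thread. It reuses the thread's (randomised) addresses and assumes two values the thread does not state: 172.16.64.1 as the cluster VIP on the isolated VLAN (the clients' default gateway) and 172.16.64.50 as a testing client on that VLAN. Without the hide NAT the server's reply is on-subnet and goes straight to the client, which is still waiting for an answer from 13.211.91.190 and so times out; with the hide NAT the reply is addressed to the firewall, which reverses both translations.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Addresses from the thread (the poster says they are randomised stand-ins)
ISOLATED_NET = ip_network("172.16.64.0/18")
WEB_SERVER_PRIVATE = "172.16.64.242"
WEB_SERVER_PUBLIC = "13.211.91.190"
# Assumptions for the simulation (not stated in the thread)
FW_ISOLATED_VIP = "172.16.64.1"   # cluster VIP on the isolated VLAN, the clients' default gateway
CLIENT = "172.16.64.50"           # constructed testing client on the same VLAN as the web server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def route_from(host: str, dst: str) -> str:
    """Where a host on the isolated VLAN sends a packet: straight to the peer (same
    subnet, resolved by ARP) or to the firewall (its VIP, or off-subnet via the gateway)."""
    if dst == FW_ISOLATED_VIP or ip_address(dst) not in ISOLATED_NET:
        return "firewall"
    return "direct"


class Firewall:
    """Minimal stateful NAT: static destination NAT for the published address, and
    optionally a hide (source) NAT for requests arriving from the isolated VLAN."""

    def __init__(self, hide_source: bool):
        self.hide_source = hide_source
        self.connections = {}   # translated 4-tuple -> original request packet
        self.log = []

    def forward(self, pkt: Packet):
        if pkt.dst == WEB_SERVER_PUBLIC:
            # New request for the published address: rewrite destination to the real server
            out = replace(pkt, dst=WEB_SERVER_PRIVATE)
            if self.hide_source and ip_address(pkt.src) in ISOLATED_NET:
                # Hairpin case: hide the client behind the firewall's own VLAN address so
                # the server's reply is addressed to the firewall, not to the client directly
                out = replace(out, src=FW_ISOLATED_VIP)
            self.connections[(out.dst, out.dport, out.src, out.sport)] = pkt
            self.log.append(f"fw: {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport} "
                            f"forwarded as {out.src}:{out.sport}->{out.dst}:{out.dport}")
            return out
        # Anything else is treated as a reply: undo the translation from the connection table
        orig = self.connections.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            self.log.append(f"fw: reply {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport} "
                            f"matches no connection, dropped")
            return None
        out = replace(pkt, src=orig.dst, dst=orig.src)
        self.log.append(f"fw: reply {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport} "
                        f"forwarded as {out.src}:{out.sport}->{out.dst}:{out.dport}")
        return out


def simulate(hide_source: bool):
    """Run one request/reply exchange; return (client_got_valid_reply, trace_lines)."""
    fw = Firewall(hide_source)
    request = Packet(src=CLIENT, dst=WEB_SERVER_PUBLIC, sport=40000, dport=80)
    # The public address is off-subnet, so the client hands the request to its gateway
    assert route_from(CLIENT, request.dst) == "firewall"
    on_wire = fw.forward(request)

    # The server answers whatever source address it saw in the request
    reply = Packet(src=on_wire.dst, dst=on_wire.src, sport=on_wire.dport, dport=on_wire.sport)
    if route_from(WEB_SERVER_PRIVATE, reply.dst) == "firewall":
        reply = fw.forward(reply)
    else:
        fw.log.append(f"server: {reply.dst} is on my subnet, replying directly (firewall bypassed)")

    # The client only accepts a reply that comes from the 4-tuple it connected to
    ok = (reply is not None and reply.src == WEB_SERVER_PUBLIC and reply.sport == 80
          and reply.dst == CLIENT and reply.dport == 40000)
    fw.log.append("client: reply accepted" if ok else
                  f"client: reply from {reply.src if reply else 'nobody'} is not "
                  f"{WEB_SERVER_PUBLIC}:80, still waiting, connection times out")
    return ok, fw.log


if __name__ == "__main__":
    for hide in (False, True):
        print(f"--- hide NAT for isolated-VLAN clients: {hide}")
        for line in simulate(hide)[1]:
            print(line)
```

Run it as a script to see both traces. The "firewall bypassed" line in the first run is the asymmetric return path the thread is describing: nothing is blocked on the gateway, the reply simply never passes through it, which is why the poster sees a timeout rather than a drop in the logs.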
That is nice, with pictures so I don't get confused. I'm really interested in the client #2 to Web Server part, so I will dig through that. Thank you.
