AaronPW
Contributor

Accessing a proxied NAT IP from isolated network

Hello.  We have a setup on the site we are doing the VPN config on that is giving me fits and maybe you can point me in the right direction. 

The public VIP of the firewall is 13.211.91.180. 

We have an isolated internal network that is on the 172.16.64.0/18 subnet.

Inside that network at 172.16.64.242 is a web server that is publicly accessible via a NAT’d IP of 13.211.91.190, which is in the proxy ARP table of the gateway and configured via a manual NAT config with access policies.

Externally that website works fine and is fully accessible so the NAT does work. 

The issue we have is that we need our testing customers who are also in that 172.16.64.0/18 network to be able to access that website via the public IP. I am not having any luck making this work. The config used to work on a Cisco ASA setup, but I'm just not sure what is not working on this.

I don’t see anything being blocked on the firewall when I attempt to access it internally, it just times out.

If I trace out from a host in this isolated network I can hit the internet, the public VIP of the firewall and the WAN gateway. But I cannot ping or trace to any of the entries that are set up in the proxy ARP table of the firewall. Those traces just die when they hit the VIP of the isolated network on the firewall. But traces to other destinations hit that IP, then hit the firewall gateway, then the remote IP they are accessing.

Not sure how to resolve this.

*I've used random IPs instead of the actual ones.

Chris_Atkinson
Employee

Look into sk108600 Scenario 3 if not already.

CCSM R77/R80/ELITE
PhoneBoy
Admin

This requires a specific NAT rule to be configured to work correctly.
See: https://community.checkpoint.com/t5/Security-Gateways/Traffic-flow-in-between-C-to-S-via-Firewall-Ho...

AaronPW
Contributor

I will check that out, thank you. Though it mentions that I need to block the connection between the two from the router. On this network all routing is done on the Check Point cluster, and the internal network and isolated networks all run over L2 switches with their VLANs routed on the Check Point. Not sure if that is going to change anything. Also, all the hosts I'm worried about are going to be on the same network as the web server, and they need to access other things in that isolated network. I will read through that article you posted; again, thank you.

the_rock
Legend

If it's an L2 device, then there is really no routing involved. Plus, if those hosts are on the same subnet as the web server, that further eliminates any need for routing, as long as they can see the correct MAC address.

Andy

AaronPW
Contributor

That is what I am not understanding. They can see the .180 IP but the proxy .190 IP they cannot route to, but they can route to the internet. 

the_rock
Legend

What does traceroute to non working IP show? Where does it fail?

Andy

AaronPW
Contributor

It fails on the VIP for the isolated VLAN on the cluster. 

the_rock
Legend

And if you do fw monitor on the fw you see the same?

Andy

Lloyd_Braun
Collaborator

Pretty good sk here, too: How to configure NAT Loopback (Hairpin NAT / NAT Reflection) on Check Point Security Gateway -- same process described in PB's link. Gotta hide NAT the source IP so reply traffic from the web server goes back through the firewall instead of directly to the client.
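An added example, not code from the thread or from Check Point: a small Python model of the hairpin flow described above, showing why the internal client's source must be hide-NATed for the reply to come back through the firewall. It uses the thread's addresses (13.211.91.190 for the public NAT, 172.16.64.242 for the web server) and assumes a constructed client 172.16.64.50 and a constructed cluster VLAN IP 172.16.64.1 standing in for the "VIP of the isolated VLAN" the traces die at.

```python
import ipaddress

ISOLATED = ipaddress.ip_network("172.16.64.0/18")
GW_VLAN_IP = "172.16.64.1"      # constructed: cluster VIP on the isolated VLAN
PUBLIC_WEB = "13.211.91.190"    # static NAT address of the web server (from the thread)
WEB_SERVER = "172.16.64.242"    # web server's real address (from the thread)

class Gateway:
    """Static destination NAT for the web server plus optional hide NAT for
    internal clients, with a connection table so replies can be un-NATed."""
    def __init__(self, hide_internal_source):
        self.hide = hide_internal_source
        self.table = {}  # (translated src, translated dst) -> (orig src, orig dst)

    def outbound(self, src, dst):
        """Translate a client packet heading for the public web IP."""
        if dst != PUBLIC_WEB:
            return src, dst
        new_src = src
        if self.hide and ipaddress.ip_address(src) in ISOLATED:
            new_src = GW_VLAN_IP   # hide the client behind the gateway's VLAN IP
        self.table[(new_src, WEB_SERVER)] = (src, dst)
        return new_src, WEB_SERVER

    def reply(self, src, dst):
        """Reverse both translations for a server reply, if we saw the request."""
        orig = self.table.get((dst, src))
        if orig is None:
            return None
        return orig[1], orig[0]   # client sees src 13.211.91.190, dst itself

def delivered_via_gateway(dst):
    """Inside 172.16.64.0/18 the server delivers at L2 directly; only off-subnet
    destinations (or the gateway itself) pass back through the firewall."""
    return ipaddress.ip_address(dst) not in ISOLATED or dst == GW_VLAN_IP

def simulate(client, hide_internal_source):
    """Return the (src, dst) the client finally sees, or None when the reply
    bypasses the firewall and arrives from 172.16.64.242 instead of .190."""
    gw = Gateway(hide_internal_source)
    s, d = gw.outbound(client, PUBLIC_WEB)
    reply_src, reply_dst = d, s   # the web server answers the packet it received
    if not delivered_via_gateway(reply_dst):
        return None               # asymmetric path: client drops the mismatched reply
    return gw.reply(reply_src, reply_dst)

if __name__ == "__main__":
    print("no hide NAT:", simulate("172.16.64.50", False))  # None
    print("hide NAT:", simulate("172.16.64.50", True))  # ('13.211.91.190', '172.16.64.50')
```

An external client is unaffected either way, which is why the NAT "works fine" from outside while timing out from inside.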

AaronPW
Contributor

That is nice, with pictures so I don't get confused. I'm really interested in the client #2 to web server part, so I will dig through that. Thank you.
