Graham1
Contributor

DHCP from ISP (nat issue perhaps)

For a quick background:

At our main building we have a standalone 6700 with static WAN IPs. I have set up a new 3600 at our branch office; however, it is using a DHCP WAN IP.

When I migrated our ISP from an older CheckPoint 1100 to the new 3600 I noticed L3 traffic was failing.  Pings work fine so I assume L2 is good. 

There is already a TAC case open, but I had a light bulb moment, could this be a NAT issue?

Our 6700 has static NAT (IP based) for internal networks, attached image for reference. Our 3600 will be using hide NAT for internal networks; however, the option "Hide internal networks behind the Gateway's external IP" is disabled. Not sure if I did this or if it is the default setting.

While troubleshooting last week, I noticed none of the logs had any NAT entries.  

I have limited maintenance windows, so having as much information as possible would be really helpful.

Thank you in advance.

1 Solution

Accepted Solutions
Graham1
Contributor

I spent some time with support and it ended up being a routing issue.
For the default route I had selected the interface pointing to the ISP. When this was switched to the ISP gateway, the issue was resolved and the NAT (and NAT entries in the logs) worked as expected.

Good to know the default for Hide Nat so thank you both for filling that knowledge gap.

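The two things this thread ends up checking, written up as an added example (not part of the original post and not Check Point tooling): whether the default route's next hop is a gateway address rather than a bare interface, and whether internet-bound connections in the logs actually show a translated source. Route entries, the WAN subnet, the internal range and the log records are all constructed; the log field names (src, dst, xlatesrc) follow Check Point Log Exporter naming and are assumed here.

```python
"""Sanity checks for the symptom in this thread: outbound traffic that never
gets hide-NATed because the default route points at an interface instead of
the ISP gateway address. Every record below is constructed for illustration."""
import ipaddress

# Constructed static-route entries; 'nexthop' is either a gateway IP or an
# interface name (the misconfiguration described in the accepted solution).
ROUTES_BAD = [{"dest": "default", "nexthop": "eth1"}]
ROUTES_GOOD = [{"dest": "default", "nexthop": "203.0.113.1"}]
WAN = ipaddress.ip_network("203.0.113.0/29")  # constructed ISP-assigned WAN subnet


def check_default_route(routes, wan_net=WAN):
    """Return a list of problems with the default route (empty if it looks sane)."""
    problems = []
    defaults = [r for r in routes if r["dest"] == "default"]
    if not defaults:
        return ["no default route configured"]
    for r in defaults:
        try:
            gw = ipaddress.ip_address(r["nexthop"])
        except ValueError:
            # Not an address, so it is an interface-only default route.
            problems.append(f"default route next hop is interface {r['nexthop']!r}, not a gateway address")
            continue
        if gw not in wan_net:
            problems.append(f"gateway {gw} is not inside WAN subnet {wan_net}")
    return problems


# Constructed log records using Log Exporter-style field names (assumed);
# an empty xlatesrc means no source translation took place.
INTERNAL = ipaddress.ip_network("10.20.0.0/16")
LOGS = [
    {"src": "10.20.1.15", "dst": "8.8.8.8", "xlatesrc": ""},
    {"src": "10.20.1.16", "dst": "1.1.1.1", "xlatesrc": "203.0.113.2"},
    {"src": "10.20.1.17", "dst": "10.20.2.5", "xlatesrc": ""},  # internal to internal, no NAT expected
]


def untranslated_outbound(records, internal=INTERNAL):
    """Return (src, dst) pairs for flows leaving the internal range whose source was not hide-NATed."""
    missing = []
    for rec in records:
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if src in internal and dst not in internal and not rec.get("xlatesrc"):
            missing.append((rec["src"], rec["dst"]))
    return missing


if __name__ == "__main__":
    print(check_default_route(ROUTES_BAD))   # flags the eth1 next hop
    print(check_default_route(ROUTES_GOOD))  # []
    print(untranslated_outbound(LOGS))       # [('10.20.1.15', '8.8.8.8')]
```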

4 Replies
Chris_Atkinson
Employee

Was the 1100 also centrally managed, have you compared the config?

The "Hide internal networks behind the Gateway's external IP" option is not enabled by default. 

Typically both methods of enabling NAT aren't used concurrently for a GW but this option can come in handy for DAIP gateways.

CCSM R77/R80/ELITE
the_rock
Legend

As @Chris_Atkinson mentioned, that global hide NAT option on the gateway is NOT enabled by default. Now, if you prefer to hide NAT subnets (networks) on the object, then you can certainly do so, but the global option will hide all internal networks (hosts) behind the external IP of the firewall. If you don't see any NAT taking place in the logs for outgoing traffic, to me logically, that would indicate source NAT not taking place, so you are definitely pointing in the right direction.


the_rock
Legend

Good deal, tx for the update!!

