DHCP from ISP (nat issue perhaps)
For a quick background:
At our main building we have a standalone 6700 with static WAN IPs. I have set up a new 3600 at our branch office; however, it is using a DHCP WAN IP.
When I migrated our ISP from an older Check Point 1100 to the new 3600, I noticed L3 traffic was failing. Pings work fine, so I assume L2 is good.
There is already a TAC case open, but I had a light-bulb moment: could this be a NAT issue?
Our 6700 has static NAT (IP based) for internal networks; attached image for reference. Our 3600 will be using hide NAT for internal networks; however, the option "Hide internal networks behind the Gateway's external IP" is disabled. Not sure if I did this or if it is the default setting.
While troubleshooting last week, I noticed none of the logs had any NAT entries.
I have limited maintenance windows, so having as much information as possible would be really helpful.
Thank you in advance.
Accepted Solutions
I spent some time with support and it ended up being a routing issue.
For the default route I had selected the interface pointing to the ISP. When this was switched to the ISP gateway, the issue was resolved and the NAT (and NAT entries in the logs) worked as expected.
Good to know the default for Hide NAT, so thank you both for filling that knowledge gap.
Was the 1100 also centrally managed, and have you compared the config?
The "Hide internal networks behind the Gateway's external IP" option is not enabled by default.
Typically both methods of enabling NAT aren't used concurrently for a GW but this option can come in handy for DAIP gateways.
As @Chris_Atkinson mentioned, that global hide NAT option on the gateway is NOT enabled by default. Now, if you prefer to hide NAT subnets (networks) on the object, then you can certainly do so, but the global option will hide all internal networks (hosts) behind the external IP of the firewall. If you don't see any NAT taking place in the logs for outgoing traffic, to me logically, that would indicate source NAT not taking place, so you are definitely pointing in the right direction.
Good deal, tx for the update!!
