This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
CarlosDias
Contributor
‎2024-02-12 06:21 AM

DNS NAT - sk34295

Hi,

I need the feature DNS NAT described on sk34295.

Configured it, but seems not to work.

I am running R81.10

How can I debug the cause?

Regards

0 Kudos
11 Replies
the_rock
Legend
Legend
‎2024-02-12 06:46 AM

Latest version listed there is R81. You may want to confirm with TAC if same is applicable in R81.10

Best,

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2024-02-13 10:27 AM
In response to the_rock

No reason it shouldn't work in R81.10.
We need to find out more about the configuration you've attempted with a simple network diagram.

0 Kudos
CarlosDias
Contributor
‎2024-02-14 01:08 AM
In response to PhoneBoy

Hi,

Network diagram is very easy.

There is an internal network that goes to internet vi a checkpoint firewall

This network has an internal DNS server and serveral other servers that go to internet by a NAT address configured on the checkpoint.

Customer also has some users on the internet that resolve on this internal DNS, for the internal hosts.

We used this sk but the dns lookup still returns the internal addresses.

Regards

0 Kudos
_Val_
Admin
Admin
‎2024-02-14 01:15 AM
In response to CarlosDias

In your described scenario, you do not need sk34295. You need your internal DNS server to be available on internet, which means simple host or port address translation rule, depending on whether or not you have a spare IP address. Then, your your users should define that external IP address as their primary DNS server. 

0 Kudos
CarlosDias
Contributor
‎2024-02-14 01:43 AM
In response to _Val_

Hi,

The internal DNS is available from internet. It has a NAT address on the FW and the external users use this address. 

But that is not the question.

This DNS also resolves internal servers for internal addresses. This servers also have a NAT address on the FW.

The problem is that external users when resolving the names of this servers, receive the internal address which is useless.

What we need it that checkpoint understands that it must translate the response to the NAT addresses, so that external users could access this internal servers.

0 Kudos
the_rock
Legend
Legend
‎2024-02-14 04:19 AM
In response to CarlosDias

You may want to open TAC case for this.

0 Kudos
Lloyd_Braun
Collaborator
‎2024-02-14 10:50 AM
In response to CarlosDias

The way I am reading this, and the way NAT rules are typically configured, the fw is looking for a public IP DNS response to translate to the internal IP address (original IP). You may be able to make this work with a "dummy" NAT rule configured in the other direction, but I am not saying that is a great idea. 

 

the NAT DNS payload requires static NAT rules in which the DNS response that needs to be translated is set as the original destination, and the requested translation for it is the translated destination.

0 Kudos
CarlosDias
Contributor
‎2024-02-14 12:24 PM
In response to Lloyd_Braun

Hi,

I already configured the static NAT rules as requested by the sk.

Does not work

0 Kudos
Lloyd_Braun
Collaborator
‎2024-02-15 07:54 AM
In response to CarlosDias

The way I am reading that SK, it is describing a scenario where DNS resolves records to the public IP and the firewall changes DNS payload to the internal IP. So you have a different use case, wanting to NAT DNS payload from private to public IP. You could put a test DNS record in with the public IP to see if that DNS rewrite mechanism is working in the other direction. (rewriting original destination IP to xlate destination IP as opposed to xlated destination IP to original destination IP)

0 Kudos
CarlosDias
Contributor
‎2024-02-15 08:05 AM
In response to Lloyd_Braun

Hi,

Well on the sk there is writen:

The regular NAT rules used to translate the internal servers will suffice. There is no need to define special NAT rules in addition to the regular ones defined.

So I imagined this sk assumes the DNS is internal, and ouside users authorized to resolved on this DNS internal server, should have the dns payload changed to the ips of the NAT rules,

But I may be wrong.

This is how other manufactures do !!!

the_rock
Legend
Legend
‎2024-02-15 03:21 PM
In response to Lloyd_Braun

All valid points...

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events