CarlosDias
Contributor

DNS NAT - sk34295

Hi,

I need the feature DNS NAT described on sk34295.

Configured it, but seems not to work.

I am running R81.10

How can I debug the cause?

Regards

0 Kudos
11 Replies
the_rock
Legend

The latest version listed there is R81. You may want to confirm with TAC whether the same applies to R81.10.

Best,

Andy

0 Kudos
PhoneBoy
Admin

No reason it shouldn't work in R81.10.
We need to find out more about the configuration you've attempted with a simple network diagram.

0 Kudos
CarlosDias
Contributor

Hi,

Network diagram is very easy.

There is an internal network that goes to the internet via a Check Point firewall.

This network has an internal DNS server and several other servers that go to the internet by a NAT address configured on the Check Point.

Customer also has some users on the internet that resolve on this internal DNS, for the internal hosts.

We used this sk but the dns lookup still returns the internal addresses.

Regards

0 Kudos
_Val_
Admin

In your described scenario, you do not need sk34295. You need your internal DNS server to be available on the internet, which means a simple host or port address translation rule, depending on whether or not you have a spare IP address. Then your users should define that external IP address as their primary DNS server.

0 Kudos
CarlosDias
Contributor

Hi,

The internal DNS is available from internet. It has a NAT address on the FW and the external users use this address. 

But that is not the question.

This DNS also resolves internal servers to internal addresses. These servers also have a NAT address on the FW.

The problem is that external users, when resolving the names of these servers, receive the internal address, which is useless.

What we need is that the Check Point understands that it must translate the response to the NAT addresses, so that external users can access these internal servers.

0 Kudos
the_rock
Legend

You may want to open TAC case for this.

0 Kudos
Lloyd_Braun
Collaborator

The way I am reading this, and the way NAT rules are typically configured, the fw is looking for a public IP DNS response to translate to the internal IP address (original IP). You may be able to make this work with a "dummy" NAT rule configured in the other direction, but I am not saying that is a great idea. 

The NAT DNS payload requires static NAT rules in which the DNS response that needs to be translated is set as the original destination, and the requested translation for it is the translated destination.

0 Kudos
CarlosDias
Contributor

Hi,

I already configured the static NAT rules as requested by the sk.

It does not work.

0 Kudos
Lloyd_Braun
Collaborator

The way I am reading that SK, it is describing a scenario where DNS resolves records to the public IP and the firewall changes DNS payload to the internal IP. So you have a different use case, wanting to NAT DNS payload from private to public IP. You could put a test DNS record in with the public IP to see if that DNS rewrite mechanism is working in the other direction. (rewriting original destination IP to xlate destination IP as opposed to xlated destination IP to original destination IP)

0 Kudos
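The direction question raised above, illustrated with an added Python example that is not from the thread or from Check Point: it rewrites A records in a DNS response according to a static one-to-one map, the way a DNS payload NAT does, so you can see which address a given mapping acts on. The domain and addresses are constructed for the example.

```python
import socket
import struct

def _skip_name(msg, off):
    """Return the offset just past a DNS name, handling RFC 1035 compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer ends the name
            return off + 2
        off += 1 + length
def _iter_a_records(msg):
    """Yield (rdata_offset, ipv4) for every type-A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off, socket.inet_ntoa(msg[off:off + 4])
        off += rdlen
def answer_ips(msg):
    """A-record addresses in a response, in order."""
    return [ip for _, ip in _iter_a_records(msg)]
def rewrite_a_records(msg, nat_map):
    """Apply a static NAT map {ip_in_answer: translated_ip}; returns (new_msg, count).
    Only the 4-byte rdata is overwritten, so offsets and message length never change."""
    out = bytearray(msg)
    hits = 0
    for off, ip in _iter_a_records(msg):
        if ip in nat_map:
            out[off:off + 4] = socket.inet_aton(nat_map[ip])
            hits += 1
    return bytes(out), hits
def build_response(name, ips):
    """Constructed sample response: one question plus one A record per IP."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(ips), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
                   for ip in ips)
    return hdr + qname + struct.pack("!HH", 1, 1) + rrs
# Constructed addresses (RFC 1918 / RFC 5737 ranges), not the poster's network. The map is
# keyed by the address found in the answer, i.e. the internal -> public direction wanted here.
INTERNAL_TO_PUBLIC = {"10.1.1.20": "203.0.113.20", "10.1.1.21": "203.0.113.21"}
```

A map keyed the other way round (public address as the lookup key) matches nothing in a response that carries internal addresses, which is the mismatch between the sk's scenario and this one.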
CarlosDias
Contributor

Hi,

Well, on the sk it is written:

The regular NAT rules used to translate the internal servers will suffice. There is no need to define special NAT rules in addition to the regular ones defined.

So I imagined this sk assumes the DNS is internal, and outside users authorized to resolve on this internal DNS server should have the DNS payload changed to the IPs of the NAT rules.

But I may be wrong.

This is how other manufacturers do it!!!

the_rock
Legend

All valid points...

0 Kudos