This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Rob_Shears
Contributor
‎2022-04-20 12:24 PM

Is NAT required for a ClusterXL vip outbound?

I just setup a brand new ClusterXL security gateway. eth0 has a WAN facing ip as it's VIP, say X.X.X.X/30. It's a public /30, with the router ahead of me holding 1 of 2 other IPs. so the the non-virtual IPs on that interface are on 172.17.0.0/30.

Just trying to get some basic routing going.

When I ping X.X.X.X from the outside, I see it hit the FW. Be allowed but NAT'ed to 1 of the 172.17.0.0s and no reply is received by the remote end.

 

Outbound, if I ssh into one of the gateways, for starters I cannot ping -I X.X.X.X/30 8.8.8.8. It says cannot assign requested address. Maybe this is expected.

A regular attempt at a ping is also seen on the firewall but get's NAT'ed to the the Cluster VIP of my management network (Y.Y.Y.Y/24). No reply is seen on my end here either.

Both show up as NAT Rule Number 0.

eth0 is defined as the only external in topology

ICMP Requests in Global Properties are checked on.

Surely, NAT isn't required here when its meant for hosts BEHIND the gateway, no?

I feel like I'm missing something.

0 Kudos
11 Replies
the_rock
MVP Diamond
MVP Diamond
‎2022-04-20 12:50 PM

Well, for outbound access, it has to be natted, otherwise, clients wont be able to access the Internet with non-routable IP address. Now, for inbound, you need static NAT. Or am I missing totally whats not working here?

 

Best,
Andy
"Have a great day and if its not, change it"
Rob_Shears
Contributor
‎2022-04-20 03:15 PM
In response to the_rock

This is landing on the CP gateway itself (its WAN address) or in the 2nd ecample, direct from the CP gateway.

0 Kudos
PhoneBoy
Admin
Admin
‎2022-04-20 02:46 PM

There is an option in the gateway object to hide behind the gateway IP.
Is that checked? 

0 Kudos
Rob_Shears
Contributor
‎2022-04-20 03:16 PM
In response to PhoneBoy

Yes i tried checking it but it made no difference. i also dont understand why NAT would be required from the CP gateway holding the IP in question itself.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2022-04-20 03:18 PM
In response to Rob_Shears

K...can you please give us an example of EXACTLY what is not working? Either inbound or outbound? Basic network topology/diagram would also help.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Rob_Shears
Contributor
‎2022-04-26 06:27 AM
In response to the_rock

I cannot ping the gateway ClusterXL VIP.

 

Diagram:



Traffic is seen in the firewall log as accepted, but no reply is received:

Rob_Shears_1-1650979388775.png


Output of: fw monitor -e 'accept(src=82.X.X.249 or dst=82.X.X.249);'




Pinging 82.X.X.249 from the security gateway itself using: ping -I eth0 82.X.X.249 DOES work.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2022-04-26 06:32 AM
In response to Rob_Shears

Just run fw ctl zdebug + drop | grep x.x.x.x on the ssh and see what you get. Replace with proper IP address.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Rob_Shears
Contributor
‎2022-04-26 06:48 AM
In response to the_rock

not seeing any drops for icmp. 

0 Kudos
Rob_Shears
Contributor
‎2022-04-26 08:35 AM
In response to Rob_Shears

Having tried a similar IP scheme with a PFSense Clone - i know it works.

0 Kudos
Rob_Shears
Contributor
‎2022-04-26 09:02 AM
In response to Rob_Shears

Right so now I'm a little confused on how clustering is supposed to work.



This was enough to see some public TCP traffic arriving on the Checkpoint. But I was unable to ping outside-> inside or vice versa. I also saw a change in Gaia's "routing monitor" once this was configured in SmartConsole.

In a dire attempt, I added the 82.x.x8.250/30 to Gaia Web UI as an alias to eth0 on cp-gw-1 and it now appears to be working w/ cp-gw-2 shut down.

But this is a virtual IP in a /30 (meaning only 2 addresses, one of which is my default g/w). How could I possibly assign the same alias to cp-gw-2 w/out them clashing?

0 Kudos
Rob_Shears
Contributor
‎2022-04-26 12:28 PM
In response to Rob_Shears

I'm trying to follow this to the letter now to workaround the issue: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

After setting scopelocal, I can ping the upstream gateway (82.x.x8.249) from internal clients, but can't reach past that. I get "IP routing failed (ipout routing failure)". 

It appears that my default route isn't entering the route table:




Edit: after reading the SK and this thread: https://community.checkpoint.com/t5/Security-Gateways/ClusterXL-Different-Subnet-Configuration/td-p/...

I rebooted and things started working.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events