Firewall_Head
Explorer
Manual DNAT rule is not working

Hi Checkmates,

I have a standalone box on a VM, and I'm trying to create a DNAT rule for servers that are directly connected to the CP box.

#################

Firewall interfaces :

10.10.10.101 - eth0

20.20.20.101 - eth2

#################

I have servers behind each of these interfaces, and I'm trying to create a DNAT for the web server manually. Below are the steps that I followed.

1. Created a DNAT rule.

2. Created a proxy ARP entry in the WebUI.

3. Enabled manual proxy ARP in the global config.

4. Installed the policy.

Web server 10.10.10.10

Client - 20.20.20.10

##############

Below is the proxy ARP output from the CLI:

[Expert@CheckPoint_SA:0]# fw ctl arp
(20.20.20.105) at 00-0c-29-12-90-66
[Expert@CheckPoint_SA:0]# ifconfig eth2
eth2 Link encap:Ethernet HWaddr 00:0C:29:12:90:66
inet addr:20.20.20.101 Bcast:20.20.20.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2854 errors:0 dropped:0 overruns:0 frame:0
TX packets:180 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:265199 (258.9 KiB) TX bytes:10990 (10.7 KiB)

==========

I have attached screenshots of the NAT rule and the access rule.

Can someone please help me figure out what's happening here!

=========

WR,

FH

Chris_Atkinson
Employee

Is Linux_2 the client and Linux_1 the server?

CCSM R77/R80/ELITE
Firewall_Head
Explorer

Yes, @Chris_Atkinson.

Chris_Atkinson
Employee

Can the client learn the ARP? Any drop logs?

If this is VMware, is it configured per sk101214?

CCSM R77/R80/ELITE
Firewall_Head
Explorer

Hi @Chris_Atkinson,

If you take a look at my proxy ARP output, the MAC of eth2 and the MAC of the NAT IP are the same. Is this expected?

Also, I'm seeing drops for the traffic initiated to the NAT IP; it is matched by the cleanup rule. I'm a little confused here. I have used the real IP in the access control policy; can that be the reason?

=====

WR,

FH

Chris_Atkinson
Employee
(Accepted solution)

The proxy-ARP MAC should match the interface MAC from the same subnet.

Yes, the traffic must be accepted by the access policy (NAT IP).

If you used NAT on the object itself, elements of the policy may appear different by comparison.

CCSM R77/R80/ELITE
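An added check for the point in this answer (not code from the thread or from Check Point): a small Python script that parses `fw ctl arp` and `ifconfig` output of the shape the OP posted and reports, for each published proxy-ARP address, whether its MAC matches the MAC of the gateway interface on that address's subnet. The sample output is constructed from the thread's listings; the eth0 MAC is made up.

```python
import ipaddress
import re
# Constructed sample output, modelled on the thread's `fw ctl arp` and
# ifconfig listings (eth0 MAC made up). The gateway prints proxy-ARP MACs
# with dashes and interface MACs with colons, so both forms are normalised.
FW_CTL_ARP = "(20.20.20.105) at 00-0c-29-12-90-66\n"
IFCONFIG = """\
eth0 Link encap:Ethernet HWaddr 00:0C:29:12:90:5C
inet addr:10.10.10.101 Bcast:10.10.10.255 Mask:255.255.255.0
eth2 Link encap:Ethernet HWaddr 00:0C:29:12:90:66
inet addr:20.20.20.101 Bcast:20.20.20.255 Mask:255.255.255.0
"""
def norm_mac(mac):
    # '00-0c-29-..' and '00:0C:29:..' compare equal after this
    return mac.replace("-", ":").lower()

def parse_proxy_arp(text):
    # `fw ctl arp` prints one '(ip) at mac' line per published address
    pat = r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9A-Fa-f:-]{17})"
    return {ip: norm_mac(mac) for ip, mac in re.findall(pat, text)}

def parse_ifconfig(text):
    # returns (ifname, mac, network) for each interface with an IPv4 address
    ifaces, name, mac = [], None, None
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+Link encap:\S+\s+HWaddr (\S+)", line)
        if m:
            name, mac = m.group(1), norm_mac(m.group(2))
            continue
        m = re.search(r"inet addr:(\S+).*Mask:(\S+)", line)
        if m and name:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            ifaces.append((name, mac, net))
    return ifaces

def check_proxy_arp(arp_text, ifconfig_text):
    # For every published IP, find the interface on that subnet and confirm
    # the proxy-ARP MAC is that interface's own MAC (what the answer expects).
    ifaces = parse_ifconfig(ifconfig_text)
    report = {}
    for ip, mac in parse_proxy_arp(arp_text).items():
        addr = ipaddress.ip_address(ip)
        hit = next(((n, m) for n, m, net in ifaces if addr in net), None)
        if hit is None:
            report[ip] = "no interface on this subnet"
        elif hit[1] != mac:
            report[ip] = f"MAC mismatch: published {mac}, {hit[0]} has {hit[1]}"
        else:
            report[ip] = f"ok: matches {hit[0]}"
    return report
```

Run it against real output by pasting the two command listings into the constants; a mismatch or "no interface" line is the thing to fix before looking at the access policy.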
Firewall_Head
Explorer

Thanks, @Chris_Atkinson, it's working now.

Have a great day!

=======

WR

FH
