This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Enrique
Explorer
‎2020-02-12 09:17 AM

Mobile Access with NAT in the firewall

Hello everyone,

 

After reading so many post here, I decided to join the community and this is my first post. 

 

I'm configuring a Mobile Access  from scratch. The MAP (Mobile Access Portal) is accessible through all interfaces. In the external interface we have private IP address configured, and so the ISP router (let's say 10.0.0.0/24. And .1 is the cluster floating IP, .1 and .2 are the gateway's IPs and .5 is the router). The router just forward all the traffic from a certain public IP address range (let's say 70.0.0.0/29).

 

I would like the MAP be accessible through one of the public IPs (70.0.0.1 for example). I tried several NAT rules to translate the 70.0.0.1 to the floaing IP address of the cluster (10.0.0.1). Also I tried to use the dynamic Object "LocalMachine".

 

From the traffic captures that I performed, I see that:

  • When I access to the floating IP address (https://10.0.0.1/sslvpn), the portal is reachable.
  • When I access to the public IP address (https://70.0.0.1/sslvpn), I see that the firewall is performing the NAT in the incoming traffic, but it is answering with RST packet to every SYN packet that it receive from this connection.

 

Any help?

0 Kudos
2 Replies
Norbert_Bohusch
Advisor
‎2020-02-12 10:46 AM

How are clients behind the gateway reaching the internet? Is the router doing a hide-NAT? If yes, best would be to also let it do the inbound NAT!
0 Kudos
Enrique
Explorer
‎2020-03-04 10:51 AM
In response to Norbert_Bohusch

Hello,
The ISP router is just "routing" the traffic to the firewall. It's the firewalls who are NATing all the traffic.

I found a workaround by configuring the public IP address as loopback in the gateways. This allows the firewall to answer properly to the MAP or other VPNssl connection (VPN capsule or Mobile Client).
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events