This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
H2-F1
Participant
‎2020-07-07 06:54 AM

NAT Source Port manipulation

Hello Checkmates

 

I'm currently dealing with an issue for a client and need some guidance from the community.

 

I have attached a diagram showing the traffic flow. which I have summarised below:

The client establishes a site to site VPN from their location C to their location A. All traffic flows through a Checkpoint Firewall running R80.x (think of it like we are their ISP), at the point of exit we NAT the traffic from their source IP (C) to ours (B) as well as change the source port number to Y.

 

The issue is that when the VPN fails for any reason and reestablishes, it is renatted to a different source Port (Z) which is seen as a new tunnel at the destination and this breaks the clients communication as all comms should remain on the original port (Y). 

The question: Is there a way to set a NAT or anything else on the firewall that woud say, if traffic is sourced from IP address C then use permanently source port Y. I suspect that I would also have to put some sort of reservation on that port so that it is not used. but I'm not sure that this is possible.

 

Any insights/thoughts would be appreciated.

 

Thanks

 

 

Preview file
168 KB
0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2020-07-08 04:17 PM

Unfortunately, the diagram doesn't really clarify the situation at all.

Is Site C terminating VPN on Site B or only going through Site B to terminate on Site A?
Also, are you doing a static NAT or a hide NAT?
Because a static NAT would not change the source port at all from what the client specifies.
When you are doing a hide NAT, you have zero control over the source port and can't specify/change it to suit your desires.
0 Kudos
H2-F1
Participant
‎2020-07-10 04:01 AM
In response to PhoneBoy

Hi Dameon

the VPN is initiated by Site C goes through Site B where it is natted (Hide NAT) and terminates on Site A. Based on the information you provided we would need to change the nat to a static NAT.

Would you know if there is a way to do a dynamic nat pool, the address wouldn't be a 1-to-1 but for that session + x Hours it wouldn't change (like a DHCP lease), if the session drops for more than an hour it'll pick up the same public IP again when it reconnects.
0 Kudos
PhoneBoy
Admin
Admin
‎2020-07-10 11:05 AM
In response to H2-F1

There is IP Pool NAT available, but I don't think the timeout is adjustable and, offhand, not sure what the timeout is.
Enable it in Global Properties:

Screen Shot 2020-07-10 at 11.02.20 AM.png

Then you can change the settings in the relevant gateway object: 

Screen Shot 2020-07-10 at 11.03.21 AM.png

See also: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
H2-F1
Participant
‎2020-07-10 11:17 AM
In response to PhoneBoy

Excellent,

The article you referred shows that the IP NAT Pool timer is configurable. I will give this a try and let you know how we get on.

IP-NAT-Pool.PNG

Thank you.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events