This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kaspars_Zibarts
Employee Employee
Employee
‎2020-03-11 07:18 AM

NAT hide failure, VSX R80.30 with IP range

I have a case for @Timothy_Hall  🙂

We are running VSX R80.30.

There are 10 CoreXL instances, dynamic NAT (sk103656) and SXL NAT templates (sk71200) enabled by default in R80.30

Up until now we used gateway public IP (so single IP) to hide our traffic going to O365 and everything worked without any issues. Dynamic NAT feature handles "hide NAT, dest IP, proto" limitations perfectly.

Today we decided to change the NAT from single IP to IP range (sk140432). Never mind the reasons, but it still should work and technically make it better as we would have more IPs for hide NAT.

BUT! As the sun came up and people returned to work (despite corona virus), we started getting NAT hide failures in logs:

image.png

 

 

 

 

 

 

 

 

 

 

 

 

 

 

We had 20 IPs actually in the IP range. And SK156852 actually says to use port range instead of single IP 🙂 NOT!

image.png

 

 

 

 

The feeling I get with IP range enabled, "dynamic NAT" gets turned off / ignored and gateway returns to static port pools and they would be rather small with 10 FWK cores plus SXL NAT templates enabled.

Any other ideas?

0 Kudos
4 Replies
Wolfgang
Authority
Authority
‎2020-03-19 08:17 AM

@Kaspars_Zibarts 

have a look

"NAT Hide Failure" error in SmartLog / SmartView Tracker "NAT Exhausted Pool" 

Wolfgang

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2020-03-19 09:12 AM
In response to Wolfgang

well, that was the whole point of my article - SK made it worse 🙂 IP range killed the NAT!
0 Kudos
Timothy_Hall
Champion Champion
Champion
‎2020-03-20 01:53 PM
In response to Kaspars_Zibarts

When doing  a many-to-fewer NAT, the same source IP address will always be assigned to the same address pool for source port allocations via a simple modulus function detailed in sk140432.  Could the fact that your range of 20 addresses is not a power of 2 (2,4,8,16, etc.) somehow have led to suboptimal distribution of source addresses between the 20 pools?  I can't remember ever setting up a many-to-fewer NAT to an address range that was not a power of two for some reason; I don't think it is mandatory but I can't remember why I always did it that way either.  🙂  Worth a try?

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2020-03-21 12:29 AM
In response to Timothy_Hall

Thanks Tim! That's a very good point! I'll see how it works next time as I have ready made NAT stats too to have a quick look!

https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/NAT-table-fwx-alloc-top-users/m-p...

 

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events