This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
benlef
Explorer
‎2022-06-03 08:22 AM

NAT issue

Hello,


I have an issue with NAT to access to interne service from internet.

I have a server wich run sftp service, it's in the subnet A

I have also a reverseProxy wich is in an other subnet B.

So when query arrive from internet on public ip address, Checkpoint NAT it to the reversproxy, and the reverse proxy forward to the internal server.


But, It doesn't work.
when I check the log, I see pass log from external ip address to my public ip address, it's good for me.

But, I also see a query from external ip address to my serveur sftp (internal) while I just tap public ip address :22, with state "Detect"

I put a pic, bbox.fr(62.....) it's from internet, Ip_nat_176 it's my public ip and sftp_10 it's internal serveur


Have you any ideas to help me ?


Thank you

Preview file
176 KB
0 Kudos
7 Replies
the_rock
MVP Platinum
MVP Platinum
‎2022-06-03 10:20 AM

Can you put a screenshot of the actual nat rule in place?

Andy

Best,
Andy
0 Kudos
benlef
Explorer
‎2022-06-07 12:36 AM
In response to the_rock

Yes of course

the "Kemp" object is reverse proxy

Preview file
41 KB
0 Kudos
Vladimir
Champion
Champion
‎2022-06-03 11:42 AM

What is the content of the Information field of the logs allowing direct connectivity?

It is difficult to tell based on the information you have provided, but I wander if these logs are expected if "X-Forwarded for" is enabled in this policy layer.

benlef
Explorer
‎2022-06-07 01:41 AM
In response to Vladimir

I send you the sreenshots

About X-forwarded , can you tell me if you talk to me about this parameter on screenshot "x-for" please

Preview file
95 KB
Preview file
69 KB
Preview file
79 KB
0 Kudos
Sorin_Gogean
Advisor
‎2022-06-07 04:51 AM

So, I still don't see the problem you are talking about.

The logs show properly what is happening, no errors or smth like that.

The Detect that you see, it comes from IPS, and if it was blocking it, you would see it as Prevent.

 

Also the NAT rule is correct.

 

So you say that with that rule, the SSH session doesn't work or what? What is the error you see.

Had you run some captures on either sides ?

Thank you,

PS:  the "X-Forwarded for" is about  HTTP/S headers, doesn't apply to SSH or SFTP traffic. 

PS2: the Public IP you use is the same with the one on the GW - facing Internet - or is a different IP ? 

0 Kudos
benlef
Explorer
‎2022-06-07 06:45 AM
In response to Sorin_Gogean

the line on state "Detect" shouldn't be happening.

Because I just send request to public IP, then NAT it to the reverse proxy
But, as we can see, I send request to internal server but I don’t know how.

My original request is ok, but I don’t connect to the server  sftp. I have a timeout

PS2: the Public IP you use is the same with the one on the GW - facing Internet - or is a different IP ?
It's two different IP

 

 

0 Kudos
Sorin_Gogean
Advisor
‎2022-06-07 09:26 AM
In response to benlef

"the line on state "Detect" shouldn't be happening." - Initially I was thinking that is because of IPS, and that will happen on every traffic depending on your IPS rules. And like I said, it's a Detect (so it's catching things but allowing them) not a Prevent (this it will catch things and DENY them)  

But in your case, the DETECT is coming from Firewall Blade and it's an Address Spooofing 🙂 

So please check and see that the IP's are set correctly on the interfaces, and you have proper Spoofing set....

Is Internal Destination IP (10.xxxx) part of bond1.912 ?!?!?!?!?!

 

Capture.JPG

 

Ty,

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events