Hello,
I'm unable to perform the initial SIC between a gateway and a management behind a NAT. I went through all the posts regarding this matter without success.
I've created a dummy object with the NATed IP and created the corresponding NAT rule between the private and NATed IP. The gateway performing the NAT is another Check Point device as well. I've tried with manual static NAT and using the "Add Automatic Address Translation rules" option under the management NAT section, without success.
The traffic is allowed on the gateway and I see the logs for the returning traffic as allowed and translated correctly as well, but when running a tcpdump on the management, the traffic does not reach the management; I only see SYN packets and retransmissions. Is the traffic being consumed by the gateway for some reason?
Management runs R80.10 and gateway R77.30.
Any ideas?
Thanks in advance.
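As an added example that is not part of the original thread: the symptom described above (only SYNs and retransmissions in the capture) can be confirmed mechanically by parsing tcpdump output and listing TCP flows that sent a SYN but never received a SYN-ACK. The Python below does that over constructed sample lines; the addresses, the ports treated as SIC ports (18211, 18191) and the sample capture are assumptions for illustration, not data from the post.

```python
import re
from collections import defaultdict

# Constructed sample tcpdump output (illustration only, not taken from the
# original thread). The first three lines mimic the symptom in the post: a
# gateway (10.1.1.1, assumed) retransmitting SYNs to the management's SIC
# port with no SYN-ACK ever coming back. The last three lines are a healthy
# SSH handshake for contrast.
SAMPLE_TCPDUMP = """\
10:01:02.100001 IP 10.1.1.1.45678 > 192.168.0.10.18211: Flags [S], seq 1000, win 29200, length 0
10:01:03.100101 IP 10.1.1.1.45678 > 192.168.0.10.18211: Flags [S], seq 1000, win 29200, length 0
10:01:05.100201 IP 10.1.1.1.45678 > 192.168.0.10.18211: Flags [S], seq 1000, win 29200, length 0
10:01:06.000001 IP 10.1.1.1.45679 > 192.168.0.10.22: Flags [S], seq 2000, win 29200, length 0
10:01:06.000050 IP 192.168.0.10.22 > 10.1.1.1.45679: Flags [S.], seq 3000, ack 2001, win 28960, length 0
10:01:06.000100 IP 10.1.1.1.45679 > 192.168.0.10.22: Flags [.], ack 1, win 229, length 0
"""

# Ports assumed here to be the ones SIC establishment needs to reach on the
# management server. Treat as an assumption and adjust for your setup.
SIC_PORTS = {18211, 18191}

# Matches the default tcpdump text format: "<ts> IP a.b.c.d.port > e.f.g.h.port: Flags [..]"
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def analyze(capture: str) -> dict:
    """Return {(client, cport, server, sport): {"syn": n, "synack": n}}.

    A bare SYN ("S") is counted against the flow keyed client->server; a
    SYN-ACK ("S.") travels the other way, so its key is reversed before
    counting. Non-handshake segments are ignored.
    """
    flows = defaultdict(lambda: {"syn": 0, "synack": 0})
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport = m["src"], int(m["sport"])
        dst, dport = m["dst"], int(m["dport"])
        flags = m["flags"]
        if flags == "S":
            flows[(src, sport, dst, dport)]["syn"] += 1
        elif flags == "S.":
            flows[(dst, dport, src, sport)]["synack"] += 1
    return dict(flows)


def half_open(capture: str) -> list:
    """Flows that sent at least one SYN and never got a SYN-ACK back."""
    return [k for k, v in analyze(capture).items()
            if v["syn"] > 0 and v["synack"] == 0]


def report(capture: str) -> str:
    """Human-readable summary of half-open flows, tagging assumed SIC ports."""
    flows = analyze(capture)
    lines = []
    for client, cport, server, sport in half_open(capture):
        tag = "SIC port" if sport in SIC_PORTS else "other"
        n = flows[(client, cport, server, sport)]["syn"]
        lines.append(f"{client}:{cport} -> {server}:{sport} ({tag}): "
                     f"{n} SYN(s), no SYN-ACK seen")
    return "\n".join(lines) if lines else "no half-open flows"


if __name__ == "__main__":
    print(report(SAMPLE_TCPDUMP))
```

To use it on a real capture, save the output of `tcpdump -nn` taken on the management server (or on the NAT gateway's internal interface) and pass the text to `report()`. A flow that shows up as half-open on the gateway side but never appears at all on the management side points at the NAT gateway dropping or consuming it rather than at the management server refusing it.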
Do you have any other device in between NAT gateway and management server ?
No, just the Check Point cluster gateways.
Did you use sk100583: Troubleshooting "SmartCenter behind NAT" issues? Also, there is the more specialized sk66381: How to configure Management behind NAT in Security Gateway 80 / 1100 / 1400 Appliance setup.
Yes, I saw both. I tried creating a dummy host with the NAT IP and then creating a manual static NAT and also configuring the NAT properties on the real management object for the dynamic NAT.
What I don't understand is why, in the auto-created NAT rule, the source and translated IP addresses are the same, the internal IP. Shouldn't the translated IP be the one specified in "hide behind IP address"?
Any ideas?
What you see in the Automatic NAT rule is the object of the NATted host in both the Original and Translated columns. That looks a bit confusing, and is one of the reasons why we mostly add the NAT IP in the comment, so that when you hover over the object it will show you both IPs.
When I hover over I see the same IP which is the internal one, not the NATted.
Really frustrating, this. I can't make it work.