This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Antonio_M
Participant
‎2019-02-04 01:54 PM

Performing SIC with Mgmt behind NAT

Hello,

I'm unable to perform the initial SIC between a gateway and a management behind a NAT. I went through all the posts regarding this matter without success. 

I've created a dummy object with the NATed IP and created the corresponding NAT rule between the private and NATed IP. The gateway performing the NAT is another Check Point device as well. I've tried with manual static NAT and using the "Add Automatic Address Translation rules" option under the management NAT section without success

The traffic is allowed in the gateway and I see the logs for the returning traffic as allowed and translated as well correctly, but running a tcpdump in the management the traffic does not reach the management, I only see SYN packets and retransmissions. For some reason the traffic is being consumed by the gateway?

Management runs R80.10 and gateway R77.30.

Any ideas?

Thanks in advance.

0 Kudos
Reply
6 Replies
HristoGrigorov
Mentor
Mentor
‎2019-02-04 10:16 PM

Do you have any other device in between NAT gateway and management server ?

0 Kudos
Reply
Antonio_M
Participant
‎2019-02-05 12:10 PM
In response to HristoGrigorov

No, just the Check Point cluster gateways.

0 Kudos
Reply
G_W_Albrecht
Champion
Champion
‎2019-02-05 04:09 AM

Did you use sk100583: Troubleshooting "SmartCenter behind NAT" issues ? Also, there is the more specialized sk66381: How to configure Management behind NAT in Security Gateway 80 / 1100 / 1400 Appliance setup.

0 Kudos
Reply
Antonio_M
Participant
‎2019-02-05 12:14 PM
In response to G_W_Albrecht

Yes, I saw both. I tried creating a dummy host with the NAT IP and then creating a manual static NAT and also configuring the NAT properties on the real management object for the dynamic NAT.

What I don't understand is why in the auto-created NAT rule, the source and traslated IP address are the same, the internal IP. Shouldn't be the translated IP the specified in the "hide behind IP address"? 

Any ideas?

0 Kudos
Reply
Maarten_Sjouw
Champion
Champion
‎2019-02-05 01:41 PM
In response to Antonio_M

What you see in the Automatic NAT rule is the Object of the NATted host, in both Original an Translated column that looks a bit confusing and is one of the reasons why we mostly add the NAT ip in the comment, so that when you hover over the object it will show you both IP's.

Regards, Maarten
0 Kudos
Reply
Antonio_M
Participant
‎2019-02-06 11:18 AM
In response to Maarten_Sjouw

When I hover over I see the same IP which is the internal one, not the NATted. 

Really frustating this, can't make it work.

Reply