Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Antonio_M
Participant

Performing SIC with Mgmt behind NAT

Hello,

I'm unable to perform the initial SIC between a gateway and a management behind a NAT. I went through all the posts regarding this matter without success. 

I've created a dummy object with the NATed IP and created the corresponding NAT rule between the private and NATed IP. The gateway performing the NAT is another Check Point device as well. I've tried with manual static NAT and using the "Add Automatic Address Translation rules" option under the management NAT section without success

The traffic is allowed in the gateway and I see the logs for the returning traffic as allowed and translated as well correctly, but running a tcpdump in the management the traffic does not reach the management, I only see SYN packets and retransmissions. For some reason the traffic is being consumed by the gateway?

Management runs R80.10 and gateway R77.30.

Any ideas?

Thanks in advance.

0 Kudos
6 Replies
HristoGrigorov

Do you have any other device in between NAT gateway and management server ?

0 Kudos
Antonio_M
Participant

No, just the Check Point cluster gateways.

0 Kudos
G_W_Albrecht
Legend Legend
Legend

Did you use sk100583: Troubleshooting "SmartCenter behind NAT" issues ? Also, there is the more specialized sk66381: How to configure Management behind NAT in Security Gateway 80 / 1100 / 1400 Appliance setup.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Antonio_M
Participant

Yes, I saw both. I tried creating a dummy host with the NAT IP and then creating a manual static NAT and also configuring the NAT properties on the real management object for the dynamic NAT.

What I don't understand is why in the auto-created NAT rule, the source and traslated IP address are the same, the internal IP. Shouldn't be the translated IP the specified in the "hide behind IP address"? 

Any ideas?

0 Kudos
Maarten_Sjouw
Champion
Champion

What you see in the Automatic NAT rule is the Object of the NATted host, in both Original an Translated column that looks a bit confusing and is one of the reasons why we mostly add the NAT ip in the comment, so that when you hover over the object it will show you both IP's.

Regards, Maarten
0 Kudos
Antonio_M
Participant

When I hover over I see the same IP which is the internal one, not the NATted. 

Really frustating this, can't make it work.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events