CheckMates > Products > Quantum > Security Gateways
Performing SIC with Mgmt behind NAT
Hello,
I'm unable to perform the initial SIC between a gateway and a management behind a NAT. I went through all the posts regarding this matter without success.
I've created a dummy object with the NATed IP and created the corresponding NAT rule between the private and NATed IP. The gateway performing the NAT is another Check Point device as well. I've tried with manual static NAT and with the "Add Automatic Address Translation rules" option under the management object's NAT section, without success.
The traffic is allowed on the gateway, and I see the logs for the returning traffic as allowed and translated correctly as well, but running a tcpdump on the management, the traffic does not reach the management; I only see SYN packets and retransmissions. For some reason the traffic is being consumed by the gateway?
Management runs R80.10 and gateway R77.30.
Any ideas?
Thanks in advance.
- Tags:
- gaia
- nat
- r80.10 mgmt
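One way to read a capture like the one described above systematically, as an added example that is not part of the original post and not a Check Point tool: the script below parses `tcpdump -nn` text output taken on the management server, groups packets into TCP flows, and for each flow reports whether a SYN-ACK ever answered the SYN and whether the SYNs arrived addressed to the private or to the NATed management address. The port numbers and service names it labels (18210 FW1_ica_pull, 18211 FW1_ica_push, 18191 CPD, 257 FW1_log) are Check Point's default implied-rule services and are not listed in the thread; the addresses, port choices and capture lines are constructed for the example.

```python
"""Classify TCP handshakes in `tcpdump -nn` text output to tell one-way SIC traffic apart.

Added example for this thread, not code from the original post or from Check Point.
It reads lines such as those produced on the management server by
    tcpdump -nni eth0 'tcp port 18210 or tcp port 18211 or tcp port 18191'
and, per (client -> server:port) flow, reports whether a SYN-ACK answered the SYN and
whether the SYN carried the private or the NATed management address.
All addresses and the sample capture below are constructed.
"""
import re
from collections import defaultdict

# Check Point control-connection ports as in the default implied rules
# (assumed here for labelling only; the thread does not list them).
PORT_NAMES = {
    18210: "FW1_ica_pull (gateway pulls its certificate from the ICA)",
    18211: "FW1_ica_push (management pushes the certificate / SIC init)",
    18191: "CPD (control connections, policy fetch)",
    257: "FW1_log (log forwarding)",
}

# Matches the default `tcpdump -nn` TCP line: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [..]"
TCPDUMP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed capture: gateway 192.0.2.20, management private IP 10.1.1.5, NATed IP 203.0.113.10.
SAMPLE_CAPTURE = """\
10:15:01.000100 IP 192.0.2.20.41000 > 203.0.113.10.18210: Flags [S], seq 100, win 64240, length 0
10:15:02.000100 IP 192.0.2.20.41000 > 203.0.113.10.18210: Flags [S], seq 100, win 64240, length 0
10:15:04.000100 IP 192.0.2.20.41000 > 203.0.113.10.18210: Flags [S], seq 100, win 64240, length 0
10:15:10.000100 IP 192.0.2.20.41002 > 10.1.1.5.18191: Flags [S], seq 200, win 64240, length 0
10:15:10.000300 IP 10.1.1.5.18191 > 192.0.2.20.41002: Flags [S.], seq 500, ack 201, win 65535, length 0
10:15:10.000400 IP 192.0.2.20.41002 > 10.1.1.5.18191: Flags [.], ack 501, win 64240, length 0
10:15:20.000100 IP 192.0.2.20.41004 > 10.1.1.5.18210: Flags [S], seq 300, win 64240, length 0
10:15:21.000100 IP 192.0.2.20.41004 > 10.1.1.5.18210: Flags [S], seq 300, win 64240, length 0
"""


def parse_capture(text):
    """Yield (src, sport, dst, dport, flags) for every line that parses as a tcpdump TCP line."""
    for line in text.splitlines():
        m = TCPDUMP_LINE.match(line.strip())
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def classify_flows(text, mgmt_private, mgmt_nat):
    """Group packets into flows keyed by (client, client_port, server, server_port).

    Returns a dict flow -> {"syn": <count>, "synack": <bool>, "verdict": <str>}.
    The verdict is the general reading of a capture taken on the management host itself.
    """
    flows = defaultdict(lambda: {"syn": 0, "synack": False})
    for src, sport, dst, dport, flags in parse_capture(text):
        if "S" in flags and "." not in flags:       # plain SYN (possibly with ECN bits): client -> server
            flows[(src, sport, dst, dport)]["syn"] += 1
        elif "S" in flags and "." in flags:         # SYN-ACK: server -> client, so key it on the client side
            flows[(dst, dport, src, sport)]["synack"] = True
    for (client, cport, server, sport), f in flows.items():
        if server == mgmt_nat:
            f["verdict"] = ("SYN still addressed to the NAT IP: the destination was not "
                            "translated before the packet reached the management")
        elif server == mgmt_private and not f["synack"]:
            f["verdict"] = ("SYN reached the private IP but no SYN-ACK left: the management "
                            "is not answering on this port")
        elif f["synack"]:
            f["verdict"] = "handshake answered"
        else:
            f["verdict"] = "SYN without SYN-ACK"
    return dict(flows)


def report(text, mgmt_private, mgmt_nat):
    """Return one human-readable line per flow, in a stable order."""
    lines = []
    for (client, cport, server, sport), f in sorted(classify_flows(text, mgmt_private, mgmt_nat).items()):
        name = PORT_NAMES.get(sport, "unknown service")
        lines.append(f"{client}:{cport} -> {server}:{sport} [{name}] "
                     f"SYN x{f['syn']}, SYN-ACK {'yes' if f['synack'] else 'no'}: {f['verdict']}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CAPTURE, "10.1.1.5", "203.0.113.10"):
        print(line)
```

Feed it a real capture with `tcpdump -nn ... > sic.txt` and `report(open("sic.txt").read(), <private IP>, <NATed IP>)`. A flow whose SYNs still carry the NATed address at the management means the NAT gateway did not rewrite the destination; SYNs to the private address with no SYN-ACK mean the management host itself is not replying on that port, which is a different problem from the NAT rule.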
Do you have any other device in between NAT gateway and management server ?
No, just the Check Point cluster gateways.
Did you use sk100583: Troubleshooting "SmartCenter behind NAT" issues ? Also, there is the more specialized sk66381: How to configure Management behind NAT in Security Gateway 80 / 1100 / 1400 Appliance setup.
Yes, I saw both. I tried creating a dummy host with the NAT IP and then creating a manual static NAT and also configuring the NAT properties on the real management object for the dynamic NAT.
What I don't understand is why, in the auto-created NAT rule, the source and translated IP addresses are the same, the internal IP. Shouldn't the translated IP be the one specified in "Hide behind IP address"?
Any ideas?
What you see in the Automatic NAT rule is the object of the NATted host in both the Original and the Translated column. That looks a bit confusing and is one of the reasons why we mostly add the NAT IP in the comment, so that when you hover over the object it shows you both IPs.
When I hover over it I see the same IP, which is the internal one, not the NATted one.
This is really frustrating; I can't make it work.