So I'm having quite some issues regarding opening ports/creating NAT rules for when I need to remotely access inside resources on their default port, but using a different remote port.
Example down below:
Trying to access a Terminal Server, where the usual port 3389 is not available, so it's due to hit on port 8889 and then be translated to the inside server at port 3389.
When I check the firewall rule, traffic is allowed and I can also see hits, but nothing ever responds when trying to access it from "outside".
I think I've managed to find the issue.
As soon as I renamed the object with fewer characters, it started working.
After renaming the object from 17 characters to a few and pushing policy, the NAT rule started working correctly.
Thank you for the help everyone 🙂
Seems like the rule is being hit. If you do fw monitor, do you even see traffic working? Have you tried disabling SecureXL?
Since I am still in the learning phase of Check Point I do not know what SecureXL is, and I see it's being hit. If I do a Wireshark capture on the terminal server then nothing arrives at it unless it's local traffic, so for some reason my GW isn't forwarding the traffic.
BTW, what is fw monitor?
This would be a good place to check if you are not familiar, but in essence, it's supposed to accelerate the traffic.
In some cases, it could cause traffic issues, so one way to confirm would be to run fwaccel off on the gateways and then test again; no need to push the policy. To turn it back on, just run fwaccel on.
Turning off SecureXL didn't make a difference 😞
Ok, try this... fw ctl zdebug + drop | grep 3389
Message me privately, let's do remote later on.
THANK YOU!!!
I'll fire off the command NOW
And I've also sent you a private message
Did you allow both IPs (original and translated destination) in your rule?
Are you aware of the returning packets? They should be NATed to be seen externally with the external IP.
And at last, does your terminal server have a route through the gateway to access the external world?
Hi Wolfgang.
About the return packet, would you care to show me an example using the attached picture I had in the original topic?
I should have NAT return though, but I could have made a mistake.
My terminal server can access the internet perfectly, and it's hidden behind NAT.
The shown picture is only a rule for NAT. You have to configure a rule in the network layer to allow the traffic from external to your destination hosts.
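The checklist in Wolfgang's replies above (an access rule that accepts both the original and the translated destination, reverse translation of the reply so the client sees the external IP and port, and a return route through the gateway) can be walked through in a small model. The following is an added example, not code from this thread or from Check Point: the addresses 203.0.113.10, 192.168.10.20 and 198.51.100.7 are constructed, and the matching logic is a simplification for illustration, not the gateway's real rule-matching order. It also does not model the object-name issue the original poster eventually found.

```python
# Added example: toy model of a port-forward (external 8889 -> internal 3389).
# Not Check Point code; addresses and matching order are constructed/simplified.
from dataclasses import dataclass, replace
from typing import Optional

GW_EXT = "203.0.113.10"    # constructed external address of the gateway
TS_INT = "192.168.10.20"   # constructed internal address of the terminal server
CLIENT = "198.51.100.7"    # constructed remote client

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class NatRule:
    orig_dst: str
    orig_port: int
    xlate_dst: str
    xlate_port: int

@dataclass(frozen=True)
class AccessRule:
    dst: str               # "any" or an IP address
    port: Optional[int]    # None matches any port
    action: str            # "accept" or "drop"

class Gateway:
    def __init__(self, nat_rules, access_rules):
        self.nat_rules = list(nat_rules)
        self.access_rules = list(access_rules)
        # (client ip, client port, server ip, server port) -> (original dst ip, original dst port)
        self.conn_table = {}

    def access_decision(self, pkt):
        for r in self.access_rules:
            if r.dst in ("any", pkt.dst_ip) and r.port in (None, pkt.dst_port):
                return r.action
        return "drop"      # implicit cleanup rule

    def inbound(self, pkt):
        """Apply destination NAT, then check the rulebase for both destinations.
        Returns (decision, packet as sent to the server, notes)."""
        notes = []
        translated = pkt
        for nr in self.nat_rules:
            if (pkt.dst_ip, pkt.dst_port) == (nr.orig_dst, nr.orig_port):
                translated = replace(pkt, dst_ip=nr.xlate_dst, dst_port=nr.xlate_port)
                break
        else:
            notes.append("no NAT rule matched")
        denied = [label for label, p in (("original", pkt), ("translated", translated))
                  if self.access_decision(p) != "accept"]
        if denied:
            return "drop", None, notes + [f"{d} destination not accepted by rulebase" for d in denied]
        self.conn_table[(pkt.src_ip, pkt.src_port, translated.dst_ip, translated.dst_port)] = (pkt.dst_ip, pkt.dst_port)
        return "accept", translated, notes

    def reply(self, pkt):
        """Reverse-translate the server's reply using the connection table."""
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key not in self.conn_table:
            return None
        orig_ip, orig_port = self.conn_table[key]
        return replace(pkt, src_ip=orig_ip, src_port=orig_port)

def client_accepts(sent, received):
    """A client only matches a reply whose source is the destination it sent to."""
    return (received.src_ip, received.src_port) == (sent.dst_ip, sent.dst_port)

def simulate(access_rules, reply_via_gateway=True):
    """Run one SYN / SYN-ACK exchange through the model and report the outcome."""
    gw = Gateway([NatRule(GW_EXT, 8889, TS_INT, 3389)], access_rules)
    syn = Packet(CLIENT, 51000, GW_EXT, 8889)
    decision, to_server, notes = gw.inbound(syn)
    if decision != "accept":
        return {"decision": decision, "client_ok": False, "notes": notes}
    synack = Packet(to_server.dst_ip, to_server.dst_port, to_server.src_ip, to_server.src_port)
    if reply_via_gateway:
        delivered = gw.reply(synack)
    else:
        # Server's default route bypasses the gateway: reply reaches the client untranslated
        delivered = synack
        notes.append("reply bypassed the gateway, source not reverse-translated")
    ok = delivered is not None and client_accepts(syn, delivered)
    return {"decision": decision, "client_ok": ok, "notes": notes}

if __name__ == "__main__":
    both = [AccessRule(GW_EXT, 8889, "accept"), AccessRule(TS_INT, 3389, "accept")]
    print(simulate(both))                              # accept, client_ok True
    print(simulate([AccessRule(TS_INT, 3389, "accept")]))  # drop: original destination missing
    print(simulate(both, reply_via_gateway=False))     # accept, but client never sees a usable reply
```

The three runs at the bottom correspond to the three checklist items: with both destinations accepted and the reply routed back through the gateway the client gets a SYN-ACK from 203.0.113.10:8889; with only the translated destination in the rulebase the model drops the first packet (which matches the "rule hit but nothing responds" symptom only if the hit is on a different rule); and when the server's reply does not pass through the gateway the client receives a packet from 192.168.10.20:3389 that it has no connection for, so the handshake never completes even though the gateway showed the inbound packet as accepted.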
I've attached photos here..
The firewall accepts the traffic, but it just doesn't go any further.
If I do a Wireshark capture on the terminal server, no traffic arrives.
But if I try to connect from an internal server to the terminal server, traffic arrives and can be seen in the Wireshark capture.