skandshus
Advisor

Port redirection not working?

So I'm having quite some issues regarding opening ports/creating NAT rules for when I need to remotely access inside resources on their default port, but using a different remote port.

Example down below:

Trying to access a Terminal Server, where the usual port 3389 is not available, so it's due to hit on port 8889 and then be translated to the inside server at port 3389.

When I check the firewall rule, traffic is allowed and I can also see hits, but nothing ever responds when trying to access it from "outside".

Accepted Solution
skandshus
Advisor

I think I've managed to find the issue.
As soon as I renamed the object with fewer characters it started working.

After renaming the object from 17 characters to a few and pushing policy, the NAT rule started working correctly.
Thank you for the help everyone 🙂


12 Replies
the_rock
Legend

Seems like the rule is being hit. If you do fw monitor, do you even see traffic working? Have you tried disabling SecureXL?

skandshus
Advisor

Since I am still in the learning phase of Check Point I do not know what SecureXL is, and I see it's being hit. If I do a Wireshark capture on the terminal server then nothing arrives at it unless it's local traffic, so for some reason my GW isn't forwarding the traffic.


BTW, what is fw monitor?

the_rock
Legend

This would be a good place to check on it if you are not familiar, but in essence, it's supposed to accelerate the traffic:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

In some cases it could cause traffic issues, so one way to confirm would be to run fwaccel off on the gateways and then test again; no need to push the policy. To turn it back on, just run fwaccel on.

skandshus
Advisor

Turning off SecureXL didn't make a difference 😞

the_rock
Legend

Ok, try this: fw ctl zdebug + drop | grep 3389


Message me privately, let's do a remote session later on.

skandshus
Advisor

THANK YOU!!!
I'll fire off the command NOW.

skandshus
Advisor

And I've also sent you a private message.

Wolfgang
Authority

Did you allow both IPs (original and translated destination) in your rule?

Are you aware of the returning packets? They should be NATed so that they are seen externally with the external IP.
And lastly, does your terminal server have a route through the gateway to access the external world?

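The three checks in the reply above (the access rule must cover the translated destination, the reply must be un-translated back to the external IP and port, and the server must route its replies through the gateway) can be seen in a small stateful model of the inbound port-translation flow. This is an added example, not Check Point code and not anything from the original post: the addresses 203.0.113.5 (gateway external), 10.0.0.1 (gateway internal), 10.0.0.10 (terminal server) and 198.51.100.7 (remote client) are constructed, and the model assumes the access rule is matched on the post-NAT destination, which is exactly why allowing both the original and translated destination, as suggested above, is the safe way to write the rule.

```python
"""Toy model of the thread's inbound NAT flow: a client hits the gateway's
external address on TCP/8889, the gateway rewrites the destination to the
terminal server's real address on TCP/3389, and the server's reply must come
back through the same gateway so the reverse translation can restore the
external address and port the client is waiting on.
Added example, not Check Point code; addresses are constructed."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]          # (address, port)
Key = Tuple[str, int, str, int]     # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Gateway:
    """Stateful gateway doing inbound destination NAT with port translation."""

    def __init__(self, external_ip: str, internal_ip: str,
                 nat_rules: Dict[Endpoint, Endpoint], allowed_dst: Set[Endpoint]):
        self.external_ip = external_ip
        self.internal_ip = internal_ip      # next hop LAN hosts should route through
        self.nat_rules = nat_rules          # (ext_ip, ext_port) -> (real_ip, real_port)
        self.allowed_dst = allowed_dst      # access rule: permitted (dst, dport)
        self.table: Dict[Key, Endpoint] = {}  # reply tuple -> original (dst, dport)
        self.log: List[str] = []

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving on the external interface; returns what is forwarded
        to the LAN, or None when the gateway drops it."""
        target = self.nat_rules.get((pkt.dst, pkt.dport))
        if target is None:
            self.log.append(f"no NAT rule for {pkt.dst}:{pkt.dport}")
            return None
        translated = replace(pkt, dst=target[0], dport=target[1])
        # Assumption of this model: the access rule is matched on the post-NAT
        # (real server) destination. Listing both the original and the translated
        # destination keeps the rule correct whichever tuple a real gateway uses.
        if (translated.dst, translated.dport) not in self.allowed_dst:
            self.log.append(f"access rule drops {translated.dst}:{translated.dport}")
            return None
        # The server answers from (real_ip, real_port) to (client, sport);
        # remember that this reply must leave as (ext_ip, ext_port).
        self.table[(translated.dst, translated.dport, pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
        self.log.append(f"accept {pkt.dst}:{pkt.dport} -> {translated.dst}:{translated.dport}")
        return translated

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet from the LAN heading out; un-translates a tracked reply and
        drops anything the NAT table does not know about."""
        orig = self.table.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            self.log.append(f"out-of-state reply from {pkt.src}:{pkt.sport}")
            return None
        return replace(pkt, src=orig[0], sport=orig[1])


@dataclass
class Server:
    ip: str
    listen_port: int
    default_gateway: str    # next hop the server uses for non-local destinations

    def handle(self, pkt: Packet) -> Optional[Packet]:
        if (pkt.dst, pkt.dport) != (self.ip, self.listen_port):
            return None
        return Packet(src=self.ip, sport=self.listen_port, dst=pkt.src, dport=pkt.sport)


def rdp_session(gw: Gateway, server: Server, client_ip: str,
                sport: int = 51000) -> Optional[Packet]:
    """One request/reply exchange; returns the packet the client gets back."""
    to_lan = gw.inbound(Packet(src=client_ip, sport=sport, dst=gw.external_ip, dport=8889))
    if to_lan is None:
        return None
    reply = server.handle(to_lan)
    if reply is None:
        return None
    # The reply only reaches the NAT table if the server routes it via the gateway.
    if server.default_gateway != gw.internal_ip:
        gw.log.append("reply routed around the gateway; the client never sees it")
        return None
    return gw.outbound(reply)


def scenario(rule_has_real_ip: bool, server_routes_via_gw: bool) -> Optional[Packet]:
    """Constructed lab: 203.0.113.5 is the gateway's external address,
    10.0.0.10 the terminal server, 198.51.100.7 the remote client."""
    allowed = {("10.0.0.10", 3389)} if rule_has_real_ip else {("203.0.113.5", 8889)}
    gw = Gateway("203.0.113.5", "10.0.0.1",
                 {("203.0.113.5", 8889): ("10.0.0.10", 3389)}, allowed)
    srv = Server("10.0.0.10", 3389, "10.0.0.1" if server_routes_via_gw else "10.0.0.254")
    return rdp_session(gw, srv, "198.51.100.7")


if __name__ == "__main__":
    for args in ((True, True), (False, True), (True, False)):
        print(args, "->", scenario(*args))
```

Only the first scenario hands the client a reply that comes from 203.0.113.5:8889, the socket pair it opened. When the rule lists only the pre-NAT destination the model never forwards the packet, and when the server's default gateway is another router the reply never passes the NAT table, so nothing is un-translated and the client sees a timeout. Both failure modes look identical from the outside, which is why a capture on the server and a check of its routing table are worth doing before touching the NAT rule again.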
skandshus
Advisor

Hi Wolfgang.
About the return packet, would you care to show me an example using the attached picture I had in the original topic?
I should have NAT return though, but I could have made a mistake.
My terminal server can access the internet perfectly, and it's hidden behind NAT.

Wolfgang
Authority

The picture shown is only a NAT rule. You have to configure a rule in the network layer to allow the traffic from external to your destination hosts.

skandshus
Advisor

I've attached photos here.
The firewall accepts the traffic, but it just doesn't go any further.

If I do a Wireshark capture on the terminal server, no traffic arrives,
but if I try to connect from an internal server to the terminal server, traffic arrives and can be seen in the Wireshark capture.
