This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
yeruel
Contributor
‎2025-01-14 05:55 AM
Jump to solution

Web servers with port is not accessible from internet

Hi checkmate,

We have created rules for both NAT and Policy to be accessible from Internet for our website with ports. 

from outside http://bira.gov.et:8040

It is http not https! 

I created rule NAT

1.  Source: any, Destination: public IP (197.156.96.168), original service :8040, destination translation: 172.20.50.107.

Policy rule

2. Source: any, destination: 197.156.96.168, service :8040

 

3. Server didn't have internet access. 

 

How can I solve to accessible the web from Internet users.

0 Kudos
1 Solution

Accepted Solutions
yeruel
Contributor
‎2025-01-14 08:37 PM
In response to the_rock
Jump to solution

Hi Andy,

ARP already done before the issue raised. 

By the way, it works everything after you gave us suggestion for this issue, as you said the traffic from the servers was not coming back. We checked the routing, and finally the internal Cisco firewall was the reason. So we create rule from internal Cisco firewall firewall to pass traffic from servers to checkpoint firewall. Now all websites are working. 

I would like to thank you for your kind assist via zoom link. 

The last remaining is the VPN client routing issue as you knew. 

1. After VPN client connected, their local printing to their home is not working. 

2. After VPN client connected, their own local internet is disconnected. 

I hope I will try to fix it by today and handover it. 

View solution in original post

11 Replies
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-01-14 07:41 AM
Jump to solution

Attempting access currently yields a HTTP 502 error rather than a typical unreachable / unresponsive (implying the issue could be elsewhere)?

Regardless double check:

- Hide vs Static NAT

- Translated Service

- Proxy ARP

- Routing

CCSM R77/R80/ELITE
yeruel
Contributor
‎2025-01-14 07:43 AM
In response to Chris_Atkinson
Jump to solution

It is not reachable! Please can youb assist via zoom link. 

0 Kudos
Lesley
MVP Gold
MVP Gold
‎2025-01-14 08:15 AM
In response to yeruel
Jump to solution

Do you see the traffic in the firewall logs? 

Search for dst:197.156.96.168

If yes, open log entry and see if NAT is working.

If no, tcpdump -nni any host 197.156.96.168 on CLI (active firewall) check if you see arp request there.

who has 197.156.96.168 tell X

If FW does not reply, proxy arp is not in place.

Also cannot resolve domein. 

nslookup bira.gov.et
Server: router.domain_not_set.invalid
*** router.domain_not_set.invalid can't find bira.gov.et: Non-existent domain

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
AlekzNet
Contributor
‎2025-01-14 01:46 PM
In response to Lesley
Jump to solution

Indeed, it's not in DNS...

$ dig @1.1.1.1 bira.gov.et

; <<>> DiG 9.20.0-2ubuntu3-Ubuntu <<>> @1.1.1.1 bira.gov.et
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24783
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;bira.gov.et. IN A

;; AUTHORITY SECTION:
gov.et. 3600 IN SOA a.nic.et. postmaster.ethionet.et. 2018158642 600 1800 1209600 3600

;; Query time: 299 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Tue Jan 14 22:41:50 CET 2025
;; MSG SIZE rcvd: 102

https://dns.squish.net/

Summary
100% resulted in an error

Results
50.0% No such domain (NXDOMAIN) at a.nic.et (197.156.74.192)
50.0% No such domain (NXDOMAIN) at b.nic.et (197.156.74.193)

(1)
the_rock
MVP Platinum
MVP Platinum
‎2025-01-14 01:55 PM
In response to AlekzNet
Jump to solution

Never knew of that command before...learn something new every day 🙂

Thanks @AlekzNet 

👌👍

Best,
Andy
0 Kudos
AlekzNet
Contributor
‎2025-01-14 02:33 PM
In response to the_rock
Jump to solution

Yeah, dig is quite a powerful command, though, usually I still prefer nslookup, even with all those  "set q=a", "set q=ns", "set server ...", etc commands 😄  For all other cases - https://dns.squish.net/

(1)
the_rock
MVP Platinum
MVP Platinum
‎2025-01-14 02:36 PM
In response to AlekzNet
Jump to solution

Very good, thank you!!

Andy

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-01-14 10:58 AM
In response to yeruel
Jump to solution

Just to update quick, we also checked this issue via remote and even after changing the port to any, fw up_execute shows access is allowed, but still fails. NAT rule appears 100% correct and it does show almost 300 hits. Advised to run fw monitor -F to see what is happening with the packet.

Andy

Best,
Andy
0 Kudos
(1)
the_rock
MVP Platinum
MVP Platinum
‎2025-01-14 11:04 AM
In response to Chris_Atkinson
Jump to solution

@yeruel 

I would double check below sk since @Chris_Atkinson mentioned proxy arp.

Andy

https://support.checkpoint.com/results/sk/sk30197

Best,
Andy
(1)
yeruel
Contributor
‎2025-01-14 08:37 PM
In response to the_rock
Jump to solution

Hi Andy,

ARP already done before the issue raised. 

By the way, it works everything after you gave us suggestion for this issue, as you said the traffic from the servers was not coming back. We checked the routing, and finally the internal Cisco firewall was the reason. So we create rule from internal Cisco firewall firewall to pass traffic from servers to checkpoint firewall. Now all websites are working. 

I would like to thank you for your kind assist via zoom link. 

The last remaining is the VPN client routing issue as you knew. 

1. After VPN client connected, their local printing to their home is not working. 

2. After VPN client connected, their own local internet is disconnected. 

I hope I will try to fix it by today and handover it. 

the_rock
MVP Platinum
MVP Platinum
‎2025-01-14 08:50 PM
In response to yeruel
Jump to solution

Great job!! Lets do another remote early morning my time Wednesday for remote access issue, will message you then.

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events