This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Blason_R
Leader
Leader
‎2022-07-03 06:43 AM
Jump to solution

Can someone please clear my doubts about CP Network?

Hi Team,

We are planning to use a topology given below.

I am planning to use Check Point default gateway as 1.2.3.5 which is LB. Server 10.10.10.30 is statically manually natted with 1.2.3.7

Proxy ARP added on firewall.

From Check Point perspective I wanted to understand the routing part in the below scenario

  • Lets support Traffic is initiated from Internet for host 1.2.3.7 for Port 443
  • It would reach router R1
  • It would Broadcast for ARP. Check Point would send gratuitous ARP
  • Traffic will then be forwarded to 1.2.3.6
  • Traffic will be natted and send out to 10.10.10.30
  • Now while returning from 10.10.10.30

Once it reached to Check Point

  • Does firewall refer to the routing table for destination ANY (Since the packet was originated from Source ANY) and will it be routed to 1.2.3.5; causing asynchronous routing

OR

  • Since the firewall already has connection table entry and it knows it arrived from eth0 from 1.2.3.4; will it be routed back to 1.2.3.4?

My strong feeling is it would definitely be sent it back to 1.2.3.4 since routing is not stateful and I would need to add PBR on CP for source IP

Please advise?

scenario1.jpg

 

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
1 Solution

Accepted Solutions
Blason_R
Leader
Leader
‎2022-07-29 08:29 PM
In response to Paul_Kazzi
Jump to solution

I was right as it would definitely refers the route.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS

View solution in original post

0 Kudos
8 Replies
Chris_Atkinson
Employee Employee
Employee
‎2022-07-03 09:27 PM
Jump to solution

Please clarify the diagram further by specifying subnet masks and is the LB itself performing any NAT?

Generally the most specific route will be followed.

CCSM R77/R80/ELITE
0 Kudos
Blason_R
Leader
Leader
‎2022-07-03 10:50 PM
In response to Chris_Atkinson
Jump to solution

You can consider those all are in same network. Lets say /27

Nope Static nat will be configured on Check Point. So that Incoming traffic for Application server will be natted on Check Point firewall and will be forwarded to the server. While Outbound traffic from hosts which is a hide nat will be configured on LB. So the default gateway for Check Point is LB.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-07-03 10:58 PM
In response to Blason_R
Jump to solution

Remember connected/specific routes are preferred over the default, so the source you mention probably will have a different behavior in this case if it's part of a /27.

CCSM R77/R80/ELITE
0 Kudos
Blason_R
Leader
Leader
‎2022-07-03 11:02 PM
In response to Chris_Atkinson
Jump to solution

Yes that I agree and in this scenario - There are no specific routes. I agree least routes will match first and before that even PBRs are matched. However in this scenario; no specific routes are added and only a default gateway is pointed to LB. I am wondering if reverse traffic for statically natted IPs which is a part of established session will it be routed to LB or Router since it know that traffic is received from R1 through eth0

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Paul_Kazzi
Participant
‎2022-07-04 06:57 PM
In response to Blason_R
Jump to solution

Are you NATing the source IP too? Does  internet host's source IP change when traversing environment via R1?

If not, then I am pretty sure you will have an asymmetric routing issue if your default gateway points to LB, whereby the return traffic from 10.10.10.30 will flick to LB from CP.

0 Kudos
Blason_R
Leader
Leader
‎2022-07-04 07:46 PM
In response to Paul_Kazzi
Jump to solution

Nope I am not natting Source IP. Source IP is gone be = Original. And I am pretty sure it would cause asymmetric routing issue however wanted to confirm once. Thanks though.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Paul_Kazzi
Participant
‎2022-07-04 08:41 PM
In response to Blason_R
Jump to solution

You could test  on R1 NATing source IP to an R1 source to force reply back to R1. Obviously subject to testing  as unsure of environment specifics 🙂

0 Kudos
Blason_R
Leader
Leader
‎2022-07-29 08:29 PM
In response to Paul_Kazzi
Jump to solution

I was right as it would definitely refers the route.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events