CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.

Hello, hope this is the correct forum for this rather than the Nokia one. I have just installed a Nokia cluster and all seems pretty reasonable, except that the NATted address for outbound Internet traffic is the physical address of the particular node and NOT the cluster address, which would seem to be required. I have left the properties of the network being NATted as Hide Behind Gateway and not specified an address. Clearly I could fix it by entering the cluster address; however, I do not wish to do this as I have a DMZ that I want to NAT to as well, and it would then require manual NAT rules. Is there anything I am missing?

No, you are seeing what I would expect. If you use an AutoNAT and then specify Hide NAT and a specific IP address, why would that need Manual NAT then for the DMZ? Why could you still not use AutoNAT and Static for the DMZ?

Hi, I am new to Check Point and I want to know: when we have a cluster and we are using Hide NAT behind the gateway, the packets will be NATted to the external interface IP address. So when the return traffic comes back to the gateway, will the gateway process the packet? Because I guess, as per the documentation, when we configure a cluster the outside router points the route to the internal networks or NATted address to the virtual IP on the external interface. So is it necessary for us to use the virtual IP address as the NAT address? I am not sure about this; can someone please guide me on this?

Regards, sebastan

Thanks for the reply. mcnallym said "why would that need Manual NAT then for the DMZ". I did not explain properly. The 'DMZ' has public addresses and I want to Hide NAT from the internal networks to the DMZ and to the Internet. So it looks like I should:
- On the 'Internal' network objects, choose Add Automatic rules and specify the Cluster IP address to cover the Internet.
- Add manual rules for the NATting to my 'DMZ'.

This is easy enough. It's not really a DMZ, but I thought that was the easiest way to describe it. Thanks again.

Quote:
"then the packets will be natted to the external interface ip address. so when the return traffic comes back to the gateway will the gateway process the packet"

I would think that in most circumstances you would want the outgoing packets Hide NATted to the Cluster address. Otherwise, in the event of a failover or dynamic load re-balance, the sessions will disappear.

Quote:
"so is it necessary for us to use the virtual ip address as the nat address."

So yes - I think so.

IPSO Cluster R65

I am still struggling with this. If I have:
- Hide NAT for the network set to "Hide behind gateway"
- Cluster Object, 3rd party configuration: Hide Cluster member's outgoing traffic behind the Cluster's IP address

I still get the source address of the traffic as one of the physical addresses, depending on the gateway in use.

If I force the use of the Cluster address with Hide NAT for the network set to "Hide behind IP address" and specify the Cluster address, then I get the NAT I want. However, I also get web browsing performance issues that I think are related to log messages with:

Information: TCP packet out of state: Unexpected post SYN packet - RST or SYN expected tcp_flags: ACK

I get a normal "Accept" from one node and the above fail from the other node at the exact same time. I have found:

Solution ID: sk34203 - Out of State drops on Nokia IPSO Clustering (not VRRP)
The IPSO OS has a parameter that can be set to ensure that the Security Gateway performs the Flush and Ack, so that the SYN can be "sync'd" prior to the asymmetric SYN-ACK returning to the Security Gateway. To enable "on the fly":
ipsctl -w net:ip:cluster:force_flush 1

I have also disabled Dynamic work assignment in favour of static. This has made no difference to the "Unexpected post SYN packet" messages or the performance.

Performance is fine and there are no messages if the NAT is left as Hide NAT for the network set to "Hide behind gateway", but as described I cannot see that failover can occur with the observed NAT behaviour.

VRRP here we go, I think. Thanks.
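As an added example (not from this thread or from Check Point), a small Python check over constructed log lines shaped like the symptom described above: it flags flows that one cluster member accepted while the other dropped them as out of state in the same second, which is the pattern to compare before and after changing the Hide NAT setting or force_flush. The log field layout and the member names fw-a/fw-b are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real cluster output); the field layout
# is an assumption chosen to resemble a Check Point log export.
SAMPLE_LOGS = """\
10:15:01 member=fw-a action=Accept src=10.1.1.5 sport=51234 dst=203.0.113.10 dport=80 msg=-
10:15:01 member=fw-b action=Drop src=10.1.1.5 sport=51234 dst=203.0.113.10 dport=80 msg=TCP packet out of state: Unexpected post SYN packet - RST or SYN expected tcp_flags: ACK
10:15:02 member=fw-a action=Accept src=10.1.1.7 sport=40000 dst=203.0.113.20 dport=443 msg=-
10:15:05 member=fw-b action=Drop src=10.1.1.9 sport=40001 dst=203.0.113.30 dport=80 msg=TCP packet out of state: Unexpected post SYN packet - RST or SYN expected tcp_flags: ACK
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) member=(?P<member>\S+) action=(?P<action>\S+) "
    r"src=(?P<src>\S+) sport=(?P<sport>\d+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"msg=(?P<msg>.*)$"
)
OOS_MARK = "TCP packet out of state"


def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_asymmetric_flows(log_text):
    """Return flows that one member accepted while a different member dropped
    them as out-of-state within the same second: the signature of a SYN not
    being synced before the return packet reaches the other node."""
    by_key = defaultdict(list)
    for rec in parse(log_text):
        key = (rec["time"], rec["src"], rec["sport"], rec["dst"], rec["dport"])
        by_key[key].append(rec)
    hits = []
    for key, recs in by_key.items():
        accepted = {r["member"] for r in recs if r["action"] == "Accept"}
        dropped = {r["member"] for r in recs if OOS_MARK in r["msg"]} - accepted
        if accepted and dropped:
            hits.append({"time": key[0], "flow": key[1:],
                         "accepted_on": sorted(accepted), "dropped_on": sorted(dropped)})
    return hits


if __name__ == "__main__":
    for hit in find_asymmetric_flows(SAMPLE_LOGS):
        print(hit)
```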