CPUG: The Check Point User Group

Posted 2005-08-13 by roadrunner (Senior Member)

Some packets don't get NATted correctly
Symptoms: Some untranslated packets from the DMZ are dropped by the anti-spoofing on the Internet router. Some TCP sessions get lost in space after some random time.
Some packets from some sessions are not translated although the log entries contain the expected address translation values.

fw1 log:

source:client_IP Dst:www_IP xlated source:client_IP xlated dst:dmz_IP
source:access_router dst:dmz_IP proto:icmp code:3/13

cisco syslog:
[access_router] %SEC-6-IPACCESSLOGP: list 120 denied tcp dmz_IP(80) -> client_IP(1830), 1 packet

snoop/tcpdump/sniffer on internet interface:

source:client_IP dst:www_ip SYN
source:www_IP dst:client_ip SYN+ACK
source:client_IP dst:www_ip ACK
source:client_IP dst:www_ip GET /
*source:dmz_IP dst:client_ip ACK (without tcp payload) - this packet comes 0.2 seconds after the GET /
source:access_router dst:dmz_ip icmp 3/13
*source:dmz_IP dst:client_ip ACK (without tcp payload)
source:access_router dst:dmz_ip icmp 3/13
*source:dmz_IP dst:client_ip ACK (without tcp payload)
source:access_router dst:dmz_ip icmp 3/13
*source:dmz_IP dst:client_ip RST

snoop/tcpdump/sniffer on dmz interface:

source:client_IP dst:dmz_ip SYN
source:dmz_IP dst:client_ip SYN+ACK
source:client_IP dst:dmz_ip ACK
source:client_IP dst:dmz_ip GET /
source:dmz_IP dst:client_ip ACK (without tcp payload) - this packet comes 0.2 seconds after the GET /
source:access_router dst:dmz_ip icmp 3/13
source:dmz_IP dst:client_ip ACK (without tcp payload)
source:access_router dst:dmz_ip icmp 3/13
source:dmz_IP dst:client_ip ACK (without tcp payload)
source:access_router dst:dmz_ip icmp 3/13
source:dmz_IP dst:client_ip RST

It seems the problem does not affect sessions without the 0.2-second delay (the usual delay is 0.01 seconds).

Answer

--------------------------------------------------------------------------------
Changing all the 'install on' fields from 'gateways' or 'all' to 'target', 'your firewall' seems to solve the NAT issue.
--------------------------------------------------------------------------------

-- RobertGraham - 13 Feb 2004
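As an added example (not part of roadrunner's post or of the quoted FAQ), a small checker that reads capture lines in the "source:X dst:Y <info>" notation used above from the Internet-facing interface and reports the two things worth looking for when this symptom is suspected: DMZ-sourced packets that left untranslated (the ones the router's anti-spoofing ACL logs and answers with ICMP 3/13), and sessions in which the server side was seen with both the public and the DMZ address. The addresses, the DMZ prefix and the capture itself are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Assumed DMZ prefix: any packet with a source inside it seen on the outside is untranslated.
DMZ_NET = ipaddress.ip_network("10.10.10.0/24")
# Constructed capture from the Internet-facing interface (IPv4 host:port notation):
# client 198.51.100.7, published address 203.0.113.80 (www_IP), real server
# 10.10.10.80 (dmz_IP), access router 203.0.113.1; a second client whose session is fine.
EXTERNAL_CAPTURE = """\
source:198.51.100.7:1830 dst:203.0.113.80:80 SYN
source:203.0.113.80:80 dst:198.51.100.7:1830 SYN+ACK
source:198.51.100.7:1830 dst:203.0.113.80:80 ACK
source:198.51.100.7:1830 dst:203.0.113.80:80 GET /
source:10.10.10.80:80 dst:198.51.100.7:1830 ACK
source:203.0.113.1 dst:10.10.10.80 icmp 3/13
source:10.10.10.80:80 dst:198.51.100.7:1830 RST
source:198.51.100.9:2001 dst:203.0.113.80:80 SYN
source:203.0.113.80:80 dst:198.51.100.9:2001 SYN+ACK
"""

def parse_line(line):
    """Parse one 'source:X dst:Y <info>' line (X, Y are host or host:port); None otherwise."""
    parts = line.split()
    if len(parts) < 2 or not parts[0].startswith("source:") or not parts[1].startswith("dst:"):
        return None
    src, _, sport = parts[0][len("source:"):].partition(":")
    dst, _, dport = parts[1][len("dst:"):].partition(":")
    return {"src": src, "sport": int(sport) if sport else None,
            "dst": dst, "dport": int(dport) if dport else None, "info": " ".join(parts[2:])}

def audit_external_capture(capture, public_ip, dmz_net=DMZ_NET):
    """Report DMZ-sourced packets that escaped translation, sessions in which the server
    side was seen with both the public and the DMZ address, and ICMP 3/13 replies."""
    public = ipaddress.ip_address(public_ip)
    server_sources = defaultdict(set)   # (client_ip, client_port) -> server source IPs seen
    leaks, prohibited = [], 0
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if "icmp 3/13" in pkt["info"].lower():
            prohibited += 1             # router refusing the untranslated packet
            continue
        src = ipaddress.ip_address(pkt["src"])
        if src in dmz_net:
            leaks.append(line)          # this is what the router's anti-spoofing ACL drops
        if src == public or src in dmz_net:      # server -> client direction
            server_sources[(pkt["dst"], pkt["dport"])].add(str(src))
    mixed = {client: sorted(srcs) for client, srcs in server_sources.items() if len(srcs) > 1}
    return {"leaks": leaks, "mixed_sessions": mixed, "icmp_prohibited": prohibited}
```

Run it on a real capture by feeding lines converted to the same notation; a non-empty `leaks` list on the outside interface is the direct evidence that NAT was skipped, independent of what the firewall log claims.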