CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi, I'm not very familiar with Check Point's inner workings (I'm more at ease in a Cisco environment) and I'm having some problems with a NAT configuration; any help is appreciated. (I'll be getting some training on Check Point in 2 months' time.)

In my current setup, using an NGX 65 HA cluster, I have the DMZ with public addressing. My problem is that I needed a couple of servers to be able to contact servers on the internal WAN (they need routing to get to them). I tried creating a manual hide rule, to NAT all these IPs behind a private IP when they try to contact the specified servers on the private network (the connections are always started by the servers on the DMZ), but the firewall is dropping the packet with the info "message_info: Address spoofing". I have "Translate destination on client side" selected in the global properties.

Any ideas on how to work around this? Would specifying NAT (static or hide) on the objects that represent the DMZ servers to a private IP just NAT the communications to the inside?

Thanks,
Tiago

If you use automatic NAT (the NAT tab in the objects) this always leads to generic rules. In this case you need a specific rule for certain networks or objects. From what you describe, NAT Hide is indeed the right choice:

    Servers | Internal WAN | any | Hide IP | = | =

Then check the logs and see where it's being dropped. The logs will tell you which interface dropped the packets and why. Also, if you check the Xlated Src and Xlated Dst you will be able to know if NAT has occurred and if it's working properly. Then you can adjust the anti-spoofing accordingly, by going to the Topology tab on the firewall object, as mcnallym said.

PS: Are you Portuguese by any chance?

Thanks mcnallym and MarioL,

I've tried to update the topology but I still get the same results. Meanwhile I've disabled the anti-spoofing on the required interface to make it work for now, but I would still like to get it working properly :-)

I've logged the rule that allows the traffic through, and what shows up in the logs is:

1st, the packet being accepted on the correct interface;
2nd, right below it, the packet being denied on another interface (in this case the external interface that connects to the outside world).

What doesn't make any sense to me is why it's showing up as coming from the outside interface. I would think at most it would appear as though it was coming from the interface where the network that contains the address it is being translated to is attached. Any help on what could be going on is appreciated.

MarioL, how can I check the Xlated Src and Xlated Dst?

Thanks,
Tiago

PS: MarioL, yes I am Portuguese; you too?
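To make MarioL's advice concrete (read the log pair, compare the original and translated addresses, then check the source against the interface topology), here is an added example that is not from the thread or from Check Point. It works on constructed log lines in a simplified key=value form; the field names (src, dst, xlatesrc, xlatedst, message_info) are borrowed from the style of fw log output but the format, interface names, addresses and topology are all assumptions for this example. The anti-spoofing check is a simplified model of the idea (a source address must belong to the topology of the interface it arrives on), not a reproduction of the real implementation, and it does not claim to explain why Tiago's packet is seen on the external interface.

```python
import ipaddress
import re

# Constructed sample records in a simplified key=value form, loosely modelled on
# the field names seen in Check Point "fw log" output (src, dst, xlatesrc,
# xlatedst, message_info). Interfaces, addresses and rule numbers are made up.
SAMPLE_LOG = """\
action=accept ifname=eth2 src=198.51.100.10 dst=10.20.30.40 xlatesrc=10.99.0.5 xlatedst=10.20.30.40 rule=12
action=drop ifname=eth0 src=198.51.100.10 dst=10.20.30.40 message_info="Address spoofing"
action=accept ifname=eth2 src=198.51.100.11 dst=10.20.30.41 xlatesrc=10.99.0.5 xlatedst=10.20.30.41 rule=12
"""

# Assumed (hypothetical) topology: the networks considered legitimate behind
# each internal interface. The external interface accepts any source that is
# NOT in an internal network, which is the usual meaning of an "External"
# interface in an anti-spoofing setup.
EXTERNAL_IF = "eth0"
INTERNAL_TOPOLOGY = {
    "eth1": [ipaddress.ip_network("10.20.0.0/16")],      # internal WAN
    "eth2": [ipaddress.ip_network("198.51.100.0/24")],   # DMZ, public addressing
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(text):
    """Turn key=value log lines into dicts; quoted values keep their spaces."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        records.append({k: v.strip('"') for k, v in FIELD_RE.findall(line)})
    return records


def nat_applied(rec):
    """True when the record shows a translated source or destination that
    differs from the original, i.e. NAT actually happened on this packet."""
    src_changed = "xlatesrc" in rec and rec["xlatesrc"] != rec["src"]
    dst_changed = "xlatedst" in rec and rec["xlatedst"] != rec["dst"]
    return src_changed or dst_changed


def is_spoofed(ifname, src):
    """Simplified anti-spoofing decision: a packet counts as spoofed when its
    source address does not belong to the topology of the arrival interface."""
    addr = ipaddress.ip_address(src)
    in_internal = any(addr in net
                      for nets in INTERNAL_TOPOLOGY.values() for net in nets)
    if ifname == EXTERNAL_IF:
        return in_internal          # an internal address arriving from outside
    return not any(addr in net for net in INTERNAL_TOPOLOGY.get(ifname, []))


def correlate(records):
    """Group records per (src, dst) flow and summarise where the packet was
    accepted, where it was dropped, why, and whether NAT occurred."""
    flows = {}
    for rec in records:
        key = (rec["src"], rec["dst"])
        flow = flows.setdefault(key, {"accepted_on": None, "dropped_on": None,
                                      "reason": None, "nat": False})
        if rec["action"] == "accept":
            flow["accepted_on"] = rec["ifname"]
            flow["nat"] = flow["nat"] or nat_applied(rec)
        elif rec["action"] == "drop":
            flow["dropped_on"] = rec["ifname"]
            flow["reason"] = rec.get("message_info")
    return flows


if __name__ == "__main__":
    for (src, dst), flow in correlate(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: accepted on {flow['accepted_on']}, "
              f"dropped on {flow['dropped_on']} ({flow['reason']}), "
              f"NAT applied: {flow['nat']}")
        if flow["dropped_on"]:
            print("   topology model flags source as spoofed:",
                  is_spoofed(flow["dropped_on"], src))
```

Reading the output the way MarioL suggests: when the accept record carries an xlatesrc that differs from src, NAT did happen on that packet; the drop record then names the interface that rejected it, and is_spoofed() shows which topology entry that interface would need for the address to be considered legitimate.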