CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi All,

I have read a few posts that are here, and there seem to be a few people with a similar type of problem, but none of their solutions have worked for me. Here is some information:

- NGX R60 HA Cluster
- Security rule to allow an internal server to any on any port
- Security rule to allow any to an external IP (the NAT IP) on any port
- NAT rule to allow internal server to any on any port, hide origin behind external IP (same one as listed in security rule)
- NAT rule to allow any to external IP (same one as before) on any port, source origin stays the same, and destination is NATed to private IP of internal server

I hope that makes sense. To me, that seems to be all I need to do. I did also add a static host route to the gateway routers pointing the external IP to the cluster address of the firewalls; before I added this, I could not even get out to the internet from the internal server.

From inside going out, everything seems to work fine, but then from the outside coming in, the packet seems to get to the firewall and then nothing. I have looked at some logging but nothing obvious jumped out at me.

Does anyone have any suggestions as to what the issue may be, or of something else that I could look at or that I might have missed?

Thanks
-Hurgh-
Question: From your description it appears that you are using Manual NAT, i.e. you are manually creating an object for the NAT address of the destination server and you are manually adding NAT rules in the address translation rulebase. If you are doing manual NAT then three things will also need to be "fixed" (although CheckPoint has got a check box which fixes two of these issues; see the Quick Fix paragraph below):

1) Incoming traffic destined for your "NAT" address will need to get to the firewall. This is normally achieved using proxy ARP (add a proxy ARP entry so that your FW claims NAT packets on the external NIC), but can alternatively be achieved by putting a route on the upstream router (add a static route pushing traffic destined to the NAT address to the FW EXT IF).

2) Add a static route ON THE FIREWALL to force "NAT" traffic through to the internal next hop (add a route which pushes any traffic with a destination of "NAT address" through to the internal next hop).

3) Fix anti-spoofing so that NAT traffic is accepted on the internal interfaces (add all NAT addresses to a SPECIFIC anti-spoofing group for your internal interface(s)).

Quick Fix: Now as I said earlier (and Thorpuse also mentioned in his post), there is a quick fix for two of these (2 + 3 above): have a look at Policy Menu > Global Properties > NAT and make sure that "Translate Destination on the Client side" is checked. If it is checked, then there is no requirement for (2 + 3), which means all you need to do is fix item 1. EXCEPT: for some reason on SPLAT you still need to add a route when you add a proxy ARP (so for SPLAT do 1 and 2).

Last edited by coldark; 2008-04-09 at 06:55. Reason: Clarification.
Thanks for the replies. I checked my global properties and the "Translate Destination on Client Side" under the Manual NAT section is not ticked, so I will tick that and install the policy shortly.

Coldark, just one quick question: I am not sure I understand what you mean by point number 2. I am using SPLAT, so I can add routes easily (via the web interface), but I am not sure I know what you mean by the "Internal Next Hop". Is this "Internal Next Hop" going to be the host that the NAT is going to? There is only one subnet behind the interface where the NATed host is, so I cannot point it to a router or anything.

Thanks again for your help.
-Hurgh-
See Diagram:

If the destination server (meaning the device that you are NATing for) is immediately behind the FW then yes, the "Next Hop" would be the server itself (see Diagram, situation (a)). I can't remember the exact SPLAT syntax atm, but it would be something like:

`route add -host [NATADDRESS] gw [DEST SERVER ADDRESS]`

Alternatively, add the route via the SPLAT web interface.

If the destination server is behind an internal routing device then the route would point towards the internal router, as the next hop, instead (see Diagram, situation (b)).

`route add -host [NATADDRESS] gw [INTERNAL ROUTER ADDRESS]`

Alternatively, add the route via the SPLAT web interface.

Last edited by coldark; 2008-04-10 at 08:19. Reason: Added Diagram for clarification
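The following is an added example, not code from the thread, from coldark, or from Check Point. It turns the three manual-NAT prerequisites from coldark's first reply (proxy ARP on the external NIC, a host route on the firewall to the internal next hop, the NAT address in the internal anti-spoofing group) into a small POSIX shell checker, and prints the `route add -host` command from the second reply for situation (a). Every address, interface name and command output in it is constructed for illustration; the `arp -an` and `route -n` samples follow the usual net-tools layout but your box may print them slightly differently, and the anti-spoofing group is represented as a plain text list because on a real gateway it lives in the interface topology object, not in a file the script can read.

```shell
#!/bin/sh
# Added example (not from the thread or from Check Point): check the three
# manual-NAT prerequisites coldark lists, against constructed sample output.
# On a real SPLAT box you would pass in the output of `arp -an` and `route -n`
# and a list of what is in the internal interface's anti-spoofing group.

NAT_ADDR="203.0.113.10"   # constructed public NAT address (the "external IP" in the thread)
REAL_ADDR="10.1.1.20"     # constructed internal server = next hop for situation (a)
EXT_IF="eth0"             # constructed external interface name
INT_IF="eth1"             # constructed internal interface name

# Constructed `arp -an` style output: the published (proxy) entry carries PERM PUP.
SAMPLE_ARP='? (192.0.2.1) at 00:11:22:33:44:55 [ether] on eth0
? (203.0.113.10) at * PERM PUP on eth0'

# Constructed `route -n` output with the /32 host route coldark asks for (item 2).
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.0.113.10    10.1.1.20       255.255.255.255 UGH   0      0        0 eth1
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.0.2.1       0.0.0.0         UG    0      0        0 eth0'

# Same table without the host route: the SPLAT symptom described in the thread
# (inbound packets reach the firewall and then go nowhere).
BAD_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.0.2.1       0.0.0.0         UG    0      0        0 eth0'

# Constructed stand-in for the internal interface's anti-spoofing group (item 3):
# one network or host per line, as you would add them to the topology group.
SAMPLE_SPOOF_GROUP='10.1.1.0/24
203.0.113.10/32'

# Returns 0 if a published (proxy) ARP entry for $1 exists on interface $2 in $3.
has_proxy_arp() {
    printf '%s\n' "$3" | grep -F "($1)" | grep -w PUP | grep -q "on $2\$"
}

# Returns 0 if $3 (route -n output) has a /32 route for $1 whose gateway is $2.
has_host_route() {
    printf '%s\n' "$3" | awk -v d="$1" -v g="$2" \
        '$1 == d && $2 == g && $3 == "255.255.255.255" { found = 1 } END { exit !found }'
}

# Returns 0 if $1 is listed as a /32 in the anti-spoofing group text $2.
in_spoof_group() {
    printf '%s\n' "$2" | grep -qxF "$1/32"
}

# Runs all three checks against the supplied outputs ($1 arp, $2 route, $3 spoof
# group), prints one line per check and returns the number of failed checks.
check_manual_nat() {
    fails=0
    if has_proxy_arp "$NAT_ADDR" "$EXT_IF" "$1"; then
        echo "ok   item 1: proxy ARP for $NAT_ADDR on $EXT_IF"
    else
        echo "FAIL item 1: no proxy ARP for $NAT_ADDR on $EXT_IF"; fails=$((fails + 1))
    fi
    if has_host_route "$NAT_ADDR" "$REAL_ADDR" "$2"; then
        echo "ok   item 2: host route $NAT_ADDR -> $REAL_ADDR"
    else
        echo "FAIL item 2: no host route for $NAT_ADDR via $REAL_ADDR"; fails=$((fails + 1))
    fi
    if in_spoof_group "$NAT_ADDR" "$3"; then
        echo "ok   item 3: $NAT_ADDR in anti-spoofing group for $INT_IF"
    else
        echo "FAIL item 3: $NAT_ADDR missing from anti-spoofing group for $INT_IF"; fails=$((fails + 1))
    fi
    return $fails
}

# Prints the firewall-side route command from coldark's second post for NAT
# address $1 and next hop $2 (the server itself in situation (a), the internal
# router in situation (b)). `route add -host` already implies a /32 mask.
route_fix_command() {
    echo "route add -host $1 gw $2"
}

check_manual_nat "$SAMPLE_ARP" "$SAMPLE_ROUTE" "$SAMPLE_SPOOF_GROUP"
echo "--- same box with the host route missing ---"
check_manual_nat "$SAMPLE_ARP" "$BAD_ROUTE" "$SAMPLE_SPOOF_GROUP" \
    || echo "$? prerequisite(s) missing; suggested fix: $(route_fix_command "$NAT_ADDR" "$REAL_ADDR")"
```

The second run reproduces the failure mode in the thread: proxy ARP and anti-spoofing are fine, the inbound packet is claimed by the firewall, but with no host route the checker reports item 2 missing and prints the `route add -host` line to add (the web interface route coldark mentions is equivalent). Run the checker again after the "Translate Destination on the Client side" box is ticked and the SPLAT route is added, and all three items should report ok.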