CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi, we are running NGX R65 on SPLAT 2.6.

I have a web server with an internal IP int.int.int.160 with an automatic static NAT to ext.ext.ext.160. Now I try to access the external IP from the internal IP, like this, on int.int.int.160:

wget ext.ext.ext.160\index.html

I don't get any response. If I do this request without any additional NAT rules I get two entries in the Tracker:

1. OK: SRC: int.int.int.160 DST: ext.ext.ext.160, NAT rule 14, add. NAT rule 15 (14 and 15 are automatic rules; 14 translates INT to EXT and 15 EXT to INT)
2. DROP: SRC: Firewall DST: ext.ext.ext.160, ICMP: Host Unreachable, ICMP Type: 3, ICMP Code: 1, message_info: ICMP error does not match an existing connection

Global properties are:

- Allow bi-directional NAT: YES
- Translate destination on client side: YES
- Automatic ARP: YES
- Merge manual proxy ARP: NO
- Manual NAT rules: translate destination on client side: NO

I have started a thread on the Checkpoint forum without a result; there are some more dumps. If you are interested have a look at https://forums.checkpoint.com/forums...=5858&tstart=0

Thanks for your help!

Last edited by gunnar; 2008-04-10 at 06:38. Reason: added detail to title
| |||
Put an "anti-NAT" rule at the top of your rulebase, to not translate packets from your internal nets to your web server(s). Then access the web servers using the internal IP.
| |||
Oops... hang on, you're trying to go from your own webserver, to your own webserver??? That doesn't make sense. If you really need to do this (for host header resolution or something similar) just create a hosts file on your webserver for local resolution of the hostname to the internal address.
| |||
> Oops... hang on, you're trying to go from your own webserver, to your own webserver??? That doesn't make sense. If you really need

E.g. the mail server does some lookups on the DNS name, as well as some processes on the webserver for PDF generation which pull images by HTTP with the DNS name.

One solution would be to add an internal DNS server with the internal IPs or, as you proposed, a hosts file. Because we have a lot of DNS entries and IPs it would be a lot of work to do.

Before, we were running NGX R60 on IPSO and there it worked without a problem.

We have tried several NAT rules so far but none worked. The most promising was:

original: src: int.int.int.160, dst: ext.ext.ext.160
translated: src: int.int.int.1 (gateway address of this subnet, with hide NAT), dst: int.int.int.160 (static)

But if you monitor the connection with fw monitor, you can see that the source is rewritten, but the destination always becomes ext.ext.ext.160. It is always moved to eth0, which is our external interface, and gets lost there (no drop visible).
| |||
Quote:

| Original source | Original destination | Translated source | Translated destination |
|---|---|---|---|
| int.int.int.any | int.int.int.any | orig | orig |
| int.int.int.160 | any | ext.ext.ext.160 | orig |
| any | ext.ext.ext.160 | orig | int.int.int.160 |

As for settings, I'd turn off bi-directional NAT if you're not using it and enable "Translate destination on client side" for manual NAT. Aside from the host accessing itself, does the NAT work out to the internet?

__________________
It's all in the documentation.
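The ordering argument behind the anti-NAT rule in the reply above (a NAT rulebase is matched top-down, the first match wins, and with bi-directional NAT a later rule may add the destination translation, which is what the "NAT rule 14, add. NAT rule 15" log entry in the first post shows) can be seen in a small rulebase simulator. The following is an added example written for this thread, not Check Point code and not a model of the product's exact matching logic: it assumes a simplified first-match evaluator, uses documentation-range addresses in place of the int.int.int.x / ext.ext.ext.x placeholders, and adds a constructed hide-NAT rule for the internal net so the effect of the anti-NAT rule has something to prevent.

```python
"""Toy first-match NAT rulebase evaluator (constructed example, not Check Point code).

Models the ordering point made in the thread: rules are matched top-down, the
first match wins, and when bi-directional NAT is on a later rule that only
translates the destination may be applied as well. Addresses are placeholders
standing in for the thread's int.int.int.x / ext.ext.ext.x values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

INTERNAL_NET = "10.1.1.0/24"          # stands in for int.int.int.0/24
WEB_INTERNAL = "10.1.1.160"           # stands in for int.int.int.160
WEB_EXTERNAL = "198.51.100.160"       # stands in for ext.ext.ext.160
HIDE_ADDRESS = "198.51.100.1"         # constructed hide-NAT address for the internal net


@dataclass(frozen=True)
class NatRule:
    name: str
    orig_src: str             # "any", a CIDR network, or a single host
    orig_dst: str
    xlate_src: Optional[str]  # None means "orig": keep the source unchanged
    xlate_dst: Optional[str]  # None means "orig": keep the destination unchanged


def _matches(pattern: str, addr: str) -> bool:
    """Match one rule column against an address."""
    if pattern == "any":
        return True
    if "/" in pattern:
        return ip_address(addr) in ip_network(pattern)
    return addr == pattern


def translate(rulebase: List[NatRule], src: str, dst: str,
              bidirectional: bool = False) -> Tuple[str, str, List[str]]:
    """Return (translated src, translated dst, names of the rules applied).

    First match wins. When bidirectional is set and the winning rule only
    translated the source, the first later rule that matches the original
    packet and translates only the destination is applied as well.
    """
    for i, rule in enumerate(rulebase):
        if not (_matches(rule.orig_src, src) and _matches(rule.orig_dst, dst)):
            continue
        new_src = rule.xlate_src or src
        new_dst = rule.xlate_dst or dst
        applied = [rule.name]
        if bidirectional and rule.xlate_dst is None and rule.xlate_src is not None:
            for later in rulebase[i + 1:]:
                if (later.xlate_src is None and later.xlate_dst is not None
                        and _matches(later.orig_src, src)
                        and _matches(later.orig_dst, dst)):
                    new_dst = later.xlate_dst
                    applied.append(later.name)
                    break
        return new_src, new_dst, applied
    return src, dst, []


# The three rules from the reply above, in order, plus a constructed hide-NAT
# rule for the internal net (the thread mentions hide NAT behind the gateway).
ANTI_NAT = NatRule("anti-NAT", INTERNAL_NET, INTERNAL_NET, None, None)
STATIC_OUT = NatRule("static out", WEB_INTERNAL, "any", WEB_EXTERNAL, None)
STATIC_IN = NatRule("static in", "any", WEB_EXTERNAL, None, WEB_INTERNAL)
HIDE = NatRule("hide internal", INTERNAL_NET, "any", HIDE_ADDRESS, None)

WITH_ANTI_NAT = [ANTI_NAT, STATIC_OUT, STATIC_IN, HIDE]
WITHOUT_ANTI_NAT = [STATIC_OUT, STATIC_IN, HIDE]


if __name__ == "__main__":
    # Web server talking to its own external address: source and destination both rewritten.
    print(translate(WITHOUT_ANTI_NAT, WEB_INTERNAL, WEB_EXTERNAL, bidirectional=True))
    # Internal client to the web server's internal IP: anti-NAT keeps the packet untouched,
    # without it the hide rule rewrites the source.
    print(translate(WITH_ANTI_NAT, "10.1.1.50", WEB_INTERNAL))
    print(translate(WITHOUT_ANTI_NAT, "10.1.1.50", WEB_INTERNAL))
```

Running it shows why the reply pairs the anti-NAT rule with "access the web servers using the internal IP": a packet to the external address never matches the internal-to-internal rule and still hits the static rules, while a packet to the internal address is left alone only when the anti-NAT rule sits above everything that would otherwise translate it.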