Natting Issue In Checkpoint Firewall



fauzzi
2011-01-25, 03:08
Hi Guys,

I have recently done a migration to Checkpoint Power-1 UTM, and I am facing issues while creating the NAT policies. We have a few servers in the internal LAN (not in the DMZ) which users access from the internet, so first I created an object NAT (automatic NAT) and installed the policy, but in this case it was not accessible from the internet. When I did a tcpdump on the firewall I could see only the SYN packet; there was no acknowledgement back from the server. When I ran Wireshark on the server I could see the server is sending the ACK, but somehow it is not coming back to the firewall. In this case I found that there is a requirement of reverse routing towards the firewall, as when the packet is coming back there is no route for the public IPs to reach the firewall, which was not required before the migration. So to avoid this routing I need to convert the source to an internal IP. I tried to make a NAT rule as:-

source: any, dest: public IP of server, src translation: firewall internal interface, dst translation: private server IP.
But the firewall won't allow translating Any in the source address translation.

So my query is: what are the possibilities to create a rule for such scenarios, where I need to do a source NAT for all internet IPs while coming inside?

The exact scenario is this:-
internet > firewall > Core switches > MPLS link > Core switch > Server (to be accessed from outside)

Please share your valuable comments.

Regards,
Fauzzi

phoenix
2011-01-25, 08:45
We have a few servers in the internal LAN (not in the DMZ) which users access from the internet, so first I created an object NAT (automatic NAT) and installed the policy, but in this case it was not accessible from the internet. When I did a tcpdump on the firewall I could see only the SYN packet; there was no acknowledgement back from the server. When I ran Wireshark on the server I could see the server is sending the ACK, but somehow it is not coming back to the firewall. In this case I found that there is a requirement of reverse routing towards the firewall, as when the packet is coming back there is no route for the public IPs to reach the firewall, which was not required before the migration. So to avoid this routing I need to convert the source to an internal IP. I tried to make a NAT rule as:-

source: any, dest: public IP of server, src translation: firewall internal interface, dst translation: private server IP.
But the firewall won't allow translating Any in the source address translation.

So my query is: what are the possibilities to create a rule for such scenarios, where I need to do a source NAT for all internet IPs while coming inside?

The exact scenario is this:-
internet > firewall > Core switches > MPLS link > Core switch > Server (to be accessed from outside)


So where does the reply from the server get routed? Does the server site have its own local Internet breakout?

I take it that before the migration you didn't have this service available, i.e. it has never worked.

alienbaby
2011-01-25, 14:01
Nice, sounds like you're allowing access to an internal server from the Internet. Not the best risk management strategy...

The only way I can see to make this work is to install a reverse proxy close to the firewall. You can use a Linux box running Apache and mod_proxy, or squid, or netcat, or stunnel, etc.

northlandboy
2011-01-25, 15:58
Does your internal network currently have a default route pointing somewhere other than this firewall?

If you absolutely must do this sort of NATting, it is possible with a network object rather than ANY, as I recall.

msjouw
2011-01-25, 17:59
Indeed, just create 2 network objects, 0.0.0.0/1 and 128.0.0.0/1 (/1 = 128.0.0.0), add these 2 to a group called Any_for-NAT and use that.

Probably the MPLS does not have a default route set towards the firewall; have that fixed for your best solution.

When you are using HTTPS to this server, however, there will be HUGE delays. A normal 10 second response will turn into a 15 minute response; I don't know why, but it does. This was my experience with an OWA server mid last year and another one more recently.
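To show what msjouw's two-/1 workaround changes compared with the automatic NAT fauzzi tried first, here is an added Python model (not code from this thread or from Check Point) of both rules applied to one inbound connection; the addresses, the Any_for-NAT group contents and the server site's routing table are constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses (assumptions for this example, not from the thread).
SERVER_PUBLIC_IP = ipaddress.ip_address("203.0.113.10")   # public IP users connect to
SERVER_PRIVATE_IP = ipaddress.ip_address("10.20.30.40")   # server's real LAN address
FW_INTERNAL_IP = ipaddress.ip_address("10.0.0.1")         # firewall internal interface
# Assumed routing at the MPLS server site: internal space only, no default route to the firewall.
SERVER_SITE_ROUTES = [ipaddress.ip_network("10.0.0.0/8")]

# msjouw's workaround: two /1 networks that together equal 0.0.0.0/0, grouped
# so the rule base accepts them where a bare "Any" in source translation is refused.
ANY_FOR_NAT = [ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")]

@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address

def covers_all_ipv4(nets):
    """True when the group collapses to exactly 0.0.0.0/0 (no gaps, no leftovers)."""
    return list(ipaddress.collapse_addresses(nets)) == [ipaddress.ip_network("0.0.0.0/0")]

def apply_automatic_nat(pkt):
    """Automatic (object) NAT as first tried: only the destination is rewritten,
    so the server still sees the Internet client as the source."""
    if pkt.dst != SERVER_PUBLIC_IP:
        return pkt
    return Packet(src=pkt.src, dst=SERVER_PRIVATE_IP)

def apply_manual_hide_nat(pkt):
    """Manual rule: src Any_for-NAT, dst public IP -> src hidden behind the firewall's
    internal address, dst statically translated to the private server IP."""
    if pkt.dst != SERVER_PUBLIC_IP or not any(pkt.src in n for n in ANY_FOR_NAT):
        return pkt  # rule does not match; packet passes untranslated
    return Packet(src=FW_INTERNAL_IP, dst=SERVER_PRIVATE_IP)

def server_reply_is_routable(translated):
    """The server answers to translated.src; with no default route at its site the
    reply only gets back if that address is inside a prefix the site knows."""
    return any(translated.src in n for n in SERVER_SITE_ROUTES)

if __name__ == "__main__":
    client = Packet(ipaddress.ip_address("198.51.100.7"), SERVER_PUBLIC_IP)
    for name, nat in (("automatic", apply_automatic_nat), ("manual hide", apply_manual_hide_nat)):
        out = nat(client)
        print(f"{name}: server sees {out.src} -> {out.dst}, reply routable: {server_reply_is_routable(out)}")
```

Running it shows the automatic rule leaving the client's public address as the source the server must route back to, while the hide rule makes the reply go to the firewall's internal address, which is the routing problem the thread describes and the reason the two-/1 group is needed.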