Checkpoint R77 VSX NAT ISSUE



onehet
2013-12-01, 12:51
Hi,

I built a virtual system; we have an external interface (default route) and some internal interfaces.

We have a strange behaviour:

- Traffic from the inside network is going through the virtual system.
- If I check the firewall log in the Tracker, I can see the firewall is allowing that traffic and making source NAT.
- If I do a "fw monitor" on the virtual system, I can see traffic going out through the external interface but without NAT (original source IP address).

Where can I find more information about this behaviour, or places where I can check deeper in the firewall?

Thank you.

mcnallym
2013-12-02, 09:23
When I have seen this, it is normally an issue with SecureXL.

Does Tracker show that the traffic has been NATted (make sure that the NAT columns are viewable), and does tcpdump on the external interface show the traffic as being NATted?

If they do, then it will likely just be SecureXL.

fwaccel off

will turn off SecureXL. Check with fw monitor.

fwaccel on

to turn SecureXL on again.

PhoneBoy
2013-12-04, 06:49
I'd like to get clarification on the question here:

1. Is it that there is NO NAT happening at all?
2. Is it that "fw monitor" is showing NO NAT even though it is happening?
3. If #2, can you verify with tcpdump that NAT is happening?

onehet
2013-12-04, 08:43
> When I have seen this, it is normally an issue with SecureXL.
>
> Does Tracker show that the traffic has been NATted (make sure that the NAT columns are viewable), and does tcpdump on the external interface show the traffic as being NATted?
>
> If they do, then it will likely just be SecureXL.
>
> fwaccel off
>
> will turn off SecureXL. Check with fw monitor.
>
> fwaccel on
>
> to turn SecureXL on again.

With fwaccel off, fw monitor shows us the traffic OK (doing NAT and undoing NAT for traffic back to the workstation), but the connection is not working.

If I do a tcpdump on the next inside gateway, I can see traffic going out but I cannot see traffic going back.

The routing table in the virtual system is OK.

PhoneBoy
2013-12-05, 10:43
> With fwaccel off, fw monitor shows us the traffic OK (doing NAT and undoing NAT for traffic back to the workstation), but the connection is not working.
>
> If I do a tcpdump on the next inside gateway, I can see traffic going out but I cannot see traffic going back.

If the traffic isn't coming back to the VSX gateway, then I suspect the problem is not in VSX but somewhere between the VSX gateway and the destination host.
You may have to troubleshoot at each hop or use traceroute or something to see where the problem is.

I've heard that fw monitor may not necessarily show when NAT occurs, which is why I asked what tcpdump showed. :)
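The three outcomes the thread walks through (source address unchanged at the post-outbound point, NAT applied but no reply arriving, and NAT plus reverse NAT both seen) can be told apart mechanically from a fw monitor capture. The script below is an added example, not code from the thread or from Check Point; the capture lines are constructed, and the line shape, inspection-point letters and interface names (eth0 external, eth1 internal) are assumptions.

```python
import re
# Constructed "fw monitor" captures in the line shape an R77 gateway is assumed to print:
#   <iface>:<point>[<len>]: <src> -> <dst> (<proto>) ...   (points: i/I inbound, o/O outbound)
# Internal side is eth1, external (hide NAT) side is eth0; all addresses are made up.
CAP_NO_NAT = """\
eth1:i[60]: 10.1.1.5 -> 198.51.100.7 (TCP) len=60 id=100
eth1:I[60]: 10.1.1.5 -> 198.51.100.7 (TCP) len=60 id=100
eth0:o[60]: 10.1.1.5 -> 198.51.100.7 (TCP) len=60 id=100
eth0:O[60]: 10.1.1.5 -> 198.51.100.7 (TCP) len=60 id=100
"""
# Same flow, but the post-outbound packet now carries the hide address.
CAP_NO_RETURN = CAP_NO_NAT.replace("eth0:O[60]: 10.1.1.5", "eth0:O[60]: 203.0.113.9")
# Same flow plus the reply, un-NATted on the way back in and delivered to the client.
CAP_OK = CAP_NO_RETURN + """\
eth0:i[60]: 198.51.100.7 -> 203.0.113.9 (TCP) len=60 id=200
eth0:I[60]: 198.51.100.7 -> 10.1.1.5 (TCP) len=60 id=200
eth1:o[60]: 198.51.100.7 -> 10.1.1.5 (TCP) len=60 id=200
eth1:O[60]: 198.51.100.7 -> 10.1.1.5 (TCP) len=60 id=200
"""
LINE = re.compile(r"^(?P<iface>\S+):(?P<pt>[iIoO])\[\d+\]:\s+(?P<src>[\d.]+) -> (?P<dst>[\d.]+)")

def parse(capture):
    """Return one dict per recognised capture line; unrelated output is skipped."""
    return [m.groupdict() for m in map(LINE.match, capture.splitlines()) if m]

def diagnose(capture, inside_ip, hide_ip, ext_if):
    """Classify a capture of one client flow the way the thread walks through it."""
    pkts = parse(capture)
    def at(iface, pt):
        return [p for p in pkts if p["iface"] == iface and p["pt"] == pt]
    leaving = at(ext_if, "O")
    translated = any(p["src"] == hide_ip for p in leaving)
    untranslated = any(p["src"] == inside_ip for p in leaving)
    replies_in = any(p["dst"] == hide_ip for p in at(ext_if, "i"))
    delivered = any(p["dst"] == inside_ip and p["iface"] != ext_if and p["pt"] == "O" for p in pkts)
    if untranslated and not translated:
        # Original source seen leaving: either no NAT, or (with SecureXL on) fw monitor is
        # missing the accelerated path. Cross-check Tracker's NAT columns and tcpdump on ext_if.
        return "no-nat-in-fw-monitor"
    if translated and not replies_in:
        # NAT applied, nothing came back on the external side: look beyond the gateway, hop by hop.
        return "no-return-traffic"
    if translated and replies_in and delivered:
        return "nat-ok"
    return "inconclusive"

if __name__ == "__main__":
    for name, cap in (("no_nat", CAP_NO_NAT), ("no_return", CAP_NO_RETURN), ("ok", CAP_OK)):
        print(name, "->", diagnose(cap, "10.1.1.5", "203.0.113.9", "eth0"))
```

Feed it the output of `fw monitor -o file` or a copied terminal session; any line that does not match the assumed shape is ignored rather than misclassified.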