CPUG: The Check Point User Group


Thread: Static NAT fails for outgoing connections through gateway with ISP Redundancy

  1. #1
    Join Date
    2012-08-30
    Posts
    13
    Rep Power
    0

    Static NAT fails for outgoing connections through gateway with ISP Redundancy

    Hi All:
    I want to use two links for redundancy in Active/Standby mode: by default one of the lines is used as the main line, and when the main line has problems, traffic automatically switches to the backup line. Internal hosts and network machines use manual Static NAT for external access.
    Please give detailed configuration steps. Thank you!

  2. #2
    Join Date
    2007-06-04
    Posts
    3,303
    Rep Power
    17

    Re: Static NAT fails for outgoing connections through gateway with ISP Redundancy

    sk25152 in the Check Point knowledgebase gives what needs to be configured to get ISP Redundancy to work, once you have configured ISP Redundancy within the object.

    You also need to manually configure the Proxy ARP configuration, as you will be using Manual NAT rules. sk30197 tells how to configure Manual Proxy ARP on SPLAT/Gaia. If on IPSO, then you can configure Proxy ARP via Voyager.

  3. #3
    Join Date
    2012-08-30
    Posts
    13
    Rep Power
    0

    Re: Static NAT fails for outgoing connections through gateway with ISP Redundancy

    Thanks mcnallym!
    I looked at sk25152, but I didn't understand dynamic_objects. I'll test according to this KB. If I use Hide NAT, everything is OK, but ICMP is not working. Can you tell me why (single firewall)?

  4. #4
    Join Date
    2007-06-04
    Posts
    3,303
    Rep Power
    17

    Re: Static NAT fails for outgoing connections through gateway with ISP Redundancy

    All the Dynamic Objects are used for is to represent the two ISP connections. The dynamic objects should be named the same as you label the ISP lines in the ISP Redundancy configuration.

    If you use Hide NAT with ISP Redundancy, then it should be set to Hide behind Gateway. Static NAT will need to be done manually, so you must configure the $FWDIR/local.arp file and then restart the gateway after amending the file on the gateway. Otherwise the gateway does not respond to the reply traffic coming back.

    Without knowing the rest of the configuration / policy etc., I would be guessing regarding the ICMP.

    However, is the rule that allows the ICMP traffic out logged?
    If so, what do you see in the tracker when looking at the logs? If ICMP is allowed by the rulebase, then it should work fine once ISP Redundancy is configured as per the sk.
    If you do an fw monitor for the ICMP traffic destination on the gateway, what do you see?
    Also, if you do an fw ctl zdebug + drop | grep dest+ip, do you see anything being dropped by the gateway?
    If you don't see anything being dropped, then do a tcpdump on the external interface of the gateway to see if it is receiving a reply back from the ICMP target.

    If you see the traffic go out but not come back, then it sounds like an ARP issue, and you need to ensure that local.arp is configured for the IP that you are NATting behind.

    Under Policy / Global Properties, under NAT, ensure that the merge manual NAT option is ticked, immediately beneath the automatic ARP option.
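
The local.arp check described in the last reply, as an added example that is not part of the original posts or of Check Point's tooling: it lists the static-NAT addresses that have no well-formed proxy ARP entry. The line format ("<NAT IP> <MAC of external interface>"), the function names and the sample addresses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list static-NAT addresses that have no
# usable proxy ARP entry in a local.arp-style file.
# Assumption: one entry per line, "<NAT IP> <MAC of external interface>";
# blank lines and lines starting with '#' are skipped.

# missing_proxy_arp FILE IP...  prints each IP without a well-formed entry
missing_proxy_arp() {
    arp_file=$1
    shift
    for nat_ip in "$@"; do
        awk -v want="$nat_ip" '
            function valid_mac(m,   o, n, i) {
                n = split(tolower(m), o, ":")
                if (n != 6) return 0
                for (i = 1; i <= 6; i++)
                    if (o[i] !~ /^[0-9a-f][0-9a-f]$/) return 0
                return 1
            }
            NF == 0 || $1 ~ /^#/ { next }
            $1 == want && valid_mac($2) { found = 1 }
            END { exit(found ? 0 : 1) }
        ' "$arp_file" || printf '%s\n' "$nat_ip"
    done
}

# Constructed sample: one host NATed behind an address on each ISP subnet
# (documentation ranges), with a typo in the second MAC.
sample_local_arp() {
    cat <<'EOF'
# ISP-A external interface
203.0.113.10 00:1c:7f:00:00:01
# ISP-B external interface
198.51.100.10 00:1c:7f:00:00:0g
EOF
}

tmp_arp=$(mktemp)
sample_local_arp > "$tmp_arp"
# Third address has no entry at all; second has a malformed MAC.
missing_proxy_arp "$tmp_arp" 203.0.113.10 198.51.100.10 198.51.100.11
rm -f "$tmp_arp"
```

Any address this prints is one the gateway would not answer ARP for, which matches the "traffic goes out but does not come back" symptom described above.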
