CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: NAT on a server object

  1. #1 (oharek, Belfast)

    NAT on a server object

    I have a Check Point firewall with server A hanging off the DMZ interface.
    I have a connection to a Cisco ASA firewall with server B hanging off the internal network.

    Server B can ping server A but not the other way around.
    I can remote desktop in both directions and share files in both directions, so I know routing and the access list are correct between both firewalls.
    It's just ping that's not working, but one of the applications on server B relies on ping from server A.

    So I amended the object on the Check Point firewall so that I would NAT the server address behind another address, namely itself. Ping worked for a few seconds and then it kicks the server off the switch, taking away the static address and replacing it with a 169.x.x.x address.

    This is bizarre. Has anyone else seen this before?

    PS - I have no idea why I ticked the box to do NAT, but I need the ping working and am just trying anything I can.

    Any help appreciated.

    Kevin
    Last edited by oharek; 2013-10-24 at 15:30.

  2. #2 (mcnallym)

    Re: NAT on a server object

    Whilst I would agree that routing is correct, if ping is not working then you cannot state that the filtering is correct. It allows the Remote Desktop / file share etc. but not ping, it would seem.

    What do you see in the Check Point log when you try and ping from Server A to Server B?
    Do you see the ICMP go out of the firewall?

    When you say a connection to an ASA, then is this an Ethernet connection or a VPN connection?

    Personally I would get rid of your NAT. When you say you are NATting the object behind itself, then you have enabled Automatic Static NAT and then given the same IP as in the object. This will cause the firewall to proxy ARP for the IP of the server, so I would expect that to cause you problems, as you now effectively have two boxes with the same IP.
    Or does the "itself" refer to the Check Point firewall?
    Either way, the fact that the Remote Desktop / file share works means there is no need for the NAT to take place, and I think that the NAT is a red herring.

    From what you have said then this is how I would see what you are seeing

    1.) The connection between the ASA and the Check Point is a VPN.
    2.) Under Implied Rules in Global Properties, the Accept ICMP is enabled and set to First on the Check Point.


    What you will get here is as follows

    1.) Server B sends an ICMP request to Server A.
    2.) Cisco ASA encrypts the ICMP and forwards across the VPN to the Check Point.
    3.) The Check Point matches the Implied Rule and Accepts the packet, and forwards to ServerA, Rule is an Any, Any, ICMP Accept rule so doesn't matter if the packet arrives over a VPN or not.
    4.) Server A responds and the ICMP reply arrives at the Check Point, which identifies it as a reply.
    5.) Check Point Gateway encrypts the ICMP reply and sends it to the Cisco ASA.
    6.) Cisco ASA decrypts and forwards to Server B.
    7.) Server B sees ICMP reply and shows a success


    1.) Server A sends an ICMP request to Server B
    2.) Check Point matches the ICMP request to the Implied Rule ( it is above the VPN Rules )
    3.) The Check Point routes the ICMP request out of the External Interface WITHOUT encrypting the traffic
    4.) Traffic never arrives at the ASA
    5.) Server A gets no ICMP reply so Ping Fails

    This would get you the scenario you are seeing, but would allow Remote Desktop / file sharing to work, as they would not hit the implied rules and so would match into the explicit rules.
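The rule-order reasoning in the post above (an implied "Accept ICMP" rule placed First matching before the explicit VPN rule, so a ping from Server A leaves in clear text while RDP and file sharing still hit the VPN rule) can be modelled in a few lines. This is an added example, not Check Point code and not something from the thread: the rulebase, host names, service names and the "asa-community" VPN community are constructed assumptions, and matching is simplified to Any/exact on source, destination and service.

```python
# Added example (not Check Point code): a small model of the rule-order
# effect described in the post, i.e. an implied "Accept ICMP" rule placed
# "First" matching before the explicit VPN rule, so ICMP from Server A
# leaves unencrypted while RDP still matches the VPN rule.
# Rule names, host names and the community name are constructed assumptions.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    name: str
    src: str                       # "Any" or a host name
    dst: str
    service: str                   # "Any" or a service name
    action: str                    # "accept" or "drop"
    vpn: Optional[str] = None      # VPN community; None means clear text
    implied: Optional[str] = None  # "First", "Before Last" or None (explicit)


@dataclass
class Packet:
    src: str
    dst: str
    service: str


@dataclass
class Verdict:
    rule: str
    action: str
    encrypted: bool                # True if the match sends it into the community


def _matches(rule: Rule, pkt: Packet) -> bool:
    """Simplified Any/exact matching on source, destination and service."""
    return all(want in ("Any", have) for want, have in
               ((rule.src, pkt.src), (rule.dst, pkt.dst), (rule.service, pkt.service)))


def ordered(rules: List[Rule]) -> List[Rule]:
    """Evaluation order: implied 'First', then explicit rules, then 'Before Last'."""
    first = [r for r in rules if r.implied == "First"]
    explicit = [r for r in rules if r.implied is None]
    before_last = [r for r in rules if r.implied == "Before Last"]
    return first + explicit + before_last


def evaluate(rules: List[Rule], pkt: Packet) -> Verdict:
    """Return the first matching rule; unmatched traffic hits the cleanup drop."""
    for r in ordered(rules):
        if _matches(r, pkt):
            return Verdict(r.name, r.action, encrypted=(r.action == "accept" and r.vpn is not None))
    return Verdict("cleanup", "drop", False)


def policy(icmp_implied_position: Optional[str]) -> List[Rule]:
    """Constructed rulebase: one explicit site-to-site VPN rule plus the implied
    ICMP rule at the given position (None = implied ICMP rule disabled)."""
    rules = [Rule("site-to-site", "Any", "Any", "Any", "accept", vpn="asa-community")]
    if icmp_implied_position:
        rules.append(Rule("implied-icmp", "Any", "Any", "icmp", "accept",
                          implied=icmp_implied_position))
    return rules


def trace(icmp_implied_position: Optional[str]) -> dict:
    """Evaluate the three flows from the thread under one implied-ICMP setting."""
    rules = policy(icmp_implied_position)
    return {
        "A->B icmp": evaluate(rules, Packet("serverA", "serverB", "icmp")),
        "A->B rdp": evaluate(rules, Packet("serverA", "serverB", "rdp")),
        "B->A icmp": evaluate(rules, Packet("serverB", "serverA", "icmp")),
    }


if __name__ == "__main__":
    for pos in ("First", "Before Last", None):
        print(f"implied ICMP = {pos}")
        for flow, v in trace(pos).items():
            print(f"  {flow:10s} -> {v.rule:13s} {v.action:7s} encrypted={v.encrypted}")
```

With the implied rule at First, the A->B ICMP flow matches `implied-icmp` and leaves in clear text while RDP matches `site-to-site` and is encrypted; moving the implied rule to Before Last (or disabling it) makes ICMP fall through to the explicit VPN rule. Checking the Check Point log for which rule the ICMP request matched, as suggested above, is the quickest way to confirm or rule out this ordering on a real gateway.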

  3. #3 (oharek, Belfast)

    Re: NAT on a server object

    Quote Originally Posted by mcnallym View Post
    [post #2 quoted in full]

    Yes, I do see the ICMP go out of the firewall.
    It's an Ethernet connection to the ASA.
    You are correct - I am NATting the object behind itself.

    So I will take your advice on board and also think about amending the global properties on the problem Check Point. Because I have 5 Check Point firewalls in my network, 4 of them have never needed this done before for any server. So I checked the global properties for the other 4.

    All 4 have a setting saying:
    IP Pool NAT
    Enable IP Pool NAT ticked


    But the problem firewall does not have this ticked. So this must be why I was having this issue.

    regards,
    Kevin
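The NAT-behind-itself configuration confirmed above makes the gateway proxy ARP for the server's own address, so two MACs answer for one IP on the DMZ segment; the server losing its static address and falling back to a 169.x.x.x address is consistent with an address conflict. The following is an added example, not from the thread or from Check Point, that checks a capture for exactly that symptom: ARP replies in tcpdump's output format are parsed and any IP answered by more than one MAC is reported, with a flag when one of the MACs belongs to a known gateway interface. The capture lines, IP addresses and MAC addresses are constructed.

```python
# Added example (not from the thread): find IP addresses answered by more
# than one MAC in ARP replies, which is what a gateway proxy-ARPing for a
# server's own address looks like on the wire. The capture below is
# constructed in tcpdump's ARP output format; addresses and MACs are made up.
import re
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, Iterator, Set, Tuple

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+)\s+ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Constructed sample: 10.10.20.5 is answered by the server's own NIC and by
# a second MAC (assumed here to be the gateway's DMZ interface).
SAMPLE_CAPTURE = """\
12:00:01.000001 ARP, Request who-has 10.10.20.5 tell 10.10.20.1, length 28
12:00:01.000120 ARP, Reply 10.10.20.5 is-at 00:0c:29:aa:bb:cc, length 28
12:00:01.000250 ARP, Reply 10.10.20.5 is-at 00:1c:7f:11:22:33, length 28
12:00:02.000001 ARP, Request who-has 10.10.20.9 tell 10.10.20.1, length 28
12:00:02.000090 ARP, Reply 10.10.20.9 is-at 00:0c:29:dd:ee:ff, length 28
12:00:03.000001 ARP, Reply 10.10.20.5 is-at 00:1c:7f:11:22:33, length 28
"""

GATEWAY_MACS: FrozenSet[str] = frozenset({"00:1c:7f:11:22:33"})  # assumed gateway MAC


def parse_replies(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (ip, mac) for every ARP reply line; requests and other lines are skipped."""
    for line in lines:
        m = ARP_REPLY.match(line.strip())
        if m:
            yield m.group("ip"), m.group("mac").lower()


def find_conflicts(lines: Iterable[str], gateway_macs: FrozenSet[str] = frozenset()) -> Dict[str, dict]:
    """Return {ip: {"macs": [...], "likely_proxy_arp": bool}} for IPs with >1 MAC."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for ip, mac in parse_replies(lines):
        seen[ip].add(mac)
    report: Dict[str, dict] = {}
    for ip, macs in seen.items():
        if len(macs) > 1:
            report[ip] = {
                "macs": sorted(macs),
                # A gateway MAC among the answers points at proxy ARP rather than a rogue host.
                "likely_proxy_arp": any(m in gateway_macs for m in macs),
            }
    return report


if __name__ == "__main__":
    for ip, info in find_conflicts(SAMPLE_CAPTURE.splitlines(), GATEWAY_MACS).items():
        print(f"{ip}: answered by {', '.join(info['macs'])} "
              f"(likely proxy ARP: {info['likely_proxy_arp']})")
```

Run against a real `tcpdump -n -e arp` capture from the DMZ segment (or the server's own ARP table over time), an IP that flips between the server's MAC and the firewall's interface MAC is the proxy-ARP duplicate the post warns about; removing the automatic NAT on the object, as advised, removes the second answerer.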
