CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Thread: R77.30, NTP and NAT issue

  1. #1
    Join Date: 2006-09-26 | Posts: 3,163 | Rep Power: 16

    R77.30, NTP and NAT issue

    I have a very strange situation and need some help.

    I have a host behind the firewall, 192.168.75.82, that needs to access the following hosts for NTP service:

    src: 192.168.75.82 --> translated src to firewall interface
    dst: 1.1.1.1 --> translated destination to 4.1.1.1

    src: 192.168.75.82 --> translated src to firewall interface
    dst: 1.1.1.2 --> translated destination to 4.1.1.2

    src: 192.168.75.82 --> translated src to firewall interface
    dst: 1.1.1.3 --> translated destination to 4.1.1.3

    src: 192.168.75.82 --> translated src to firewall interface
    dst: 1.2.1.1 --> translated destination to 4.1.1.2

    src: 192.168.75.82 --> translated src to firewall interface
    dst: 1.2.1.2 --> translated destination to 4.1.1.3

    src: 192.168.75.82 --> translated src to firewall interface
    dst: 1.2.1.3 --> translated destination to 4.1.1.1

    Routing is in place and confirmed good, and firewall rules and NAT are in place.

    Problem is that it is not working 100% of the time, probably 75% or 80% of the time.

    When it is working, from fw monitor I see this:

    [vs_0][fw_2] eth0:i[76]: 192.168.75.82 -> 1.1.1.1 (UDP) len=76 id=0
    [vs_0][fw_2] eth0:I[76]: 192.168.75.82 -> 4.1.1.1 (UDP) len=76 id=0
    [vs_0][fw_2] eth1[76]: 192.168.75.82 -> 4.1.1.1 (UDP) len=76 id=0
    [vs_0][fw_2] eth1:O[76]: 192.168.75.82 -> 4.1.1.1 (UDP) len=76 id=0


    When it is not working, from fw monitor I see this:

    [vs_0][fw_0] eth0:i[76]: 192.168.75.82 -> 1.2.1.3 (UDP) len=76 id=0
    [vs_0][fw_0] eth0:I[76]: 192.168.75.82 -> 4.1.1.1 (UDP) len=76 id=0


    Basically no o/O. In other words, the firewall is not processing the packet.

    As mentioned before, it is working about 80% of the time.

    Thoughts?
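The fw monitor lines quoted above have a regular shape: virtual system, firewall instance, interface with a chain-position letter (i = pre-inbound, I = post-inbound, o = pre-outbound, O = post-outbound), then source, destination, protocol and sizes. The following is an added example, not Check Point code and not something the poster ran: a small parser that groups each packet's hops into a trace (a new trace starts at every `i` line) and flags traces that pass post-inbound `I` but never appear at `o`/`O`, which is exactly the symptom described. The sample input is the six lines quoted in the post; the regular expression, the `Hop`/`Trace` classes and the `summarize` helper are my own naming.

```python
"""Group Check Point fw monitor lines per packet and flag packets that
enter the inbound chain (i/I) but never reach the outbound chain (o/O).

Added example for this thread; not Check Point code. The line format is
taken from the fw monitor output quoted in the post.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One fw monitor line, e.g.
#   [vs_0][fw_2] eth0:i[76]: 192.168.75.82 -> 1.1.1.1 (UDP) len=76 id=0
# The chain-position letter after the interface is optional because one
# quoted line ("eth1[76]:") does not carry it.
LINE_RE = re.compile(
    r"^\[(?P<vs>vs_\d+)\]\[(?P<inst>fw_\d+)\]\s+"
    r"(?P<iface>[A-Za-z0-9._-]+)(?::(?P<point>[iIoO]))?\[(?P<caplen>\d+)\]:\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+\((?P<proto>\w+)\)\s+"
    r"len=(?P<len>\d+)\s+id=(?P<id>\d+)\s*$"
)


@dataclass
class Hop:
    iface: str
    point: Optional[str]  # 'i', 'I', 'o', 'O' or None when the letter is missing
    src: str
    dst: str


@dataclass
class Trace:
    """All hops of one packet; a new trace starts at each 'i' line."""
    instance: str
    hops: List[Hop] = field(default_factory=list)

    def points(self) -> List[Optional[str]]:
        return [h.point for h in self.hops]

    def original_dst(self) -> str:
        return self.hops[0].dst

    def translated_dst(self) -> Optional[str]:
        # Destination NAT shows up as a changed dst between 'i' and 'I'.
        for h in self.hops[1:]:
            if h.dst != self.hops[0].dst:
                return h.dst
        return None

    def reached_outbound(self) -> bool:
        return any(p in ("o", "O") for p in self.points())


def parse_fw_monitor(text: str) -> List[Trace]:
    traces: List[Trace] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # prompts, blank lines and other noise are skipped
        hop = Hop(m["iface"], m["point"], m["src"], m["dst"])
        if m["point"] == "i" or not traces:
            traces.append(Trace(instance=m["inst"]))
        traces[-1].hops.append(hop)
    return traces


def summarize(traces: List[Trace]) -> List[dict]:
    """One row per packet: where it was seen and whether it left the box."""
    rows = []
    for t in traces:
        rows.append({
            "instance": t.instance,
            "orig_dst": t.original_dst(),
            "nat_dst": t.translated_dst(),
            "points": "".join(p or "?" for p in t.points()),
            "verdict": "forwarded" if t.reached_outbound()
                       else "lost between I and o (never reached the outbound chain)",
        })
    return rows


# The six fw monitor lines quoted in the post, used as sample input.
SAMPLE = """\
[vs_0][fw_2] eth0:i[76]: 192.168.75.82 -> 1.1.1.1 (UDP) len=76 id=0
[vs_0][fw_2] eth0:I[76]: 192.168.75.82 -> 4.1.1.1 (UDP) len=76 id=0
[vs_0][fw_2] eth1[76]: 192.168.75.82 -> 4.1.1.1 (UDP) len=76 id=0
[vs_0][fw_2] eth1:O[76]: 192.168.75.82 -> 4.1.1.1 (UDP) len=76 id=0
[vs_0][fw_0] eth0:i[76]: 192.168.75.82 -> 1.2.1.3 (UDP) len=76 id=0
[vs_0][fw_0] eth0:I[76]: 192.168.75.82 -> 4.1.1.1 (UDP) len=76 id=0
"""

if __name__ == "__main__":
    for row in summarize(parse_fw_monitor(SAMPLE)):
        print(row)
```

Run over the quoted capture it reports the first packet as `iI?O` / forwarded and the second as `iI` / lost between `I` and `o`, and it also records that both were destination-translated to 4.1.1.1. The `instance` column is worth keeping in larger captures: the two traces above were handled by different CoreXL instances (fw_2 and fw_0), which is one of the first things to compare when a fault is intermittent.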

  2. #2
    Join Date: 2009-04-30 | Location: Colorado, USA | Posts: 2,229 | Rep Power: 13

    Re: R77.30, NTP and NAT issue

    Quote Originally Posted by cciesec2006:
    I have a very strange situation and need some help.

    I have a host behind the firewall, 192.168.75.82, that needs to access the following hosts for NTP service:

    src: 192.168.75.82 --> translated src to firewall interface
    dst: 1.1.1.1 --> translated destination to 4.1.1.1

    src: 192.168.75.82 --> translated src to firewall interface
    dst: 1.1.1.2 --> translated destination to 4.1.1.2

    src: 192.168.75.82 --> translated src to firewall interface
    dst: 1.1.1.3 --> translated destination to 4.1.1.3

    src: 192.168.75.82 --> translated src to firewall interface
    dst: 1.2.1.1 --> translated destination to 4.1.1.2

    src: 192.168.75.82 --> translated src to firewall interface
    dst: 1.2.1.2 --> translated destination to 4.1.1.3

    src: 192.168.75.82 --> translated src to firewall interface
    dst: 1.2.1.3 --> translated destination to 4.1.1.1

    Routing is in place and confirmed good, and firewall rules and NAT are in place.

    Problem is that it is not working 100% of the time, probably 75% or 80% of the time.

    When it is working, from fw monitor I see this:

    [vs_0][fw_2] eth0:i[76]: 192.168.75.82 -> 1.1.1.1 (UDP) len=76 id=0
    [vs_0][fw_2] eth0:I[76]: 192.168.75.82 -> 4.1.1.1 (UDP) len=76 id=0
    [vs_0][fw_2] eth1[76]: 192.168.75.82 -> 4.1.1.1 (UDP) len=76 id=0
    [vs_0][fw_2] eth1:O[76]: 192.168.75.82 -> 4.1.1.1 (UDP) len=76 id=0


    When it is not working, from fw monitor I see this:

    [vs_0][fw_0] eth0:i[76]: 192.168.75.82 -> 1.2.1.3 (UDP) len=76 id=0
    [vs_0][fw_0] eth0:I[76]: 192.168.75.82 -> 4.1.1.1 (UDP) len=76 id=0


    Basically no o/O. In other words, the firewall is not processing the packet.

    As mentioned before, it is working about 80% of the time.

    Thoughts?
    When it is not working, something in Gaia/Linux is "eating" the NTP packet as it is not appearing at o. So it has nothing to do with Check Point firewall code or SecureXL. Is the firewall dynamically routed?
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  3. #3
    Join Date: 2006-09-26 | Posts: 3,163 | Rep Power: 16

    Re: R77.30, NTP and NAT issue

    Quote Originally Posted by ShadowPeak.com:
    When it is not working, something in Gaia/Linux is "eating" the NTP packet as it is not appearing at o. So it has nothing to do with Check Point firewall code or SecureXL. Is the firewall dynamically routed?
    LOL.... Gaia/Linux. To me, it is Check Point regardless.

    No, I do not use dynamic routing on the firewall. Everything is static routes.

    I also discovered: if I do not NAT outbound NTP traffic to the firewall interface but instead to an unused IP address on the same network as the firewall interface, and I use routing on the next hop to route that traffic back to the firewall, then NTP will work 100% of the time. Therefore, it is safe to assume that there is a difference between hide NAT'ing to the firewall interface and hide NAT'ing to an unused IP address on the same network as the firewall interface. Go figure.
