Solved

Firewall-1 Version 4 problem

Posted on 2002-05-15
Last Modified: 2013-11-16
My company is using a Checkpoint Firewall with VPN v.4 on NT4.

For some reason, I am unable to set up static NAT mappings for hosts behind the trusted interface.

I need to flatten our setup (remove the DMZ) prior to us setting up a proper mechanism for updating our website securely, but I am unable to do so as I am unable to talk to any machines behind the trusted interface if I assign them a static NAT entry. If I move a machine to the DMZ and perform the same steps, the NATting works.

I have carried out some testing from a machine outside the network and if a machine is on the DMZ the firewall performs ARP Proxy functionality (i.e. if I set up a rule to allow ICMP requests, the MAC address of the responding client is the firewall's). However, if a machine is on the trusted network, the static mapping will not work.
Question by:hstiles
12 Comments

Expert Comment

by:Tim Holman
ID: 7010701
Is this trusted network covered by a generic hide NAT rule ?
If so, you'll need to put an 'anti-NAT' rule in for this particular host to stop it being hide NATted by the generic rule, and make sure this goes before the hide NAT rule.
Automatic NAT rules won't work with this - you'll need to recreate them all manually.

Author Comment

by:hstiles
ID: 7010711
The trusted network isn't covered by a general Hide rule.  I have configured outbound access on the basis of a logical group called XXX_WAN (XXX=my company name) containing 'network' objects for all of the subnets within our WAN and these have a NAT rule assigned hiding them behind the firewall's external IP.  Would this be the cause of the problem?  The DMZ isn't part of this logical group.

So could my problem be caused by the fact that I have a couple of rules right near the top of my security policy allowing hosts general ICMP, NTP and DNS outbound access and that the automatic NAT rules created by these firewall rules are conflicting with the static NAT entries that I am trying to define later in the security policy?

Expert Comment

by:Tim Holman
ID: 7010757
Yes.
The auto NAT rules will always appear first, so packets leaving your trusted network are being instantly hidden behind your external fw address.
Then the static NAT rule for your host is kicking in, but as the addresses have already been translated, it won't do anything.
You need the static NAT rule for your object before the general hide NAT rule - check in the address translation tab.
The auto rules aren't that flexible - they're only good for setting up simple NAT.

Author Comment

by:hstiles
ID: 7011404
No luck. I reconfigured the network object properties so that the firewall wasn't performing NAT at the network object level. I then loaded a very simple rule granting my machine full access through the firewall but without creating a NAT rule of any kind for my machine. No response to a ping, which is what I was expecting. I then modified my machine's settings so that it hid behind the firewall's external IP. As soon as I loaded the firewall policy I got a response to pings.

Finally, I set up a static NAT entry for my machine, rather than dynamic and modified the routing table on the server so that it knew to direct traffic destined for the address in question back to my machine.  Nothing.

If I do the same for a machine with an address on our DMZ, it works.

I heard somewhere that Firewall-1 needs to be told that it is to perform Proxy Arp for machines behind each interface.

Expert Comment

by:Tim Holman
ID: 7013302
Yes - you do need proxy arp for static NAT.
Under NT, you do this by modifying the local.arp file -

http://www.phoneboy.com/faq/0008.html


Author Comment

by:hstiles
ID: 7013323
Still no luck.  I found the local.arp file and it didn't have an entry for the static mapping I wanted to create.

However, I added this line and modified the firewall objects and ruleset so that there wasn't a dynamic NAT rule causing a problem. However, as soon as I assign a static NAT mapping to my machine it can no longer access the internet.

My belief is that there is something wrong with the installation of Firewall-1 on this machine.  I started working at this company 4 months ago and the firewall wasn't configured properly then and still behaves erratically at times.

If you can think of anything else let me know, otherwise I'll award you the points for your help and sit and wait for our new Firebox :)

Expert Comment

by:Tim Holman
ID: 7013340
Three steps to set up static NAT -

External fw address - 20.20.20.20
External address of host - 20.20.20.21
Internal address of host - 192.168.1.1

1)  Proxy ARP

This means the external interface of the firewall will reply to ARP requests for the external address of your host object.

2)  Static one to one route

This means that when the firewall receives packets destined for the IP address that it proxies ARP for, it will route them directly to the internal host.
eg - route add 20.20.20.21 mask 255.255.255.255 192.168.1.1

3)  2 firewall rules to do the NAT

If you use an automatic static NAT rule, it will show you how to do it, and what rules you need to manually create so you can shift them around.

As a general rule, during troubleshooting, make sure that you log everything so you can see what's going wrong.

Run 'fw ver' - I'm curious as to what version you're running.  4.0 ?  4.1 ?
There are various bugs to take into consideration.
Also - 4.1 support expires at the end of the year, but if you've got software subscription in place, the upgrade to Check Point NG is free.
NG is better, faster, and easier to use.

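The rule shadowing Tim describes in comments 7010757 and 7013340 (the automatic hide rule matches first, so the later static rule never translates the trusted host), as an added Python model that is not part of this thread or of Check Point's software. The first-match evaluation, the rule names and the 192.168.0.0/16 span assumed for the XXX_WAN hide rule are my assumptions; the three addresses are the ones from Tim's outline.

```python
"""Model of a first-match address-translation rule base, as the thread
describes Firewall-1 4.x behaving. Added example; rule layout is assumed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    name: str
    src: str          # source host/network the rule matches (CIDR)
    method: str       # "hide" or "static"
    translated: str   # source address the packet carries after NAT


def matches(rule, src_ip):
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src, strict=False)


def translate(rulebase, src_ip):
    """Return (rule_name, translated_src) for the first rule that matches;
    later rules are never consulted, which is the root of the poster's problem."""
    for rule in rulebase:
        if matches(rule, src_ip):
            return rule.name, rule.translated
    return None, src_ip   # no NAT rule at all: packet leaves untranslated


def shadowed_static_rules(rulebase):
    """List (static_rule, earlier_rule) pairs where an earlier rule already
    covers the static rule's host, so the static rule can never fire."""
    found = []
    for i, rule in enumerate(rulebase):
        if rule.method != "static":
            continue
        earlier, _ = translate(rulebase[:i], rule.src.split("/")[0])
        if earlier is not None:
            found.append((rule.name, earlier))
    return found


# Constructed rule base: the automatic hide rule for the XXX_WAN group sits
# above the manual static rule, as in the poster's policy.
FW_EXTERNAL, HOST_PUBLIC, HOST_INTERNAL = "20.20.20.20", "20.20.20.21", "192.168.1.1"
BROKEN = [
    NatRule("auto hide XXX_WAN", "192.168.0.0/16", "hide", FW_EXTERNAL),
    NatRule("static host", HOST_INTERNAL + "/32", "static", HOST_PUBLIC),
]
FIXED = [BROKEN[1], BROKEN[0]]   # static rule moved above the hide rule

if __name__ == "__main__":
    print(translate(BROKEN, HOST_INTERNAL))   # ('auto hide XXX_WAN', '20.20.20.20')
    print(translate(FIXED, HOST_INTERNAL))    # ('static host', '20.20.20.21')
    print(shadowed_static_rules(BROKEN))      # [('static host', 'auto hide XXX_WAN')]
```

With the rule order fixed, other trusted hosts still hide behind the firewall's external address while the one static host keeps its own public address, which is the outcome the thread is after.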

Author Comment

by:hstiles
ID: 7013564
Checkpoint VPN-1 and Firewall-1 version 4.0 build 4031 (VPN). I know it's old and if not already so, soon to be unsupported.

The reason I think there is something intrinsically wrong with the firewall is that I've followed the steps above and they work perfectly for a machine on the service network. Now surely I simply need to alter 1) the internal address under the network object properties and the route entry to move the object to the trusted interface. However, the machine simply cannot talk.

If you set up a rule to allow inbound access and do an arp -c you'll see the firewall external NIC MAC address (i.e. it's performing ARP proxy correctly). If you move the machine to the trusted interface, the firewall simply will not perform ARP Proxy.

I'm sorely tempted to say f**k it.  The firewall hasn't been built properly and the MD has all but agreed to allowing us to replace it.  Checkpoint also want to charge us £7500 to upgrade it to the latest version.  We can get a Firebox 4500 for that and have a spare powerful server for use elsewhere.

Expert Comment

by:Tim Holman
ID: 7013837
£7500 for an upgrade ?
You should be able to back date software subscription, rather than having to buy the whole new product.  Check with your suppliers, or I could check if you send me the certificate key + a letterheaded fax saying you give me permission to look at your license records.
Fireboxes do look nice, mind you - I saw some at Infosec.
Otherwise, NT 4 SP6a, Check Point 4.1 SP5 definitely works !

Author Comment

by:hstiles
ID: 7013861
Fireboxes work very nicely too :)

They're dead easy to upgrade and version 5 SP1 makes it a really good, flexible product now that they've finally sorted out some of the NATting issues that plagued 4.6x.

In fact the only problem I have with the firebox relates to the fact you have to reboot the system whenever you make a change to the ruleset.  Still it takes only a few seconds.

To be honest, I'd rather drop Firewall-1 ASAP.  I know where I stand with Watchguard and I have big plans with regards to VPN connectivity for remote users and offices that the Firebox figures in.

Accepted Solution

by:Tim Holman (earned 300 total points)
ID: 7020200
Does Firebox offer any kind of end point security - ie personal firewalls ?
Just out of interest, that's all !
If you only have one firewall, then you probably don't need Check Point, but make sure you chose an alternative which is both cost effective and suitable for your future needs.
Going from 4.0 through to NG will be a pain in the arse - it would be quicker to commission a new firewall.  If you need a competitive quote on anything let me know - if you buy direct you'll be paying rrp.

Author Comment

by:hstiles
ID: 7035014
Firebox offer a range of appliances - the smallest being a SoHo box with a limit of 50 users. They also offer a mobile VPN client which enables you to up the security from a client from 56-bit pptp up to 168-bit l2tp which is about £30 per user (not much).  Firebox to firebox is automatically at the higher level.

I know the Firebox is a good product.  It costs the same as the Checkpoint software, which means we get a Dell server back for use elsewhere, it also features high availability options with automatic failover.