hstiles

asked on

Firewall-1 Version 4 problem

My company is using a Checkpoint Firewall with VPN v.4 on NT4.

For some reason, I am unable to set up static NAT mappings for hosts behind the trusted interface.

I need to flatten our setup (remove the DMZ) prior to us setting up a proper mechanism for updating our website securely, but I am unable to do so as I am unable to talk to any machines behind the trusted interface if I assign them a static NAT entry.  If I move a machine to the DMZ and perform the same steps, the NATting works.

I have carried out some testing from a machine outside the network and if a machine is on the DMZ the firewall performs ARP Proxy functionality (i.e. if I set up a rule to allow ICMP requests, the MAC address of the responding client is the firewall's).  However, if a machine is on the trusted network, the static mapping will not work.
Tim Holman

Is this trusted network covered by a generic hide NAT rule ?
If so, you'll need to put an 'anti-NAT' rule in for this particular host to stop it being hide NATted by the generic rule, and make sure this goes before the hide NAT rule.
Automatic NAT rules won't work with this - you'll need to recreate them all manually.
hstiles

ASKER

The trusted network isn't covered by a general Hide rule.  I have configured outbound access on the basis of a logical group called XXX_WAN (XXX=my company name) containing 'network' objects for all of the subnets within our WAN and these have a NAT rule assigned hiding them behind the firewall's external IP.  Would this be the cause of the problem?  The DMZ isn't part of this logical group.

So could my problem be caused by the fact that I have a couple of rules right near the top of my security policy allowing hosts general ICMP, NTP and DNS outbound access and that the automatic NAT rules created by these firewall rules are conflicting with the static NAT entries that I am trying to define later in the security policy?
Yes.
The auto NAT rules will always appear first, so packets leaving your trusted network are being instantly hidden behind your external fw address.
Then the static NAT rule for your host is kicking in, but as the addresses have already been translated, it won't do anything.
You need the static NAT rule for your object before the general hide NAT rule - check in the address translation tab.
The auto rules aren't that flexible - they're only good for setting up simple NAT.

ASKER

No luck.  I reconfigured the network object properties so that the firewall wasn't performing NAT at the network object level.  I then loaded a very simple rule granting my machine full access through the firewall but without creating a NAT rule of any kind for my machine.  No response to a ping, which is what I was expecting.  I then modified my machine's settings so that it hid behind the firewall's external IP.  As soon as I loaded the firewall policy I got a response to pings.

Finally, I set up a static NAT entry for my machine, rather than dynamic and modified the routing table on the server so that it knew to direct traffic destined for the address in question back to my machine.  Nothing.

If I do the same for a machine with an address on our DMZ, it works.

I heard somewhere that Firewall-1 needs to be told that it is to perform Proxy Arp for machines behind each interface.
Yes - you do need proxy arp for static NAT.
Under NT, you do this by modifying the local.arp file -

http://www.phoneboy.com/faq/0008.html



ASKER

Still no luck.  I found the local.arp file and it didn't have an entry for the static mapping I wanted to create.

However, I added this line and modified the firewall objects and ruleset so that there wasn't a dynamic NAT rule causing a problem.  However, as soon as I assign a static NAT mapping to my machine it can no longer access the internet.

My belief is that there is something wrong with the installation of Firewall-1 on this machine.  I started working at this company 4 months ago and the firewall wasn't configured properly then and still behaves erratically at times.

If you can think of anything else let me know, otherwise I'll award you the points for your help and sit and wait for our new Firebox :)
Three steps to set up static NAT -

External fw address - 20.20.20.20
External address of host - 20.20.20.21
Internal address of host - 192.168.1.1

1)  Proxy ARP

This means the external interface of the firewall will reply to ARP requests for the external address of your host object.

2)  Static one to one route

This means that when the firewall receives packets destined for the IP address that it proxies ARP for, it will route them directly to the internal host.
eg - route add 20.20.20.21 mask 255.255.255.255 192.168.1.1

3)  2 firewall rules to do the NAT

If you use an automatic static NAT rule, it will show you how to do it, and what rules you need to manually create so you can shift them around.

As a general rule, during troubleshooting, make sure that you log everything so you can see what's going wrong.

Run 'fw ver' - I'm curious as to what version you're running.  4.0 ?  4.1 ?
There are various bugs to take into consideration.
Also - 4.1 support expires at the end of the year, but if you've got software subscription in place, the upgrade to Check Point NG is free.
NG is better, faster, and easier to use.
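The following is an added example, not code from the thread or from Check Point: a small first-match model of a FireWall-1 style Address Translation rule base that shows why a manual static NAT rule placed after an automatic hide NAT rule never fires (the ordering problem discussed above), why the 'anti-NAT' rule from the first reply also works, and a check that reports static rules shadowed by an earlier hide rule. The addresses are the ones from the three-step post; the trusted network 192.168.0.0/16 (standing in for the XXX_WAN group), the firewall's external MAC address and the local.arp line format are assumptions for illustration.

```python
"""Added example: first-match NAT rule-base model for the static-vs-hide
ordering problem discussed in the thread.  Not Check Point code."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

FW_EXT = "20.20.20.20"        # external firewall address (from the post)
HOST_EXT = "20.20.20.21"      # external (public) address of the host
HOST_INT = "192.168.1.1"      # internal address of the host
TRUSTED = "192.168.0.0/16"    # assumed: the trusted/WAN range being hidden
ANY = "0.0.0.0/0"
FW_EXT_MAC = "00-a0-c9-12-34-56"   # assumed: MAC of the fw external NIC


@dataclass
class NatRule:
    name: str
    orig_src: IPv4Network
    orig_dst: IPv4Network
    xlate_src: Optional[str]   # None = leave source unchanged
    xlate_dst: Optional[str]   # None = leave destination unchanged
    method: str                # "hide", "static" or "none" (anti-NAT)


def rule(name: str, osrc: str, odst: str, xsrc: Optional[str],
         xdst: Optional[str], method: str) -> NatRule:
    return NatRule(name, ip_network(osrc), ip_network(odst), xsrc, xdst, method)


def translate(rules: List[NatRule], src: str, dst: str) -> Tuple[str, str, str]:
    """Walk the translation rules top-down; the first match wins, as in
    FW-1's Address Translation tab.  Returns (rule name, new src, new dst)."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r.orig_src and d in r.orig_dst:
            return r.name, r.xlate_src or src, r.xlate_dst or dst
    return "no-match", src, dst


def shadowed_static_rules(rules: List[NatRule]) -> List[Tuple[str, str]]:
    """Report static rules whose original source and destination are fully
    covered by an earlier hide rule: those static rules can never match."""
    found = []
    for i, r in enumerate(rules):
        if r.method != "static":
            continue
        for earlier in rules[:i]:
            if (earlier.method == "hide"
                    and r.orig_src.subnet_of(earlier.orig_src)
                    and r.orig_dst.subnet_of(earlier.orig_dst)):
                found.append((r.name, earlier.name))
                break
    return found


def static_nat_artifacts(host_ext: str, host_int: str, fw_mac: str) -> dict:
    """The two OS-side pieces from steps 1 and 2: a local.arp entry so the
    firewall answers ARP for the public address, and a host route back to
    the internal address.  The 'ip mac' line format with a dashed MAC is
    assumed (see the phoneboy FAQ linked above)."""
    return {
        "local.arp": f"{host_ext} {fw_mac}",
        "route": f"route add {host_ext} mask 255.255.255.255 {host_int}",
    }


# Order as the asker described it: the automatic hide rule for the trusted
# network sits ahead of the manually created pair of static rules.
BROKEN = [
    rule("auto-hide-trusted", TRUSTED, ANY, FW_EXT, None, "hide"),
    rule("static-out", HOST_INT + "/32", ANY, HOST_EXT, None, "static"),
    rule("static-in", ANY, HOST_EXT + "/32", None, HOST_INT, "static"),
]

# The fix from the reply: both static rules ahead of the general hide rule.
FIXED = [BROKEN[1], BROKEN[2], BROKEN[0]]

# Alternative from the first reply: an 'anti-NAT' rule (original = translated)
# for the host, placed ahead of the generic hide rule.
ANTI_NAT = [rule("anti-nat", HOST_INT + "/32", ANY, None, None, "none"), BROKEN[0]]


if __name__ == "__main__":
    for label, rb in (("broken", BROKEN), ("fixed", FIXED), ("anti-nat", ANTI_NAT)):
        print(label, "outbound:", translate(rb, HOST_INT, "8.8.8.8"))
        print(label, "inbound: ", translate(rb, "8.8.8.8", HOST_EXT))
        print(label, "shadowed:", shadowed_static_rules(rb))
    print(static_nat_artifacts(HOST_EXT, HOST_INT, FW_EXT_MAC))
```

With the broken order the host's outbound packets leave as 20.20.20.20 (hidden), exactly what the asker saw when pings only worked while hidden; with the static pair moved up they leave as 20.20.20.21, and other trusted hosts still fall through to the hide rule. The shadow check is the one thing worth running over any rule base where automatic and manual NAT rules are mixed.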


ASKER

Checkpoint VPN-1 and Firewall-1 version 4.0 build 4031 (VPN). I know it's old and if not already so, soon to be unsupported.

The reason I think there is something intrinsically wrong with the firewall is that I've followed the steps above and they work perfectly for a machine on the service network.  Now surely I simply need to alter 1) the internal address under the network object properties and the route entry to move the object to the trusted interface.  However, the machine simply cannot talk.

If you set up a rule to allow inbound access and do an arp -c you'll see the firewall external NIC MAC address (i.e. it's performing ARP proxy correctly).  If you move the machine to the trusted interface, the firewall simply will not perform ARP Proxy.

I'm sorely tempted to say f**k it.  The firewall hasn't been built properly and the MD has all but agreed to allowing us to replace it.  Checkpoint also want to charge us £7500 to upgrade it to the latest version.  We can get a Firebox 4500 for that and have a spare powerful server for use elsewhere.
£7500 for an upgrade ?
You should be able to back date software subscription, rather than having to buy the whole new product.  Check with your suppliers, or I could check if you send me the certificate key + a letterheaded fax saying you give me permission to look at your license records.
Fireboxes do look nice, mind you - I saw some at Infosec.
Otherwise, NT 4 SP6a, Check Point 4.1 SP5 definitely works !

ASKER

Fireboxes work very nicely too :)

They're dead easy to upgrade and version 5 SP1 makes it a really good, flexible product now that they've finally sorted out some of the NATting issues that plagued 4.6x.

In fact the only problem I have with the firebox relates to the fact you have to reboot the system whenever you make a change to the ruleset.  Still it takes only a few seconds.

To be honest, I'd rather drop Firewall-1 ASAP.  I know where I stand with Watchguard and I have big plans with regards to VPN connectivity for remote users and offices that the Firebox figures in.
ASKER CERTIFIED SOLUTION
Tim Holman


ASKER

Firebox offer a range of appliances - the smallest being a SoHo box with a limit of 50 users. They also offer a mobile VPN client which enables you to up the security from a client from 56-bit pptp up to 168-bit l2tp which is about £30 per user (not much).  Firebox to firebox is automatically at the higher level.

I know the Firebox is a good product.  It costs the same as the Checkpoint software, which means we get a Dell server back for use elsewhere, it also features high availability options with automatic failover.