Checkpoint NAT

Hi,

I have an external IP address provided by my ISP, who NATs to their own internal range, i.e. 200.200.200.1 - 10.15.21.16. I am looking to hit an internal server on my internal network, i.e. 172.17.2.1, from the Internet.

I can see traffic hitting my firewall with the destination of 10.15.21.16.
Any ideas how to get this working?
0
skywalker101
1 Solution
 
deimark Commented:
Should be doable here bud.

I see that you have 10.15.21.16 as your external interface on the firewall and that the ISP is natting 200.200.200.1 through to your firewall.

Do you have a requirement to have a static one-to-one nat, ie you want to have a unique IP address assigned to the internal server on both the public ISP side and the external side 10.15.21.x?

Or do you just want to nat the incoming connections on specific ports to the internal server? In CP parlance, do you want to have full static nat for inbound and outbound connections, or do you just want to apply destination nat, ie traffic to 200.200.200.1 on port 24 (which is natted to your firewall on 10.15.21.16 port 25) is then natted to get sent to the internal server on port 25?

As you do not manage the ISP upstream router for the nat, it may be prudent to do the dest nat, where we can create manual nat rules to translate traffic for specific ports onto the internal server.

Let me know the version of your CP install and I can attach the nat guide which will help you achieve what you want.
0
 
skywalker101 Author Commented:
CP Version NGX R65 on Nokia

I was looking to do a one-to-one static NAT for inbound and outbound connections. Although, after reviewing your comments above, maybe the best option would be destination NAT?

I want to NAT connections on http straight through to the internal webserver:
Public 200.0.0.1 --ISP NAT--> 10.15.21.16 >>>> Internal Server 172.17.2.1 port http
0
 
deimark Commented:
Hiya bud

I have attached the firewall admin guide, which goes into more detail re the differences in NATs and their common usages.

In short though, if the only connections that you want to NAT are "TO" the internal server, then dest nat is for you. If you want to have all outgoing connections from the internal server natted using the SAME address as the incoming nat, then static nat is the one you want.

Hope this makes it a lil clearer for you.
CheckPoint-R65-Firewall-SmartDef.pdf
0
 
deimark Commented:
Sorry, just to add as well: for your web server, if you don't want to initiate connections from the web server to the internet, or don't care what the connections from the web server to the internet are natted behind, then dest nat is fine for that.
0
 
skywalker101 Author Commented:
Hi,

Just want to initiate from the Internet to the web server; not concerned about the web server to the internet. Had a look at the attached doc and there seem to be two types of NAT. I am not sure how to do the dest NAT. Is this a flavour of static NAT?

1. Static (Static NAT translates each private address to a corresponding public address)
2. Hide (Hide NAT allows only connections that originate on the internal network)
0
 
deimark Commented:
If you have the extra IPs available, then just use the static NAT option and tell the ISP to forward all port 80 traffic to the static nat address you use on the web server object.

Dest nat can be a bit fiddly on occasion, as it is a manual rule creation.
0
 
skywalker101 Author Commented:
My ISP will only NAT to their own internal range, i.e. 10.15.21.x, and I currently do not have any extra IP addresses to play with.
Currently I have my external interface configured as 10.15.21.16, which accepts the traffic on the ISP NAT'd address.

I think the only option is dest nat. When you say manual nat, is this on the NAT tab within SmartDashboard rather than on the network object?

Have you any pointers in configuring this type of nat, i.e. original packet source/dest?
0
 
skywalker101 Author Commented:
Hi,

I have got the static NAT working. What I want to do is to NAT from any external address to the internal web server; currently I can only get it working in a 1-1.

Original Packet                          Translated Packet
Source       Destination                 Source          Destination
public IP    10.15.21.16                 172.17.40.10    172.17.2.1
0
 
deimark Commented:
Are the rules you mention above created by the automatic process, or are they created manually?

Normally, I would say that the translated packet would have an untranslated source, ie it would keep the external IP of the client the same and not apply any translation.

Normally, the automatic nat rules created when we use static nat are sufficient here, so keen to find out why there is a translation on the source address from the internet.
0
 
skywalker101 Author Commented:
The rules added were manual, as this was the only way I could get it working; when I removed the source for the untranslated packet it would not work.
Also, when I removed the source from the untranslated packet, I had to remove the source from the translated packet for the policy to install.
0
 
deimark Commented:
OK, I will give an example of how I would do this using fictitious IPs here, and we will then be able to transfer that onto your set up.

Set up will be as follows:

WWW  <->   ISP Router  <-->  CP Firewall  <-->  LAN

IPs

ISP Router WAN IP  1.1.1.1
ISP Router inside IP  10.1.1.1/24
CP FW External IP 10.1.1.254/24
CP LAN IP  192.168.1.1/24

Web Server 192.168.1.22

The ISP only has 1 public IP of 1.1.1.1 and will NAT all outgoing connections from the CP FW to 1.1.1.1
The ISP will also NAT all incoming traffic for 1.1.1.1 to the CP FW and maintain the incoming port.  ie traffic to 1.1.1.1:25 is sent to 10.1.1.254:25

So, for us to NAT the incoming traffic on port 80 to the web server, we can do it one of 2 ways.

1.  Automatic static NAT
2.  Manual dest nat rules

Details:

1.  To action this we must ensure that the ISP is definitely maintaining the destination port of 80!!!  Also, as this is a private range, we should be able to get more IPs from the ISP; this is key to making this work.

So, in this example, we get 10.1.1.200-10.1.1.254 as extra IPs.  We will ask the ISP to take all port 80 traffic that comes into 1.1.1.1 and translate it to 10.1.1.250

The ISP will receive traffic for 1.1.1.1:80 and forward it on to 10.1.1.250:80

On the CP FW, create a host object with IP of 192.168.1.22 and add a static NAT of 10.1.1.250

This automatic nat will create 2 nat rules that will do what we need, ie translate all incoming traffic for 10.1.1.250 to the web server, and all outgoing traffic from the web server will be translated to 10.1.1.250

Option 2

If we cannot get any other IPs from the ISP, we are left with the manual rule creation here.

In this case, the ISP will send all traffic for 1.1.1.1 (no matter the port) to the CP FW of 10.1.1.254.

We can then create a destination nat rule manually as follows:

Untranslated packet                                      Translated packet
Src <Public>   Dst 10.1.1.1 (CP FW)   Service 80         Src unchanged   Dst 192.168.1.22   Service unchanged

This will ensure that all traffic that hits the firewall on port 80 is then translated to the web server and forwarded on.  As this is dest nat, no other rules are needed and it only applies to incoming traffic.


Of course, the easiest and best way ahead is to get your ISP to give you public addresses and allow you to manage all your own NAT and connections, but I know that some ISPs can get anal and very unhelpful in this respect.

Does this make any more sense to you?
0
 
skywalker101 Author Commented:
I got it working; after running a packet capture on the webserver, I found there was no route back to the source.
0
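The two options deimark lays out, together with the "no route back to the source" cause the asker found, as an added example (not code from the thread or from Check Point): a small Python model of the NAT rulebase using deimark's constructed address plan, with the firewall external IP 10.1.1.254 as the untranslated destination. The Internet client 203.0.113.5, the hide address 192.168.1.1 and the server routing tables are assumptions for the example.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class NatRule:
    """One NAT rulebase line: original dst/service -> translated src/dst.
    orig_dport None means 'any service'; an xlate field of None means 'unchanged'."""
    orig_dst: str
    orig_dport: Optional[int]
    xlate_src: Optional[str]
    xlate_dst: Optional[str]

def apply_nat(pkt: Packet, rules) -> Packet:
    """Inbound NAT: first matching rule wins, as in the Check Point rulebase."""
    for r in rules:
        if pkt.dst == r.orig_dst and r.orig_dport in (None, pkt.dport):
            return replace(pkt, src=r.xlate_src or pkt.src, dst=r.xlate_dst or pkt.dst)
    return pkt  # no rule matched: packet keeps the firewall's own address as dst

def has_route_back(pkt: Packet, server_routes) -> bool:
    """Can the web server route a reply to the (possibly translated) source address?"""
    return any(ip_address(pkt.src) in ip_network(n) for n in server_routes)

# Option 1: automatic static NAT on the host object, using spare ISP-side IP 10.1.1.250
AUTO_STATIC = [NatRule("10.1.1.250", None, None, "192.168.1.22")]
# Option 2: manual dest-NAT rule with the source left unchanged (deimark's table)
MANUAL_DEST = [NatRule("10.1.1.254", 80, None, "192.168.1.22")]
# The asker's first working rule: source also rewritten to an inside address (assumed 192.168.1.1)
HIDE_SRC_DEST = [NatRule("10.1.1.254", 80, "192.168.1.1", "192.168.1.22")]

LAN_ONLY = ["192.168.1.0/24"]                   # web server with no default route (assumed)
WITH_DEFAULT = ["192.168.1.0/24", "0.0.0.0/0"]  # default route via the CP LAN IP (assumed)

def inbound(rules, server_routes, dst="10.1.1.254", dport=80):
    """Return (translated dst, reply routable) for a constructed Internet client 203.0.113.5."""
    xl = apply_nat(Packet("203.0.113.5", dst, dport), rules)
    return xl.dst, has_route_back(xl, server_routes)

if __name__ == "__main__":
    print(inbound(MANUAL_DEST, LAN_ONLY))      # ('192.168.1.22', False): the packet-capture finding
    print(inbound(MANUAL_DEST, WITH_DEFAULT))  # ('192.168.1.22', True)
    print(inbound(HIDE_SRC_DEST, LAN_ONLY))    # ('192.168.1.22', True): works, but server never sees the client
    print(inbound(AUTO_STATIC, LAN_ONLY, dst="10.1.1.250", dport=443))  # static NAT matches every service
```

Note that the static NAT rule forwards every service to the server, so the security rulebase, not the NAT rule, must restrict what reaches it; the hide-source variant works without a default route but loses the real client address in the server's logs.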
 
deimark Commented:
Aha, that makes sense then. :P

Glad to hear it's working now.
0
