Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Checkpoint Firewall PAT/NAT not working

Posted on 2010-11-16
2
Medium Priority
?
2,172 Views
Last Modified: 2012-05-10
We have a CheckPoint UTM 576 TS appliance running NGX R65 build 19.
We are having a problem getting PAT and manual NAT to work.
We basically need to use a single external (public) IP to support multiple services on multiple internal servers. i.e. FTP, WEB, Email. Three different internal servers - one public IP.

Following advice from other forums, we believe that we have enabled Proxy ARP (how can we check for sure?)
We have added ARP entries for the external address with the MAC of the external interface to the local.arp file.
We have created manual NAT rules as advised by other forums and CP support (quoted below)
----------------
" Basically you would have to create manual NAT rules.  In the Original packet side you would create a new rule at the top with an ANY as the source, the destination object in the destination column,  put what service you want to use, then in the translated packet side for the source, leave it original for the source and then put the host as the destination and leave the service as original.

Then you would have to create the reverse rule for that traffic.  Create a rule beneath that one with this info.  On the Original Packet side put the host in the source field, leave the destination filed as ANY and the same service as you had in the first rule, then on the translated packet side, put the destination in the source field, leave the destination as original and service original.

Now you would have to do the same thing for all the services you want to use for the same destination as separate rules.

Then you would have to create a rule in the regular rule base for the traffic to pass."
--------------------
Still nothing works.
Other services that are NATed  1-to-1 work fine.
We are working in a test environment during the week and test changes and new ideas live on the weekend, after hours.
Any help is appreciated.
Thanks,


0
Comment
Question by:tryfwdtx
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 14

Accepted Solution

by:
grimkin earned 1000 total points
ID: 34153970
Hi,to test which ips you are proxy arping for, you can use "fw ctl arp".

Create a node to represent your external public IP, e.g. external_server and one to represent your internal IP, e.g. internal_server. This example is for PATing SMTP:

The NAT rules should then read:

Original Packet:
Src: ANY
Dst: external_server
Service: SMTP

Translated Packet:
Src: Original
Dst: internal_server
Service: SMTP

====================================

Original Packet:
Src: internal_server
Dst: ANY
Service: SMTP

Translated Packet:
Src: external_server
Dst: Original
Service: SMTP


HTH

0
 

Author Comment

by:tryfwdtx
ID: 34251251
Thanks grimkin,
It took us a while to get to test in a live environment.
In addition, we also had to make manual entries into the local.arp file using the vi editor.
It is finally up and working and as of today we have it in production.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Suggested Courses

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question