NAT-related Issues
30 December 2010
Important Information
Latest Software
We recommend that you install the most recent software release to stay up to date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.
Latest Documentation
The latest version of this document is at:
http://supportcontent.checkpoint.com/documentation_download?ID=11843
For additional technical information, visit the Check Point Support Center
(http://supportcenter.checkpoint.com).
Revision History
Date
Description
12/29/2010
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on How To Troubleshoot NAT-related Issues).
Contents
Important Information .............................................................................................3
How To Troubleshoot NAT-related Issues ............................................................5
Objective ............................................................................................................. 5
Supported Versions ............................................................................................. 5
Supported OS...................................................................................................... 5
Supported Appliances ......................................................................................... 5
Before You Start .....................................................................................................5
Related Documentation and Assumed Knowledge .............................................. 5
Impact on the Environment and Warnings ........................................................... 5
How Check Point Enforces NAT ............................................................................6
NAT Types .......................................................................................................... 6
Configuration ....................................................................................................... 6
Matching NAT Rules............................................................................................ 6
NAT Configuration Examples: ......................................................................... 7
NAT Troubleshooting Flow ....................................................................................8
Running Kernel Debug and Firewall Monitor ........................................................9
Verifying ..................................................................................................................9
Objective
Supported Versions
This document is suitable for every SmartCenter and Security Management server:
NGX R71
NGX R70
NGX
Supported OS
Supported Appliances
For Open Servers, please refer to the Hardware Compatibility List on the Check Point public site at:
http://www.checkpoint.com/services/techsupport/hcl/all.html
sk30557 (http://supportcontent.checkpoint.com/solutions?id=sk30557)
sk41072 (http://supportcontent.checkpoint.com/solutions?id=sk41072)
sk8802 (http://supportcontent.checkpoint.com/solutions?id=sk8802)
NAT Types
Proxy NAT (Fold/Unfold) changes the packets of a connection so that they reach a proxy (security server).
Configuration
This document only covers Automatic and Manual NAT rules. For information on how to configure IP Pool NAT, please see the FireWall-1 user guide and SecureKnowledge.
Automatic NAT rules are defined on the NATed object, in its NAT tab.
Manual NAT rules are defined directly in the NAT Rule Base, in the same way as security rules.
Priority between NAT rules:
Automatic rules
In addition, within the automatic rules group, Static rules have higher priority than Hide rules.
The firewall performs NAT on a packet when its connection matches a NAT rule, in the same way that the Security Rule Base is matched. Both Automatic and Manual NAT rules create a rule.
When the first packet in a connection enters the firewall, it is first matched against the Security Rule Base and then against the NAT Rule Base. The firewall then records the connection, and all subsequent packets matched on that connection are NATed.
Since the firewall records the connection from all sides, there is no need to explicitly configure a back connection. For example, if a connection is initiated from X->Y(z), where X is the client, Y is the NATed IP address and z is the internal, real IP address, the recorded connection also includes z(Y)->X, so the replies from z are translated.
A back connection should only be configured if you want the internal server to match the rule when it is the one that initiates the connection: for example, when z wants to open a connection to X from behind IP Y.
By default, Automatic NAT rules also create a back connection, to allow connections initiated from the internal address.
Automatic NAT:
Right-click the object you want to hide and simply select the NAT method and the NAT IP address.
Manual NAT:
Add the NAT rule to the NAT Rule Base in the following manner. Original Packet describes how the first packet in the connection looks when it enters the firewall.
Translated Packet describes how the first packet in the connection looks when it exits the firewall towards the internal server.
The returning packet of the connection is also matched on that rule, in the same manner; this time the packet enters as described in Translated Packet and exits as described in Original Packet (with source and destination reversed).
The following rule should be added if you plan for traffic to be initiated from Hostx_Internal and Statically NATed behind the IP address of Hostx_External. There is no need to add it if you only want to allow connections to be initiated to this host and not from it.
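The rule-matching and connection-recording behaviour described above, as an added example that is not Check Point code: a toy model in which the first packet of a connection is matched against an ordered NAT rule base, the connection is recorded in both directions so the server's replies are translated without any extra rule, and a connection initiated by the internal host is translated only when a back-connection rule exists. All addresses, ports and the hide address are constructed for the example.

```python
"""Toy model of NAT rule matching and connection recording (added example,
not Check Point code). Addresses and ports below are constructed."""
import ipaddress
from dataclasses import dataclass

ANY = "Any"   # wildcard in an Original Packet column
SAME = "="    # "unchanged" in a Translated Packet column


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def key(self):
        return (self.src, self.sport, self.dst, self.dport)

    def reverse(self):
        return Packet(self.dst, self.dport, self.src, self.sport)


def _match(field, addr):
    """Match an Original Packet field: wildcard, exact host, or CIDR network."""
    if field in (ANY, addr):
        return True
    if "/" in field:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(field, strict=False)
    return False


@dataclass(frozen=True)
class NatRule:
    """One NAT rule: Original Packet (orig_*) -> Translated Packet (xlate_*)."""
    orig_src: str
    orig_dst: str
    xlate_src: str
    xlate_dst: str
    kind: str  # "static" or "hide"

    def matches(self, pkt):
        return _match(self.orig_src, pkt.src) and _match(self.orig_dst, pkt.dst)

    def translate(self, pkt):
        # Ports are kept as-is in this model; a real Hide rule also rewrites the source port.
        src = pkt.src if self.xlate_src == SAME else self.xlate_src
        dst = pkt.dst if self.xlate_dst == SAME else self.xlate_dst
        return Packet(src, pkt.sport, dst, pkt.dport)


class Firewall:
    """First matching rule wins; order the list with Static automatic rules before Hide."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.connections = {}  # packet as it enters -> packet as it exits

    def process(self, pkt):
        known = self.connections.get(pkt.key())
        if known is not None:   # later packet of an already recorded connection
            return known
        out = pkt               # default: no NAT rule matched, pass unchanged
        for rule in self.rules:
            if rule.matches(pkt):
                out = rule.translate(pkt)
                break
        # Record both directions: replies enter as out.reverse() and leave as pkt.reverse().
        self.connections[pkt.key()] = out
        self.connections[out.reverse().key()] = pkt.reverse()
        return out


def demo():
    """The X -> Y(z) scenario from the guide, with constructed addresses."""
    X = "203.0.113.10"   # external client
    Y = "198.51.100.5"   # public address the server is NATed behind
    z = "10.0.0.5"       # real internal address of the server
    hide_ip = "198.51.100.1"

    # Only the inbound static rule: X reaches z, and z's replies leave as Y.
    fw = Firewall([NatRule(ANY, Y, SAME, z, "static")])
    inbound = fw.process(Packet(X, 40000, Y, 80))
    reply = fw.process(Packet(z, 80, X, 40000))
    # A new connection initiated by z matches no rule, so it leaves with its real address.
    outbound_no_rule = fw.process(Packet(z, 50000, X, 443))

    # Add the back-connection rule plus a Hide rule for the rest of the subnet, ordered
    # Static before Hide so that z is translated to Y rather than to the hide address.
    fw2 = Firewall([
        NatRule(ANY, Y, SAME, z, "static"),
        NatRule(z, ANY, Y, SAME, "static"),
        NatRule("10.0.0.0/24", ANY, hide_ip, SAME, "hide"),
    ])
    outbound_with_rule = fw2.process(Packet(z, 50000, X, 443))
    other_host = fw2.process(Packet("10.0.0.7", 50001, X, 443))
    return inbound, reply, outbound_no_rule, outbound_with_rule, other_host


if __name__ == "__main__":
    for p in demo():
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

Running the block prints each resulting packet as it leaves the firewall; the third line shows z leaving untranslated, and the fourth shows it leaving as Y once the back-connection rule is present.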
sk30557 (http://supportcontent.checkpoint.com/solutions?id=sk30557)
sk41072 (http://supportcontent.checkpoint.com/solutions?id=sk41072)
sk8802 (http://supportcontent.checkpoint.com/solutions?id=sk8802)
fw ctl debug 0
fw ctl debug -buf 32000
fw ctl debug -m fw + conn packet nat xlate xltrc
fw ctl kdebug -T -f > /var/kernel_debug.ctl
Verifying
Make sure that the problem was replicated while the debug was running.
Contact Check Point support and upload the files for further investigation.