
How To Troubleshoot

NAT-related Issues

30 December 2010

2010 Check Point Software Technologies Ltd.


All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of
relevant copyrights and third-party licenses.

Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional
improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation
The latest version of this document is at:
http://supportcontent.checkpoint.com/documentation_download?ID=11843
For additional technical information, visit the Check Point Support Center
(http://supportcenter.checkpoint.com).

Revision History
Date         Description
12/29/2010   First release of this document

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
(mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on How To Troubleshoot NAT-related Issues).

Contents
Important Information .............................................................................................3
How To Troubleshoot NAT-related Issues ............................................................5
Objective ............................................................................................................. 5
Supported Versions ............................................................................................. 5
Supported OS...................................................................................................... 5
Supported Appliances ......................................................................................... 5
Before You Start .....................................................................................................5
Related Documentation and Assumed Knowledge .............................................. 5
Impact on the Environment and Warnings ........................................................... 5
How Check Point Enforces NAT ............................................................................6
NAT Types .......................................................................................................... 6
Configuration ....................................................................................................... 6
Matching NAT Rules............................................................................................ 6
NAT Configuration Examples: ......................................................................... 7
NAT Troubleshooting Flow ....................................................................................8
Running Kernel Debug and Firewall Monitor ........................................................9
Verifying ..................................................................................................................9

How To Troubleshoot NAT-related Issues

Objective
This document explains the steps for troubleshooting NAT in Check Point Security Gateways.

Supported Versions
This document is suitable for every SmartCenter and Security Management server:

NGX R71

NGX R70

NGX

Supported OS

Supported on all platforms

Supported Appliances

Relevant for every appliance and Open server.

For Open servers, please refer to the Hardware Compatibility List in the Check Point public site at:
http://www.checkpoint.com/services/techsupport/hcl/all.html

Before You Start


Related Documentation and Assumed Knowledge

sk30557 (http://supportcontent.checkpoint.com/solutions?id=sk30557)

sk41072 (http://supportcontent.checkpoint.com/solutions?id=sk41072)

sk8802 (http://supportcontent.checkpoint.com/solutions?id=sk8802)

Impact on the Environment and Warnings

Kernel debug may cause high CPU usage.

How To Troubleshoot NAT-related Issues

Page 5

How Check Point Enforces NAT

NAT Types

Hide NAT: many-to-one translation. N hosts share a single NAT IP.
Implication: Incoming connections are impossible.

Static NAT: 1:1 translation.

Other NAT Types:

IP Pool NAT: N:M translation.

Port Mapping: translates the service (destination port).

Cluster NAT: NATs cluster member IPs to the cluster virtual IP.

Proxy NAT (Fold/Unfold): changes the packets of a connection so they reach a proxy (security server).

Configuration
This document only covers Automatic and Manual NAT rules. For information on how to configure IP Pool
NAT, please see the FireWall-1 user guide and SecureKnowledge.
Automatic NAT rules are defined on the NATed object, in its NAT tab.
Manual NAT rules are defined directly in the NAT rule base, like security rules.
Priority between NAT rules, in order of precedence:

Pre manual rules

Automatic rules

Post manual rules

In addition, inside the automatic rules group, Static rules have higher priority than Hide rules.

Matching NAT Rules

The firewall performs NAT on a packet when the connection matches a NAT rule, similar to the
Security Rule base. Both Automatic and Manual NAT rules create a rule in that rule base.

When the first packet in the connection enters the firewall, it is matched against the Security Rule
base and against the NAT Rule base. The firewall then records the connection, and all future packets
matched on that connection are NATed.

Since the firewall records the connection from all sides (e.g., if the connection is initiated as X->Y(z),
where X is the client, Y is the NATed IP address and z is the internal, real IP address, the connection will
also include z(Y)->X), there is no need to explicitly configure a back connection.

A back connection should only be configured if you want the internal server to match the rule when it
is the one initiating the connection, for example when z wants to open a connection to X from behind
IP Y.

By default, Automatic NAT rules create a back connection as well, to allow connections from the
internal address.
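The rule priority from the Configuration section and the connection-table behaviour described here, as an added example that is not code from this Check Point document: a toy gateway that orders a NAT rule base (pre manual, automatic static, automatic hide, post manual), translates the first packet on the first matching rule, records both directions of the connection, and shows why an internal host that initiates its own connections needs a back-connection rule. The rule fields, the "*" wildcard, the empty-string "unchanged" convention and all addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class NatRule:
    # kind is pre_manual, auto_static, auto_hide or post_manual; "*" matches any
    # address; an empty translated field leaves that address unchanged (assumed model)
    kind: str
    orig_src: str = "*"
    orig_dst: str = "*"
    xlate_src: str = ""
    xlate_dst: str = ""
    def matches(self, p: Packet) -> bool:
        return self.orig_src in ("*", p.src) and self.orig_dst in ("*", p.dst)

# rule base order from the document; inside the automatic group static beats hide
PRIORITY = {"pre_manual": 0, "auto_static": 1, "auto_hide": 2, "post_manual": 3}

class Gateway:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: PRIORITY[r.kind])
        self.conns = {}  # 4-tuple as the packet enters -> 4-tuple as it exits

    def translate(self, p: Packet) -> Packet:
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.conns:             # established connection: no rule base lookup
            return Packet(*self.conns[key])
        for r in self.rules:              # first packet of a connection: first match wins
            if r.matches(p):
                out = Packet(r.xlate_src or p.src, p.sport, r.xlate_dst or p.dst, p.dport)
                self.conns[key] = (out.src, out.sport, out.dst, out.dport)
                # the reply direction is recorded as well, so it needs no rule of its own
                self.conns[(out.dst, out.dport, out.src, out.sport)] = (p.dst, p.dport, p.src, p.sport)
                return out
        return p                          # no NAT rule matched: packet leaves unchanged

def demo():
    X, Y, z, H = "198.51.100.7", "203.0.113.10", "10.0.0.5", "203.0.113.99"  # constructed
    gw = Gateway([NatRule("auto_static", orig_dst=Y, xlate_dst=z)])
    inbound = gw.translate(Packet(X, 40000, Y, 80))   # X->Y enters, X->z exits
    reply = gw.translate(Packet(z, 80, X, 40000))     # z->X found in the table, exits as Y->X
    new_out = gw.translate(Packet(z, 50000, X, 443))  # z initiates: no rule matches, stays z
    # a back-connection rule translates z to Y and wins over the hide rule (static beats hide)
    gw2 = Gateway([NatRule("auto_hide", orig_src=z, xlate_src=H), NatRule("auto_static", orig_src=z, xlate_src=Y)])
    return inbound.dst, reply.src, new_out.src, gw2.translate(Packet(z, 50000, X, 443)).src
```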


NAT Configuration Examples:

Automatic NAT:
Right-click the object you want to hide and select the NAT method and NAT IP address.

Manual NAT:
Add the NAT rule to the NAT Rule base in the following manner. Original Packet indicates how the first
packet in the connection looks when it enters the firewall.
Translated Packet indicates how the first packet in the connection looks when it exits the firewall to
the internal server.
The returning packet on the connection is matched on the same rule in the same manner; this time
the packet enters as seen in Translated Packet and exits as seen in Original Packet (with reversed
source and destination).

The following rule should be added if you plan that traffic will be initiated from Hostx_Internal and will be
statically NATed behind the IP of Hostx_External. There is no need to add it if you only want to allow
connections to be initiated to this host and not from it.


NAT Troubleshooting Flow

SKs appearing in the above flow:

sk30557 (http://supportcontent.checkpoint.com/solutions?id=sk30557)

sk41072 (http://supportcontent.checkpoint.com/solutions?id=sk41072)

sk8802 (http://supportcontent.checkpoint.com/solutions?id=sk8802)


Running Kernel Debug and Firewall Monitor
Warning:

Kernel debug may cause high CPU usage.


Before running the debug make sure the machine is not heavily loaded.
You can verify this using the commands:

top/vmstat - on UNIX-based systems

Task Manager - on Windows-based systems

Disable SecureXL or NOKIA FLOWS before generating the debug.

To run the kernel debug and firewall monitor:


1. From the command line run:
# fw monitor -e "accept;" -o outputfile.cap
If possible, use the INSPECT syntax to filter the capture, e.g.:
# fw monitor -e "host(x.x.x.x),accept;" -o outputfile.cap
to filter for inbound and outbound traffic related to host x.x.x.x.
2. Open another shell and run the following commands:
# fw ctl debug 0
# fw ctl debug -buf 32000
# fw ctl debug -m fw + conn packet nat xlate xltrc
# fw ctl kdebug -T -f > /var/kernel_debug.ctl

3. Replicate the issue.


4. Stop the firewall monitor capture with Ctrl+C.
5. Stop the kernel debug by running:
# fw ctl debug -x

Verifying

Make sure that the problem was replicated while the debug was running.

Contact Check Point support and upload the files for further investigation.
