May 13th, 2002, 11:25 AM
Static Table NAT not working in Checkpoint
I have a problem and I need all of your expert advice. I have a Checkpoint and I have installed SP2 on it. The problem is that my company wants to install a static table NAT on their network. I can't seem to ping the network out of my company even though I have set the 3 routing table. Any ideas ppl? Thanking you in advance
May 13th, 2002, 08:01 PM
To be quite honest, I am not sure what you are talking about, because you have not given enough detail. For one, what OS are you using?
I am assuming that your problem is that you probably forgot to set either static routes or static Proxy ARP's on the firewall. Each NAT should have a static route somewhere at the OS level. Also static ARP entries need to be added and this is different depending on the OS. If it is Nokia IPSO, this can be done via Voyager, if it is Windows NT 4, you have to modify the local.arp file, etc. Please provide me with much more detail, and I will try to help.
May 14th, 2002, 02:42 AM
I have set the local.arp, route add -p, and also the object properties. NAT is set to static NAT and it's on an NT 4 Server platform. Currently, this firewall is supposed to work together with a Cisco VPN server. I'm not too sure about the nature of the VPN server, but what I want is to be able to do a static NAT for the VPN server so that it is accessible from the Internet.
Thanks for your help in advance.
May 14th, 2002, 03:33 PM
Have you verified that your ARPs are working correctly? Go to a device outside your Checkpoint (maybe a Cisco router) and view the ARP cache ('sh arp' if it is Cisco) to make sure that you are in fact getting an ARP and that it is not incomplete. Also, are you sure the format of the static route is correct?
It should be 'route add -p <public IP> mask <netmask> <internal IP>'
Also have you checked the obvious stuff, like having a rule in your rulebase to allow traffic to your VPN device? I would recommend leaving ICMP open at this point for troubleshooting. Also make sure the firewall itself can ping the VPN device. If all else fails, disable the 'automatic' static NAT, and go to the address translation tab and manually create entries for the xlated object. Finally, it might be an issue with antispoofing. If you have antispoofing enabled on the firewall (let me know if you don't know how to check), this will definitely cause problems. Look at your log viewer when you attempt connections to the VPN device, and see what the logs tell you. If it is rule 0 that is causing the drops, it could be your antispoofing configuration. Let me know what it says in your log files... and if there is nothing in the logs, you more than likely have some type of connectivity, ARP or routing issue.
Feel free to email me directly if you'd like.
Hope this helps
May 14th, 2002, 07:02 PM
Follow iNViCTuS's advice, and while on your node outside the firewall, check to make sure you do not have a rule/filter, etc., on that unit which might disallow your ICMP traffic.
Further, what does the log viewer show when you try from inside the firewall? If it is not rule 0 as mentioned, perhaps another rule is not allowing it, so check your rules. Ensure that if you have a LAN-side gateway it has the next hop (FW) correctly in its tables.
May 15th, 2002, 03:01 AM
Thanks for the advice.
I have tried 'route add -p <public IP> mask <internal IP>'. Is it any different than 'route add -p <public IP> mask <netmask> <internal IP>'? At the beginning I was getting an incomplete MAC address, but then I managed to solve that. But the static route is still not working. I have also tried disabling the anti-spoofing while configuring, but then it still does not work. And as for the logs, it's 4 GB (taking up nearly all the available hard disk space). I wanted to delete the logs, but the sys admin said he is not able to because of some internal auditing issues. Any way of splitting up the logs and viewing them?
I have also tried to ping the VPN device (Cisco) from the firewall; there is a reply.
I'm not too sure whether ICMP is open on the VPN or not, but I'll ask and try it.
Will get back to you on this. Thanks for the advice people.
May 15th, 2002, 03:53 AM
If memory serves, you may also have to add-in static MACs as well for the static NAT...
(and, as other people have pointed out already... check if ICMP is allowed through the firewall... and watch the log viewer... closely)
"Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take affect. Reboot now?"
May 16th, 2002, 02:03 PM
'route add -p <public IP> mask <internal IP>' is not the correct syntax because you need to include the 32-bit netmask for a host route. For example:
server public IP = 220.127.116.11
Internal/LAN IP = 10.0.0.10
'route add -p 18.104.22.168 mask 255.255.255.255 10.0.0.10'
Once you have that done, try 'route print' to verify the route is there. As long as the ARP cache on your router shows the correct IP, the router knows where to send the packets, but without the correct route, the firewall itself will not know how to send the translated packet to the internal host....
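The two checks the thread keeps coming back to, the upstream router's ARP cache ('sh arp') and the firewall's persistent host route ('route add -p' / 'route print'), as an added example that is not code from the thread, from Check Point or from Cisco: a Python script that generates the host route command and the local.arp line for a static NAT mapping, then parses constructed 'route print' and 'show arp' output to report a missing or wrong host route and an incomplete ARP entry. The addresses and MACs are constructed (RFC 5737 documentation ranges), the column layouts are modelled on typical NT and IOS output, and the '<IP> <MAC-with-dashes>' layout of a local.arp line is an assumption.

```python
"""Check the plumbing a static NAT on a Windows NT Check Point gateway needs.

Added example, not from the original thread. Two failure modes from the
discussion are detected: the firewall lacks the /32 host route for the
public address, and the router's ARP entry for it is incomplete.
"""
import re
from dataclasses import dataclass

HOST_MASK = "255.255.255.255"


@dataclass(frozen=True)
class StaticNat:
    public_ip: str    # translated address the Internet sees
    internal_ip: str  # real address of the host behind the firewall
    fw_ext_mac: str   # MAC of the firewall's external interface


def route_add_command(nat: StaticNat) -> str:
    """Persistent host route (32-bit mask) for the translated address."""
    return f"route add -p {nat.public_ip} mask {HOST_MASK} {nat.internal_ip}"


def local_arp_line(nat: StaticNat) -> str:
    """Proxy-ARP entry so the firewall answers ARP for the public address.
    The '<IP> <MAC with dashes>' layout is an assumption about local.arp."""
    return f"{nat.public_ip} {nat.fw_ext_mac}"


def normalize_mac(mac: str) -> str:
    """Treat 00-A0-C9-12-34-56 and 00a0.c912.3456 as the same MAC."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Windows 'route print' data row: destination netmask gateway interface metric
_ROUTE_RE = re.compile(rf"^\s*{IPV4}\s+{IPV4}\s+{IPV4}\s+{IPV4}\s+\d+\s*$")
# IOS 'show arp' data row: Internet <ip> <age> <hw addr> ...
_ARP_RE = re.compile(rf"^Internet\s+{IPV4}\s+\S+\s+(\S+)")


def parse_route_print(text: str) -> dict:
    """Map (destination, netmask) -> gateway from 'route print' output."""
    routes = {}
    for line in text.splitlines():
        m = _ROUTE_RE.match(line)
        if m:
            dest, mask, gateway, _iface = m.groups()
            routes[(dest, mask)] = gateway
    return routes


def parse_show_arp(text: str) -> dict:
    """Map IP -> hardware address, or None where IOS reports 'Incomplete'."""
    arp = {}
    for line in text.splitlines():
        m = _ARP_RE.match(line)
        if m:
            ip, hw = m.groups()
            arp[ip] = None if hw.lower() == "incomplete" else hw
    return arp


def check_static_nat(nat: StaticNat, route_print_text: str, show_arp_text: str) -> list:
    """Return human-readable findings; an empty list means both checks pass."""
    findings = []
    gateway = parse_route_print(route_print_text).get((nat.public_ip, HOST_MASK))
    if gateway is None:
        findings.append(f"no host route for {nat.public_ip}; run: {route_add_command(nat)}")
    elif gateway != nat.internal_ip:
        findings.append(f"host route for {nat.public_ip} points at {gateway}, expected {nat.internal_ip}")

    arp = parse_show_arp(show_arp_text)
    if nat.public_ip not in arp:
        findings.append(f"router has no ARP entry for {nat.public_ip}; send traffic to it and re-check")
    elif arp[nat.public_ip] is None:
        findings.append(f"router ARP entry for {nat.public_ip} is incomplete; check local.arp has: {local_arp_line(nat)}")
    elif normalize_mac(arp[nat.public_ip]) != normalize_mac(nat.fw_ext_mac):
        findings.append(f"router resolves {nat.public_ip} to {arp[nat.public_ip]}, not the firewall ({nat.fw_ext_mac})")
    return findings


# Constructed sample data: documentation addresses and made-up MACs.
VPN_NAT = StaticNat("203.0.113.10", "10.0.0.10", "00-A0-C9-12-34-56")

ROUTE_PRINT_BROKEN = """\
Active Routes:

  Network Address          Netmask  Gateway Address        Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1      203.0.113.2       1
         10.0.0.0        255.0.0.0         10.0.0.1         10.0.0.1       1
"""
ROUTE_PRINT_FIXED = ROUTE_PRINT_BROKEN + (
    "     203.0.113.10  255.255.255.255        10.0.0.10         10.0.0.1       1\n")

SHOW_ARP_BROKEN = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  203.0.113.2             5   00a0.c912.3456  ARPA   FastEthernet0/0
Internet  203.0.113.10            0   Incomplete      ARPA
"""
SHOW_ARP_FIXED = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  203.0.113.2             5   00a0.c912.3456  ARPA   FastEthernet0/0
Internet  203.0.113.10            1   00a0.c912.3456  ARPA   FastEthernet0/0
"""

if __name__ == "__main__":
    for label, rp, sa in (("before", ROUTE_PRINT_BROKEN, SHOW_ARP_BROKEN),
                          ("after", ROUTE_PRINT_FIXED, SHOW_ARP_FIXED)):
        print(label, check_static_nat(VPN_NAT, rp, sa) or ["ok"])
```

Run against the constructed "before" output it reports both the missing host route and the incomplete ARP entry; against the "after" output it reports nothing. On a real gateway you would paste the actual 'route print' and 'show arp' text in place of the constructed strings; an incomplete entry on the router with a correct route on the firewall points at the proxy-ARP side, and a complete entry with a missing route points at the routing side, which is the split the thread's last two posts describe.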