30 December 2010
How To Troubleshoot NAT-related Issues
© 2010 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.
Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=11843
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
Revision History
Date Description
12/29/2010 First release of this document
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments (mailto:[email protected]?subject=Feedback on How To Troubleshoot NAT-related Issues ).
Contents
Important Information (p. 3)
How To Troubleshoot NAT-related Issues (p. 5)
  Objective (p. 5)
  Supported Versions (p. 5)
  Supported OS (p. 5)
  Supported Appliances (p. 5)
Before You Start (p. 5)
  Related Documentation and Assumed Knowledge (p. 5)
  Impact on the Environment and Warnings (p. 5)
How Check Point Enforces NAT (p. 6)
  NAT Types (p. 6)
  Configuration (p. 6)
  Matching NAT Rules (p. 6)
  NAT Configuration Examples (p. 7)
NAT Troubleshooting Flow (p. 8)
Running Kernel Debug and Firewall Monitor (p. 9)
Verifying (p. 9)
How To Troubleshoot NAT-related Issues
Objective
This document explains the steps for troubleshooting NAT in Check Point Security Gateways.
Supported Versions
This document is suitable for every SmartCenter and Security Management server:
NGX R71
NGX R70
NGX
Supported OS
Supported on all platforms.
Supported Appliances
Relevant for every appliance and Open server.
For Open servers, please refer to the Hardware Compatibility List on the Check Point public site at: http://www.checkpoint.com/services/techsupport/hcl/all.html
Before You Start
Related Documentation and Assumed Knowledge
sk30557 (http://supportcontent.checkpoint.com/solutions?id=sk30557)
sk41072 (http://supportcontent.checkpoint.com/solutions?id=sk41072)
sk8802 (http://supportcontent.checkpoint.com/solutions?id=sk8802)
Impact on the Environment and Warnings
Kernel debug may cause high CPU usage.
How Check Point Enforces NAT
NAT Types
Hide NAT – N:1 translation. N hosts share a single NAT IP.
Implication: Incoming connections are impossible.
Static NAT – 1:1 translation
Other NAT Types:
IP Pool NAT – N:M translation
Port Mapping – Translate the service (destination port)
Cluster NAT – NAT cluster member IPs to cluster virtual IP
Proxy NAT (Fold/Unfold) – changes the connection's packets so that they reach a proxy (security server)
Configuration
This document only covers Automatic and Manual NAT rules. For information on how to configure IP Pool NAT, please see the FireWall-1 user guide and SecureKnowledge.
Automatic NAT rules – defined on the NATed object in the NAT tab.
Manual NAT rules – defined directly in the NAT Rule base, like security rules.
Priority between NAT rules:
Pre manual rules
Automatic rules
Post manual rules
In addition, inside the automatic rules group, Static rules have higher priority than Hide rules.
Matching NAT Rules
The firewall performs NAT on a packet when it matches the connection on a NAT rule, similar to the Security Rule base. Both Automatic and Manual NAT rules create a rule in the NAT Rule base.
When the first packet in the connection enters the firewall, it is matched against the Security Rule base and against the NAT Rule base. The firewall then records the connection, and all future packets matched on that connection are NATed.
Since the firewall records the connection from all sides (e.g., if the connection is initiated as X->Y(z), where X is the client, Y is the NATed IP address and z is the internal, real IP address, the connection also includes z(Y)->X), there is no need to explicitly configure a back connection.
A back connection should only be configured if you want the internal server to match the rule when it is the one that initiates the connection, for example when z wants to open a connection to X from behind IP Y.
By default, Automatic NAT rules also create a back connection to allow connections from the internal address.
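The rule priority and connection recording described above, modelled as an added example (this is illustrative code, not Check Point's implementation). The rule names, addresses and the simplified (src, dst, service) connection key are constructed for the example; a real gateway keys connections on the full tuple.

```python
# Added example (not Check Point code): toy model of NAT rule matching.
# Rule kinds are ordered pre-manual, automatic static, automatic hide, post-manual.
# The first packet of a connection is matched once; the translation is recorded
# for both directions, so reply packets need no explicit back-connection rule.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PRIORITY = {"pre": 0, "auto_static": 1, "auto_hide": 2, "post": 3}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: int  # destination port of the connection's first packet

@dataclass
class NatRule:
    name: str
    kind: str                         # one of the PRIORITY keys
    match_src: str = "0.0.0.0/0"      # network or single address
    match_dst: str = "0.0.0.0/0"
    xlate_src: Optional[str] = None   # None = leave unchanged
    xlate_dst: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.match_src)
                and ip_address(p.dst) in ip_network(self.match_dst))

class Gateway:
    def __init__(self, rules):
        # Stable sort: configured order is kept inside each priority group.
        self.rules = sorted(rules, key=lambda r: PRIORITY[r.kind])
        self.conns = {}   # (src, dst, service) -> (translated Packet, rule name)

    def translate(self, p: Packet):
        key = (p.src, p.dst, p.service)
        if key in self.conns:                 # later packet: reuse recorded xlate
            return self.conns[key]
        hit = next((r for r in self.rules if r.matches(p)), None)   # first match wins
        out = Packet(hit.xlate_src or p.src, hit.xlate_dst or p.dst, p.service) if hit else p
        name = hit.name if hit else None
        self.conns[key] = (out, name)
        # Record the reverse side: the reply arrives as out.dst->out.src and must
        # leave as p.dst->p.src (the z(Y)->X half of the same connection).
        self.conns[(out.dst, out.src, p.service)] = (Packet(p.dst, p.src, p.service), name)
        return out, name

def build_gateway(with_back_rule=True):
    # Constructed rule base: LAN hidden behind 203.0.113.1, host 10.1.1.5 static behind 203.0.113.10.
    rules = [NatRule("hide-lan", "auto_hide", match_src="10.1.1.0/24", xlate_src="203.0.113.1"),
             NatRule("static-in", "auto_static", match_dst="203.0.113.10", xlate_dst="10.1.1.5")]
    if with_back_rule:  # the rule an Automatic Static NAT adds for internally initiated traffic
        rules.append(NatRule("static-out", "auto_static", match_src="10.1.1.5", xlate_src="203.0.113.10"))
    return Gateway(rules)
```

Without the back rule, traffic initiated by 10.1.1.5 falls through to the Hide rule, which is why the document says the rule is only needed when the internal host must initiate connections from behind its static IP.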
NAT Configuration Examples
Automatic NAT:
Right-click the object you want to hide and select the NAT method and NAT IP address.
Manual NAT:
Add the NAT rule to the NAT Rule base in the following manner. Original Packet indicates what the first packet in the connection looks like when it enters the firewall; Translated Packet indicates what the first packet looks like when it exits the firewall towards the internal server. The returning packet on the connection is matched on the same rule in the same manner: this time the packet enters as seen in Translated Packet and exits as seen in Original Packet (with source and destination reversed).
The following rule should be added if you plan for traffic to be initiated from Hostx_Internal and statically NATed behind the IP of Hostx_External. There is no need to add it if you only want to allow connections to be initiated to this host and not from it.
NAT Troubleshooting Flow
SKs appearing in the above flow:
sk30557 (http://supportcontent.checkpoint.com/solutions?id=sk30557)
sk41072 (http://supportcontent.checkpoint.com/solutions?id=sk41072)
sk8802 (http://supportcontent.checkpoint.com/solutions?id=sk8802)
Running Kernel Debug and Firewall Monitor
Warning:
Kernel debug may cause high CPU usage. Before running the debug make sure the machine is not heavily loaded. You can verify this using the commands:
top/vmstat - on UNIX-based systems
Task Manager - on Windows-based systems
Disable SecureXL or NOKIA FLOWS before generating the debug.
To run the kernel debug and firewall monitor:
1. From the command line run:
   fw monitor -e "accept;" -o outputfile.cap
   If possible, use INSPECT syntax to filter the capture, e.g.:
   # fw monitor -e "host(x.x.x.x),accept;" -o outputfile.cap
   to capture only inbound and outbound traffic related to host x.x.x.x.
2. Open another shell and run the following commands:
   # fw ctl debug 0
   # fw ctl debug -buf 32000
   # fw ctl debug -m fw + conn packet nat xlate xltrc
   # fw ctl kdebug -T -f > /var/kernel_debug.ctl
3. Replicate the issue.
4. Stop the firewall monitor capture with Ctrl+C.
5. Stop the kernel debug by running:
   # fw ctl debug -x
Verifying
Make sure that the problem was replicated while the debug was running.
Contact Check Point support and upload the files for further investigation.