
NAT and anti-spoofing


bard9

IS-IT--Management
Jun 26, 2001
I'm having a problem with NAT.

I have one workstation device defined on my firewall just for testing purposes (this is my initial installation).
I have this device set to NAT to the address on the external interface of the Firewall.

When I try to access an external IP, the packet is accepted by Check Point and correctly NATed. This is immediately followed by several drops of ICMP packets with the source being 127.0.0.1 (the loopback). The reason is logged as "local interface address spoofing".

I have tried both static and hide NATing as outlined in my coursebook. I have tried every security setting on my firewall interfaces. I have also reviewed my route table.
(I can ping from the Check Point firewall to devices on all sides of the interfaces.)

I thought I understood this well, but can't seem to alleviate this problem. I can't access any external IP addresses.

I am running Check Point on AIX 4.3.

Any help anyone can provide would be greatly appreciated.

Thanks.
 
bard9
You need to set up a static host route and a static ARP entry so the firewall can answer with its MAC address and route the packet correctly.
wilz


Note: You cannot use the firewall's external IP address for your workstation's NAT address. You will need another routable IP address from your ISP.

Example

Firewalls External Interface
185.185.50.1 MAC Address 00-XX-XX-XX-XX-XX
Workstation Object 1 < Routable >
185.185.50.50
Workstation Object 2 < RFC Address >
192.168.50.50 STATIC NAT to 185.185.50.50

Route 185.185.50.50/32 via 192.168.50.50/32
Static ARP 192.168.50.50 00-XX-XX-XX-XX-XX

Now when a packet is destined for 185.185.50.50 the firewall will answer with its MAC address and route the packet to 192.168.50.50.
 
Actually, I am trying to use hide NAT and hide my internal network behind the firewall's external nic. Does this feature not work? If using a static NAT, then yes I would need a different IP.

The outgoing packets do NAT correctly; it seems that the incoming or reply packets from the world are dropped with the source being 127.0.0.1 and the message "local interface spoofing".

Using the following example:

Internal network: 192.168.x.x, Hide NAT=185.185.50.1 (the firewall's external IP)

Workstation1: 192.168.50.50 will be accepted outgoing and NATed to 185.185.50.1. The source here is correctly indicated as 192.168.50.50.

A return packet, source being 127.0.0.1, will be dropped as a spoofed address. (A return packet is indicated by a left arrow in my log... am I reading this wrong?)

Another thing that puzzles me is that the origin of all packets is 185.185.50.1.
 
I would also recommend using a second external IP address for your NAT.
e.g. Hide NAT=185.185.50.2
This will enable you to separate firewall traffic from internal network traffic.
 
I did try that. I used a different IP for both a hide and a static NAT. I put this new IP in my route table. It did nothing to correct the problem. Exact same error message.

 

This might work: define Hide NAT on the internal_network object as opposed to the firewall object.

I have done it on Nokia boxes and it works for me.

 
It sounds like you are doing everything correctly. I have a similar setup myself. Just curious: do you have anything set up in your firewall object/interfaces tab/edit button/security tab? This is where you set up your "anti-spoofing" settings. If this is set up incorrectly, difficulty getting to an external address can be a symptom. If you do have it set up, just for testing purposes, turn it off. After you're finished, if this is the problem, you can always reconfigure it and turn it back on. Let me know if this was helpful. I have had some anti-spoofing dilemmas in the past that sound similar to your problem.
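To make the drop decision discussed in this thread concrete, here is an added example (not Check Point code and not from any poster) that models the two mechanisms involved: hide/static NAT translation in both directions, and the topology-based anti-spoofing check that rejects a packet arriving on the external interface whose source is one of the firewall's own addresses. The addresses are the ones used in the thread (192.168.x.x inside, 185.185.50.1 as the firewall's external IP, 185.185.50.2 as the separate hide-NAT address, 192.168.50.50 static-NATed to 185.185.50.50); the interface names, the port pool, the external host 203.0.113.10 and the use of ports rather than ICMP identifiers are assumptions made for the illustration.

```python
"""Toy model of hide/static NAT plus interface anti-spoofing (added example).

Not Check Point's implementation: it only reproduces the behaviour described in
the thread so the "local interface address spoofing" drop can be reasoned about.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Addresses follow the thread's example; interface names (AIX style) and the
# hide-NAT port pool are assumptions for the illustration.
INTERNAL_IF = "en1"
EXTERNAL_IF = "en0"
INTERNAL_NETS: List[IPv4Network] = [ip_network("192.168.0.0/16")]
FW_EXTERNAL_IP = ip_address("185.185.50.1")
HIDE_NAT_IP = ip_address("185.185.50.2")         # separate routable address for hide NAT
STATIC_NAT: Dict[IPv4Address, IPv4Address] = {
    ip_address("192.168.50.50"): ip_address("185.185.50.50"),
}
# Addresses owned by the firewall itself. A packet arriving from outside with one
# of these as its *source* is impossible and is logged as local interface spoofing.
LOCAL_ADDRESSES = {FW_EXTERNAL_IP, ip_address("127.0.0.1")}
HIDE_PORT_POOL_START = 10000


def addr(text: str) -> IPv4Address:
    """Small helper so callers can build packets from dotted strings."""
    return ip_address(text)


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int


class Firewall:
    def __init__(self) -> None:
        self.hide_table: Dict[Tuple[IPv4Address, int], int] = {}   # (src, sport) -> public port
        self.reverse: Dict[int, Tuple[IPv4Address, int]] = {}      # public port -> (src, sport)
        self.next_port = HIDE_PORT_POOL_START
        self.log: List[Tuple[str, str, Packet, str]] = []

    def antispoof(self, iface: str, pkt: Packet) -> Optional[str]:
        """Topology check: return a drop reason if pkt.src is implausible on iface."""
        from_internal = any(pkt.src in net for net in INTERNAL_NETS)
        if iface == INTERNAL_IF:
            return None if from_internal else "address spoofing"
        # External interface: neither our own addresses nor internal ranges may appear as source.
        if pkt.src in LOCAL_ADDRESSES:
            return "local interface address spoofing"
        if from_internal:
            return "address spoofing"
        return None

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet entering on the internal interface: anti-spoof, then apply static or hide NAT."""
        reason = self.antispoof(INTERNAL_IF, pkt)
        if reason:
            self.log.append(("drop", INTERNAL_IF, pkt, reason))
            return None
        if pkt.src in STATIC_NAT:                       # one-to-one translation keeps the port
            return Packet(STATIC_NAT[pkt.src], pkt.sport, pkt.dst, pkt.dport)
        key = (pkt.src, pkt.sport)                      # hide NAT: many-to-one with port mapping
        if key not in self.hide_table:
            self.hide_table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return Packet(HIDE_NAT_IP, self.hide_table[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet entering on the external interface: anti-spoof first, then undo NAT."""
        reason = self.antispoof(EXTERNAL_IF, pkt)
        if reason:
            self.log.append(("drop", EXTERNAL_IF, pkt, reason))
            return None
        for inner, outer in STATIC_NAT.items():
            if pkt.dst == outer:
                return Packet(pkt.src, pkt.sport, inner, pkt.dport)
        if pkt.dst == HIDE_NAT_IP and pkt.dport in self.reverse:
            inner, port = self.reverse[pkt.dport]
            return Packet(pkt.src, pkt.sport, inner, port)
        self.log.append(("drop", EXTERNAL_IF, pkt, "no NAT state"))
        return None


def demo() -> Firewall:
    """Replays the thread's scenario and prints each decision."""
    fw = Firewall()
    remote = addr("203.0.113.10")                       # constructed external host
    out = fw.outbound(Packet(addr("192.168.50.60"), 40000, remote, 80))
    print("outbound translated to", out)
    print("reply untranslated to", fw.inbound(Packet(remote, 80, HIDE_NAT_IP, out.sport)))
    # The packet the original poster saw: source 127.0.0.1 on the external side.
    print("loopback-sourced packet ->", fw.inbound(Packet(addr("127.0.0.1"), 0, HIDE_NAT_IP, out.sport)))
    for entry in fw.log:
        print("log:", entry)
    return fw


if __name__ == "__main__":
    demo()
```

Running `demo()` shows the outbound packet leaving as 185.185.50.2:10000, the genuine reply being mapped back to 192.168.50.60:40000, and the loopback-sourced packet being dropped before any NAT lookup with the reason "local interface address spoofing". The point for a defender is that the anti-spoofing decision is made from interface topology alone, so it is the interface/topology definition and the NAT objects that have to agree, not the NAT rule on its own.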
 