F5 BIG-IP – Apply SNAT to client subnet or IP



In certain scenarios it can be useful or necessary to apply SNAT only to certain client IPs when accessing a virtual server, for example to avoid asymmetric routes when the server gateway is not the F5… (take a look at this link for more examples).

These are the steps (I'm using BIG-IP v13)…

Create a SNAT pool

I prefer the … Read more

Checkpoint – dropped Reason: UDP packet that belongs to an old session



Problem

Last week I came across a DHCP problem. Devices from a certain VLAN were not getting a DHCP-assigned IP.

Even though the firewall policy should have accepted those packets, tcpdump showed the Checkpoint gateway was not forwarding them to the destination.

To capture DHCP traffic:

# tcpdump -n -i <interface> port 67 or port 68 -e

Incoming interface DHCP tcpdump:

# tcpdump 
Read more

Windows – Add secondary IP addresses to interface



Sometimes it is necessary to configure a network interface to listen on more than one IP (for example, web servers containing multiple SSL certificates…)
Add secondary IP addresses to interface

After adding the new secondary IPs, if not explicitly avoided, outgoing traffic can also be generated by these instead of only by the primary. This can lead to connection errors (for example firewall receiving unexpected Read more

Checkpoint – Hide NAT vs Static NAT



This post tries to be a simple explanation of the Hide NAT and Static NAT concepts.
Given the following simple company network, let's see how these NAT types could fit in this scenario:

Hide Static NAT example scenario

  • We need the web server to be published, so it needs to be accessible from the Internet
  • We need all the workstations to be able to browse
Read more