https://community.checkpoint.com/t5/Cloud-Firewall/VSEC-AWS-traffic-to-from-local-subnet/m-p/6197#M4090 <HTML><HEAD></HEAD><BODY><P>My question is certainly easy to answer, but I cannot find the answer myself. I am not a starter with VSEC, and also not in AWS, but nevertheless it seems to be a newbee question.</P><P></P><P>Here is what we have: We have a VSEC installed in an AWS VPC. The VPC has several subnets. VSEC has interfaces in two of them:</P><P>- one public subnet - route table has the default route to the IGW - this is VSECs eth0</P><P>- on private subnet - route table has the default route to the ENI of the VSEC in this subnet -&nbsp; this is VSECs eth1</P><P>All Security Groups and all NACLs allow any traffic.</P><P>VSECs setting for Source/Destination Check is "disabled".</P><P>VSEC is connected to our corporate network using VPN, which is running well. We can reach the VSECs IP-address in the private subnet from on-premise.</P><P></P><P>We additionally have an EC2 instance in the private subnet running an AWS Linux.</P><P></P><P>We try to reach this EC2 from on-premise without success. We see the packets run from on-premise via VSEC, which allows the traffic, and also see the traffic leaving VSEC on the correct interface eth1. But we do never see reply packets from EC2.</P><P></P><P>We also try to reach on-premis from EC2. Here we never see any packet arriving at the VSEC.</P><P></P><P>Connecting from VSEC to EC2 directly and vice versa is working well.</P><P></P><P>Does anybody have any ideas what I can check additionally?</P><P></P><P>Thanks in advance. Matthias Hoppe</P></BODY></HTML> Mon, 11 Sep 2017 11:54:38 GMT Matthias_Hoppe 2017-09-11T11:54:38Z https://community.checkpoint.com/t5/Cloud-Firewall/VSEC-AWS-traffic-to-from-local-subnet/m-p/6197#M4090 <HTML><HEAD></HEAD><BODY><P>My question is certainly easy to answer, but I cannot find the answer myself. I am not a starter with VSEC, and also not in AWS, but nevertheless it seems to be a newbee question.</P><P></P><P>Here is what we have: We have a VSEC installed in an AWS VPC. The VPC has several subnets. VSEC has interfaces in two of them:</P><P>- one public subnet - route table has the default route to the IGW - this is VSECs eth0</P><P>- on private subnet - route table has the default route to the ENI of the VSEC in this subnet -&nbsp; this is VSECs eth1</P><P>All Security Groups and all NACLs allow any traffic.</P><P>VSECs setting for Source/Destination Check is "disabled".</P><P>VSEC is connected to our corporate network using VPN, which is running well. We can reach the VSECs IP-address in the private subnet from on-premise.</P><P></P><P>We additionally have an EC2 instance in the private subnet running an AWS Linux.</P><P></P><P>We try to reach this EC2 from on-premise without success. We see the packets run from on-premise via VSEC, which allows the traffic, and also see the traffic leaving VSEC on the correct interface eth1. But we do never see reply packets from EC2.</P><P></P><P>We also try to reach on-premis from EC2. Here we never see any packet arriving at the VSEC.</P><P></P><P>Connecting from VSEC to EC2 directly and vice versa is working well.</P><P></P><P>Does anybody have any ideas what I can check additionally?</P><P></P><P>Thanks in advance. Matthias Hoppe</P></BODY></HTML> Mon, 11 Sep 2017 11:54:38 GMT https://community.checkpoint.com/t5/Cloud-Firewall/VSEC-AWS-traffic-to-from-local-subnet/m-p/6197#M4090 Matthias_Hoppe 2017-09-11T11:54:38Z https://community.checkpoint.com/t5/Cloud-Firewall/VSEC-AWS-traffic-to-from-local-subnet/m-p/6198#M4091 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-size: 11.5pt; color: #3d3d3d;">Hi!, Please verify the route table associated with&nbsp;</SPAN><SPAN style="font-size: 11.5pt; color: #333333; background: white;"><SPAN>private subnet running an AWS Linux, from where you are trying to reach on&nbsp;on-premise network.</SPAN> On-premise network should be pointed towards vSec eth1 interface.</SPAN></P><P><BR /></P></BODY></HTML> Tue, 12 Sep 2017 08:12:02 GMT https://community.checkpoint.com/t5/Cloud-Firewall/VSEC-AWS-traffic-to-from-local-subnet/m-p/6198#M4091 Naveen_Kumar 2017-09-12T08:12:02Z https://community.checkpoint.com/t5/Cloud-Firewall/VSEC-AWS-traffic-to-from-local-subnet/m-p/6199#M4092 <HTML><HEAD></HEAD><BODY><P>Hi Naveen, thank you for your valuable answer. I think I already mentioned, that the route table is correct ("on private subnet - route table has the default route to the ENI of the VSEC in this subnet -&nbsp; this is VSECs eth1")</P></BODY></HTML> Wed, 13 Sep 2017 07:52:12 GMT https://community.checkpoint.com/t5/Cloud-Firewall/VSEC-AWS-traffic-to-from-local-subnet/m-p/6199#M4092 Matthias_Hoppe 2017-09-13T07:52:12Z https://community.checkpoint.com/t5/Cloud-Firewall/VSEC-AWS-traffic-to-from-local-subnet/m-p/6200#M4093 <HTML><HEAD></HEAD><BODY><P>Hi guys, just yesterday late afternoon, I found the solution. I was not aware that "Source/Destination Check" cat be set not only for the EC2 but also for every single ENI on that EC2. And for the second interface (eth1) it was set to "True". Having disabled this, everything worked perfectly well.</P><P>Sorry for having bothered you with this question. I assumed that there was only one tiny setting missing but could not find it for some time...</P></BODY></HTML> Wed, 13 Sep 2017 07:56:04 GMT https://community.checkpoint.com/t5/Cloud-Firewall/VSEC-AWS-traffic-to-from-local-subnet/m-p/6200#M4093 Matthias_Hoppe 2017-09-13T07:56:04Z