https://community.checkpoint.com/t5/Firewall-and-Security-Management/Route-Incoming-external-traffic-over-VPN/m-p/98713#M10340 <P>If it’s from a specific IP in the encryption domain,&nbsp;<BR />it sounds like a bug.<BR />You might want to engage with the TAC.</P> Sat, 10 Oct 2020 15:16:44 GMT PhoneBoy 2020-10-10T15:16:44Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Route-Incoming-external-traffic-over-VPN/m-p/98397#M10337 <P>Hi,&nbsp;</P><P>&nbsp;</P><P>I am struggling with routing external incoming traffic that is coming from the External Interface via a VPN tunnel?</P><P>The traffic flow should be:</P><P>External IP --&gt; External GW published IP&nbsp; --&gt; Static NAT to internal dst IP --&gt; VPN Tunnel --&gt; dst&nbsp;</P><P>&nbsp;</P><P>To explain shortly - incoming traffic from external IP is hitting the GW published IP (via Proxy ARP) and NATed to an internal address which should be routed via the VPN.</P><P>I added the External IP address to the VPN domain but still the Traffic is not routed over the VPN but going out back via the external interface&nbsp;</P><P>There is a static NAT to translate the external dst IP address to the Internal dst IP address which should go to the VPN&nbsp;</P><P>External IP --&gt; External GW&nbsp; IP&nbsp;</P><P>External IP --&gt; Internal dst IP&nbsp;&nbsp;</P><P>however the traffic goes back via the External Interface&nbsp;</P><P>Any SK or a idea how to tackle this issue?</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 07 Oct 2020 10:39:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Route-Incoming-external-traffic-over-VPN/m-p/98397#M10337 Shahar_Grober 2020-10-07T10:39:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Route-Incoming-external-traffic-over-VPN/m-p/98690#M10338 <P>The decision to encrypt is based on the source IP being in the encryption domain, which I'm guessing is not the case here.<BR />Perhaps with a route-based VPN and a null encryption domain, you could make this work.</P> Fri, 09 Oct 2020 23:19:54 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Route-Incoming-external-traffic-over-VPN/m-p/98690#M10338 PhoneBoy 2020-10-09T23:19:54Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Route-Incoming-external-traffic-over-VPN/m-p/98698#M10339 <P>Hi PB,&nbsp;</P><P>The traffic is coming from external interface and although I added the External Incoming IP to the VPN domain it is still not routed via the tunnel. I guess the VPN topology doesn't include external address for a reason (or a bug in the VPN topology calculation). I tried to find any SK about routing external traffic via internal VPN but couldn't find anything useful</P><P>I was trying to avoid route-based VPN but I guess this is the only way so I will have a look at it&nbsp;</P><P>Thanks for your answer&nbsp;</P><P>&nbsp;</P> Sat, 10 Oct 2020 10:28:41 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Route-Incoming-external-traffic-over-VPN/m-p/98698#M10339 Shahar_Grober 2020-10-10T10:28:41Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Route-Incoming-external-traffic-over-VPN/m-p/98713#M10340 <P>If it’s from a specific IP in the encryption domain,&nbsp;<BR />it sounds like a bug.<BR />You might want to engage with the TAC.</P> Sat, 10 Oct 2020 15:16:44 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Route-Incoming-external-traffic-over-VPN/m-p/98713#M10340 PhoneBoy 2020-10-10T15:16:44Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Route-Incoming-external-traffic-over-VPN/m-p/127951#M18585 <P>Hello Shahar,</P><P>Did you solved this by using route-based VPN or did you still used domain-based for this?</P><P>Tia</P><P>Lesley</P> Wed, 25 Aug 2021 09:54:58 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Route-Incoming-external-traffic-over-VPN/m-p/127951#M18585 Wille010 2021-08-25T09:54:58Z