topic Save Backupfile to Unix Server through VPN Connection in Firewall and Security Management

Save Backupfile to Unix Server through VPN Connection

Josef_Maier — Wed, 22 Jan 2020 07:43:36 GMT

Hi Checkmates,

i want to configure on the SecurityGateway (Checkpoint Appliance 3100) automatic Backup Job.

The Destination is a central Unixserver in the Headquater by SCP connection through VPN Connection configured on this SecurityGateway.

The SecurityGateway have more Interfaces and also one Interfaces to the Internet with static public IP-Address. This public IP-Address is also the MGMT IP of the Security Gateway.

The Destination BackupServer have a private IP-Adress and is only reachable over the VPN-Connection.

If I start the Backupjob the Backup is not successfully.

If I check in the same time on the Backupserver the connections, then I see, the Gateway comes with the public IP and maybe this is the problem.

My Question is, how to configure the Backupjob that the Securitygateway use another source IP (his private IP not the public MGMT IP-Address.

Re: Save Backupfile to Unix Server through VPN Connection

PhoneBoy — Wed, 22 Jan 2020 19:33:38 GMT

Don't believe that's possible.
Is the remote end of the VPN under your control?
The public IP of the gateway should be part of the encryption domain.

Re: Save Backupfile to Unix Server through VPN Connection

Josef_Maier — Thu, 23 Jan 2020 09:38:38 GMT

Yes, the remote end of the vpn under my Control.
The public IP of the Gateway is not a part of the encryption Domain.

Re: Save Backupfile to Unix Server through VPN Connection

G_W_Albrecht — Thu, 23 Jan 2020 10:21:31 GMT

The public IP of the Gateway is not a part of the encryption Domain - then how should the VPN work for this traffic ? Why not use the local IP instead ?

Re: Save Backupfile to Unix Server through VPN Connection

Josef_Maier — Thu, 23 Jan 2020 13:55:59 GMT

I don't know why… Maybe the Destination ip is the private IP...
hmm… any others an idea?

Re: Save Backupfile to Unix Server through VPN Connection

masher — Thu, 23 Jan 2020 15:03:25 GMT

OpenSSH has the capability to specify the IP address used when transferring scp/sftp.

Since you have CLI access to the appliance try adding running it manually to see if it will connect when using the BindAddress option.

scp -o BindAddress=10.10.10.1 /home/admin/filename user@2.2.2.2:/directory/filename

If that works, then it is possible to add configuration options in /etc/ssh/ssh_config to force the gateway to use the internal interface IP address for SCP for the specific IP destination.