topic Re: I can ping but I can't browse - vpn and proxy check point in General Topics

I can ping but I can't browse - vpn and proxy check point

Kadu_Lincoln — Fri, 01 Dec 2017 12:09:30 GMT

Hello everyone

I'm having some issues using the Check Point Gateway as a proxy when I'm using the check point client VPN.

Scenario is as follows: my gateway is configured as a proxy. Recently I activated VPN functionality. The vpn works normally, however, I can not navigate if I use the proxy check point but I can ping any site.

I made a test connected in another VPN that gives access to the same networks, I used the Check Point proxy again and the access was allowed or denied according to my ACLs and I can see it in my logs.

is there any limitation on using the gateway as vpn and proxy or should I make some configuration?

Thanks!

Re: I can ping but I can't browse - vpn and proxy check point

Vladimir — Fri, 01 Dec 2017 19:27:24 GMT

Plea specify the version of the Check Point Management and gateways, if you have proxy configured in transparent or explicit mode, if you have defined the interface for the proxy and if you are using .pac files on your VPN clients.

Additionally, please clarify what kind of VPN are we talking about: SSL or the IPSec and if second, what VPN software client and version is in use.

Re: I can ping but I can't browse - vpn and proxy check point

Kadu_Lincoln — Sun, 03 Dec 2017 22:51:47 GMT

Thanks for your answer, Vladimir!

I'm using R80.10 in both: Mangament and gateway. Proxy is configured in Non Transparent mode. I did not define an interface for the proxy and in this firt moment I'm not using .pac file on VPN client.

I'm using IPSec with Check Point Endpoint Security E80.70

Re: I can ping but I can't browse - vpn and proxy check point

Vladimir — Mon, 04 Dec 2017 19:09:56 GMT

Kadu,

Please check if the VPN tunneling is enabled on your EndPoint Security clients, else you are looking at the split tunnel scenario, where not all traffic is being sent to the gateways.

Since you have mentioned that you can ping all the sites, (I presume from the client), try traceroute from the client to determine if your ICMP traffic is going over the VPN, or if it is going directly via local gateway of the remote client.

Additionally, it is a good idea to determine, using nslookup, where does the DNS resolution happening, locally or via VPN.

Next, confirm that you are offering "Office Mode" to remote users.

If yes, check the IP Pool that is being used for address allocation.

Make sure that you have a rule allowing the IP pool to access Internet and that it is being NATed on its way out.

You may also check "Optional Parameters" in the "Office Mode" to see what DNS servers are defined for remote clients.

Cheers,

Vladimir

Re: I can ping but I can't browse - vpn and proxy check point

Frederico_Linco — Tue, 05 Dec 2017 23:26:29 GMT

Vladimir, is this option you referred to (VPN tunneling)? How can I change it?

My ICMP traffic is going directly via local gateway of my remote client.

DNS resolution is happening via VPN normally.

I'm offering "Office Mode" to remote users.

Any idea?

Thanks for your time!

Re: I can ping but I can't browse - vpn and proxy check point

Vladimir — Wed, 06 Dec 2017 01:57:00 GMT

If you are using a simple SecuRemote, you will not be able to change this:

If you are using a full EndPoint security, this should work:

Provided the rules are in place to allow it.

Cheers,

Vladimir