https://community.checkpoint.com/t5/General-Topics/Clients-from-another-LAN-can-t-reach-server-from-another-LAN/m-p/21597#M4008 <HTML><HEAD></HEAD><BODY><P>I got this, and thank. I was able to update the&nbsp;<STRONG class="" style="color: #333333; background-color: inherit; font-size: 14px; padding: 0pt;"><STRONG class="" style="color: inherit; background-color: inherit; font-size: 14px; padding: 0pt;">$FWDIR/conf/vpn_route.conf&nbsp;</STRONG></STRONG>in&nbsp;<SPAN style="color: #333333;">the Security Management Server</SPAN></P><P>I just noticed from the SmartLog, the traffic is trying to Encrypt to Global Community instead of Asia VPN Community. I want the traffic to be Encrypt/Decrypt in my Center Gateway which is fw-HongKong</P></BODY></HTML> Sun, 06 Jan 2019 13:25:17 GMT Theo 2019-01-06T13:25:17Z https://community.checkpoint.com/t5/General-Topics/Clients-from-another-LAN-can-t-reach-server-from-another-LAN/m-p/21593#M4004 <HTML><HEAD></HEAD><BODY><P style="color: #333333; background-color: #ffffff; border: 0px;">I have a question about Site-Site VPN, and&nbsp;my concern is that the client computers from LAN_A could not access the server from LAN_B (RDP protocol).</P><P style="color: #333333; background-color: #ffffff; border: 0px;">&nbsp;</P><P style="color: #333333; background-color: #ffffff; border: 0px;"><STRONG style="border: 0px; font-weight: bold;">VPN Community</STRONG></P><P style="color: #333333; background-color: #ffffff; border: 0px;">Type: Star</P><P style="color: #333333; background-color: #ffffff; border: 0px;">Name: Asia</P><P style="color: #333333; background-color: #ffffff; border: 0px;">Center Gateways: fw-HongKong</P><P style="color: #333333; background-color: #ffffff; border: 0px;">Satellite&nbsp;Gateways: fw-Indonesia (<STRONG style="border: 0px; font-weight: bold;">LAN_A</STRONG>) and fw-Malaysia&nbsp;<SPAN style="border: 0px; font-weight: inherit;">(<STRONG style="border: 0px; font-weight: bold;">LAN_B</STRONG>)</SPAN></P><P style="color: #333333; background-color: #ffffff; border: 0px;">VPN Routing-&nbsp;<STRONG style="border: 0px; font-weight: bold;">To center and to other satellites through center</STRONG></P><P style="color: #333333; background-color: #ffffff; border: 0px;">&nbsp;</P><P style="color: #333333; background-color: #ffffff; border: 0px;"><STRONG style="border: 0px; font-weight: bold;">fw-HongKong</STRONG></P><P style="color: #333333; background-color: #ffffff; border: 0px;">Gateway: Checkpoint 2200</P><P style="color: #333333; background-color: #ffffff; border: 0px;">Version: R77.30 Build 204</P><P style="color: #333333; background-color: #ffffff; border: 0px;">&nbsp;</P><P style="color: #333333; background-color: #ffffff; border: 0px;"><STRONG>fw-Indonesia</STRONG></P><P style="color: #333333; background-color: #ffffff; border: 0px;">Gateway: Checkpoint 1450</P><P style="color: #333333; background-color: #ffffff; border: 0px;">Version: R77.20</P><P style="color: #333333; background-color: #ffffff; border: 0px;">&nbsp;</P><P style="color: #333333; background-color: #ffffff; border: 0px;"><STRONG>fw-Malaysia</STRONG></P><P style="color: #333333; background-color: #ffffff; border: 0px;">Gateway: Checkpoint 1100</P><P style="color: #333333; background-color: #ffffff; border: 0px;">Version: R77.20</P><P style="color: #333333; background-color: #ffffff; border: 0px;">&nbsp;</P><P style="color: #333333; background-color: #ffffff; border: 0px;">Keep in mind that above gateways are also a satellite gateways of another VPN Community (Star) which is Global. Upon checking the SmartLog, I noticed that the traffic is trying to encrypt in HQ gateway which is part of the Global Community, and is being dropped. I want to know how the traffic can be routed to the Center gateway in Asia (which is fw-HongKong) and reach the server in LAN_B which is behind fw-Malaysia gateway.</P><P style="color: #333333; background-color: #ffffff; border: 0px;"></P><P style="color: #333333; background-color: #ffffff; border: 0px;">I already added the required rule in the destination Policy but it still failing, I guess the traffic is routed to the Center gateways in Global Community? Any ideas what to check?</P><P style="color: #333333; background-color: #ffffff; border: 0px;"></P><P style="color: #333333; background-color: #ffffff; border: 0px;">Thanks for the time in reading from a newbie <IMG src="https://community.checkpoint.com/legacyfs/online/checkpoint/emoticons/wink.png" /></P></BODY></HTML> Sat, 05 Jan 2019 00:37:43 GMT https://community.checkpoint.com/t5/General-Topics/Clients-from-another-LAN-can-t-reach-server-from-another-LAN/m-p/21593#M4004 Theo 2019-01-05T00:37:43Z https://community.checkpoint.com/t5/General-Topics/Clients-from-another-LAN-can-t-reach-server-from-another-LAN/m-p/21594#M4005 <HTML><HEAD></HEAD><BODY><P>How specific are the encryption domains configured for each gateway, do they overlap at all?</P><P></P><P>Is NAT enabled or disabled in each community, note more advanced configuration of the VPN routing is possible if required using vpn_route.conf.</P></BODY></HTML> Sat, 05 Jan 2019 01:49:50 GMT https://community.checkpoint.com/t5/General-Topics/Clients-from-another-LAN-can-t-reach-server-from-another-LAN/m-p/21594#M4005 Chris_Atkinson 2019-01-05T01:49:50Z https://community.checkpoint.com/t5/General-Topics/Clients-from-another-LAN-can-t-reach-server-from-another-LAN/m-p/21595#M4006 <HTML><HEAD></HEAD><BODY><BLOCKQUOTE class="jive_macro_quote jive-quote jive_text_macro"><SPAN style="color: #333333; background-color: #ffffff;">note more advanced configuration of the VPN routing is possible if required using vpn_route.conf.</SPAN></BLOCKQUOTE><P>can the traffic be routed to another satellite gateway by configuring vpn_route.conf? can you please give a hint to force it? i mean is it possible that the traffic from fw-Indonesia can reach the server in fw-Malaysia by passing the Center gateway fw-HongKong?</P></BODY></HTML> Sat, 05 Jan 2019 02:03:20 GMT https://community.checkpoint.com/t5/General-Topics/Clients-from-another-LAN-can-t-reach-server-from-another-LAN/m-p/21595#M4006 Theo 2019-01-05T02:03:20Z https://community.checkpoint.com/t5/General-Topics/Clients-from-another-LAN-can-t-reach-server-from-another-LAN/m-p/21596#M4007 <HTML><HEAD></HEAD><BODY><P>Example:</P><P><A class="link-titled" href="https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_SitetoSiteVPN_AdminGuide/13928.htm#o159321" title="https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_SitetoSiteVPN_AdminGuide/13928.htm#o159321">Domain Based VPN</A>&nbsp;</P></BODY></HTML> Sat, 05 Jan 2019 02:42:20 GMT https://community.checkpoint.com/t5/General-Topics/Clients-from-another-LAN-can-t-reach-server-from-another-LAN/m-p/21596#M4007 Chris_Atkinson 2019-01-05T02:42:20Z https://community.checkpoint.com/t5/General-Topics/Clients-from-another-LAN-can-t-reach-server-from-another-LAN/m-p/21597#M4008 <HTML><HEAD></HEAD><BODY><P>I got this, and thank. I was able to update the&nbsp;<STRONG class="" style="color: #333333; background-color: inherit; font-size: 14px; padding: 0pt;"><STRONG class="" style="color: inherit; background-color: inherit; font-size: 14px; padding: 0pt;">$FWDIR/conf/vpn_route.conf&nbsp;</STRONG></STRONG>in&nbsp;<SPAN style="color: #333333;">the Security Management Server</SPAN></P><P>I just noticed from the SmartLog, the traffic is trying to Encrypt to Global Community instead of Asia VPN Community. I want the traffic to be Encrypt/Decrypt in my Center Gateway which is fw-HongKong</P></BODY></HTML> Sun, 06 Jan 2019 13:25:17 GMT https://community.checkpoint.com/t5/General-Topics/Clients-from-another-LAN-can-t-reach-server-from-another-LAN/m-p/21597#M4008 Theo 2019-01-06T13:25:17Z https://community.checkpoint.com/t5/General-Topics/Clients-from-another-LAN-can-t-reach-server-from-another-LAN/m-p/21598#M4009 <HTML><HEAD></HEAD><BODY><P>Any idea guys?</P></BODY></HTML> Fri, 11 Jan 2019 02:24:25 GMT https://community.checkpoint.com/t5/General-Topics/Clients-from-another-LAN-can-t-reach-server-from-another-LAN/m-p/21598#M4009 Theo 2019-01-11T02:24:25Z https://community.checkpoint.com/t5/General-Topics/Clients-from-another-LAN-can-t-reach-server-from-another-LAN/m-p/21599#M4010 <HTML><HEAD></HEAD><BODY><P>As above I would also check that your VPN Domains are configured specific enough to avoid overlaps. You may have to leverage the "manual" option to achieve.</P><P></P><P><IMG alt="" class="image-1 jive-image j-img-original" src="https://community.checkpoint.com/legacyfs/online/checkpoint/76954_Topology_VPN-Domain.png" /></P></BODY></HTML> Fri, 11 Jan 2019 02:36:51 GMT https://community.checkpoint.com/t5/General-Topics/Clients-from-another-LAN-can-t-reach-server-from-another-LAN/m-p/21599#M4010 Chris_Atkinson 2019-01-11T02:36:51Z