https://community.checkpoint.com/t5/SASE-and-Remote-Access/Enable-SNX-on-Cluster/m-p/20513#M13700 <HTML><HEAD></HEAD><BODY><P>Any chance the border router can perform the public &gt; private NAT?</P><P>That seems like it might be the cleanest solution here.</P></BODY></HTML> Tue, 01 May 2018 19:22:15 GMT PhoneBoy 2018-05-01T19:22:15Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Enable-SNX-on-Cluster/m-p/20512#M13699 <HTML><HEAD></HEAD><BODY><P>Hey all,</P><P></P><P>I'm trying to enable mobile access on our HA (active/passive) cluster to be able to use SNX.&nbsp; Right now I'm stuck on just getting the web page with the user/pass field.&nbsp;&nbsp;Our topology looks something like this (w/ IPs changed)</P><P><IMG __jive_id="65217" alt="" class="image-1 jive-image" height="519" src="/legacyfs/online/checkpoint/65217_Screen Shot 2018-05-01 at 12.16.50 PM.png" width="440" /></P><P>Computers on the internal networks can open a webpage to 192.168.0.5 with the expected portal.&nbsp; But I want remote users on the public internet to be able to access the portal page.&nbsp; So I created a DNS entry vpn.ourdomain.com to resolve to a public IP address and during the first time setup wizard I told the portal to use that FQDN.&nbsp; I created access control rules to allow users to access both the private IP (192.168.0.1/2/5) and the public address resolving from vpn.ourdomain.com.&nbsp; When I'm at my home computer, I can resolve the name entry fine, but I cannot access the portal web page.</P><P></P><P>I'm thinking I have to configure the public IP on the firewall cluster, but I've no idea how to do that.&nbsp; Anytime I go into Cluster Object &gt; NAT &gt; Advanced &amp; tell it to statically xlate to the public IP address, I get a verification error saying&nbsp;the cluster&nbsp;cannot xlate its own address.</P><P>I've tried static NAT rules up the wazoo but nothing seems to be working.&nbsp; I'm hoping that we don't have to change the bonded VIP to a public address b/c we'd have to rework our connection btw the firewall and edge router &amp; burn some IPs, but if that's what we have to do then I guess we do have a maintenance window coming up...</P><P></P><P>Any ideas?&nbsp; I'm sure I'm missing something stupid.</P><P></P><P>Also, first real use and post to Checkmates so I'm excited there's this community here!</P></BODY></HTML> Tue, 01 May 2018 18:25:44 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Enable-SNX-on-Cluster/m-p/20512#M13699 Joshua_Snider 2018-05-01T18:25:44Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Enable-SNX-on-Cluster/m-p/20513#M13700 <HTML><HEAD></HEAD><BODY><P>Any chance the border router can perform the public &gt; private NAT?</P><P>That seems like it might be the cleanest solution here.</P></BODY></HTML> Tue, 01 May 2018 19:22:15 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Enable-SNX-on-Cluster/m-p/20513#M13700 PhoneBoy 2018-05-01T19:22:15Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Enable-SNX-on-Cluster/m-p/20514#M13701 <HTML><HEAD></HEAD><BODY><P>I'll give that a try, thanks!</P></BODY></HTML> Tue, 01 May 2018 19:53:08 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Enable-SNX-on-Cluster/m-p/20514#M13701 Joshua_Snider 2018-05-01T19:53:08Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Enable-SNX-on-Cluster/m-p/20515#M13702 <HTML><HEAD></HEAD><BODY><P>Performing NAT on the edge router worked, thanks for the suggestion!&nbsp; Wish we could've done it on the f/w so that the config for mobile access isn't spread out so much, but c'est la vie</P></BODY></HTML> Fri, 18 May 2018 15:29:38 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Enable-SNX-on-Cluster/m-p/20515#M13702 Joshua_Snider 2018-05-18T15:29:38Z