https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-on-Gateways-behind-another-firewall/m-p/182997#M4867 <P>Link Selection to a static IP (the public NAT) is the correct configuration.<BR />Have you done any packet captures to confirm the Fortinet box is forwarding all the relevant traffic to the Check Point gateway?</P> Thu, 01 Jun 2023 22:18:36 GMT PhoneBoy 2023-06-01T22:18:36Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-on-Gateways-behind-another-firewall/m-p/182993#M4866 <P>Hello everyone,</P><P>&nbsp;</P><P>I have a setup which is the following:</P><UL><LI>Two SG R81.10 on High Availability Mode.</LI><LI>External IP addresses are private IP's 10.11.103.245 and 10.11.103.246 and the VIP is 10.11.103.1.</LI></UL><P>The ISP router is connected to another firewall (Fortigate) which routes traffic to the VIP (10.11.103.1).</P><P>My default route is 10.11.103.254 (which is the Fortigate private interface IP address), the internet access works perfectly.</P><P>My concern is to setup a Remote VPN access using the public IP address. Is Statically NATed IP address is the best option I have under Link Selection configuration ? (I have tried it but the VPN lient doesn't recognize the site ), or there is another option for me I can use to configure it?</P><P>&nbsp;</P><P>Thank you in advance</P> Thu, 01 Jun 2023 21:39:44 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-on-Gateways-behind-another-firewall/m-p/182993#M4866 OmarDafiri 2023-06-01T21:39:44Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-on-Gateways-behind-another-firewall/m-p/182997#M4867 <P>Link Selection to a static IP (the public NAT) is the correct configuration.<BR />Have you done any packet captures to confirm the Fortinet box is forwarding all the relevant traffic to the Check Point gateway?</P> Thu, 01 Jun 2023 22:18:36 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-on-Gateways-behind-another-firewall/m-p/182997#M4867 PhoneBoy 2023-06-01T22:18:36Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-on-Gateways-behind-another-firewall/m-p/183000#M4868 <P>Sounds like you have the right config already. As phoneboy said, maybe do some packet captures to see what gives. Some examples below (lets just assume client IP is 1.2.3.4 and gw ip is 4.3.2.1)</P> <P>On gateway (expert mode)</P> <P>fw ctl zdebug + drop | grep 1.2.3.4</P> <P>fw monitor -e "accept host(1.2.3.4) and host(4.3.2.1);"</P> <P>fw monitor -e "accept port(18234);"&nbsp; &nbsp; (18234 is tunnel test port)</P> <P>fw monitor -F "1.2.3.4,0,4,3,2,1,0,0" -F "4.3.2.1,0,1.2.3.4,0,0"</P> <P>Idea in last command is this "srcIP,srcPort,dstIP,dstport,protocol" and then 2nd one is just other way around</P> <P>Let us know what you get.</P> <P>Hope those help.</P> <P>Im fairly experienced in Foirtinet (though nothing like few of my colleagues lol), but you can also do packet capture there as well. I know in any 7.x.x version, its available via GUI, or just via cli:</P> <P>diag sniffer packet any host x.x.x.x 4 50</P> <P>&nbsp;</P> <P>This is in latest 7.4.0 version</P> <P>Andy</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_1.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/21234iB2107EBAC1E5AEFC/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot_1.png" alt="Screenshot_1.png" /></span></P> <P> </P> <P>&nbsp;</P> Fri, 02 Jun 2023 01:57:00 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-on-Gateways-behind-another-firewall/m-p/183000#M4868 the_rock 2023-06-02T01:57:00Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-on-Gateways-behind-another-firewall/m-p/184058#M4869 <P>Hello everyone,</P><P>Thank you so much for your suggestions and your feedback, and am sorry for my late response.</P><P>We managed to fix the issue. Indeed, the Fortigate guy didn't perform a Dnat to check point VIP, that's why it didn't work.</P><P>Once he perfomed it, the client VPN worked perfectly.</P><P>&nbsp;</P><P>Thank you again for your assistance and your help.</P><P>&nbsp;</P><P>Regards,</P><P>DAFIRI Omar</P> Thu, 15 Jun 2023 09:48:37 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-on-Gateways-behind-another-firewall/m-p/184058#M4869 OmarDafiri 2023-06-15T09:48:37Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-on-Gateways-behind-another-firewall/m-p/184061#M4870 <P>Excellent! <span class="lia-unicode-emoji" title=":thumbs_up:">👍</span></P> Thu, 15 Jun 2023 10:12:43 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-on-Gateways-behind-another-firewall/m-p/184061#M4870 the_rock 2023-06-15T10:12:43Z