topic Re: Mobile Access - IP Pool Configuration in SASE and Remote Access

Mobile Access - IP Pool Configuration

tropicanaslim — Tue, 05 Jul 2022 14:46:00 GMT

Halo All,

I was enable Mobile Access Blade for SSL VPN and follow the wizard.

And this is the traffic : USER (public) —INTERNET— Mobile Access (R81.10) — Core — Internal Apps.

Mobile Access has 2 interface :

ETH1 : Public IP (facing to internet + portal access)
ETH2 : Local IP (point2point with Core)
+ IP Pool VPN (default segment IP)

And Mobile Access configuration like below :

Enable Office Mode + IP Pool

My question is, why all Mobile Access user when access to internal apps detected using ETH2 IP (Local IP) not Pool VPN IP? When i check on Mobile Access Log, there are only Public IP information from user.

Based on above information, is my configuration wrong? any additional configuration needed?

Thankyou!

Re: Mobile Access - IP Pool Configuration

G_W_Albrecht — Tue, 05 Jul 2022 14:55:54 GMT

See Mobile Access R80.10 Administration Guide: Office Mode

Re: Mobile Access - IP Pool Configuration

tropicanaslim — Tue, 05 Jul 2022 15:47:40 GMT

Hi @G_W_Albrecht

Yes i just compared my configuration with admin guide.

On $FWDIR/conf/ipassignment.conf i make sure on this config file there is no configuration related to Local IP and Pool VPN IP. So in my opinion will take over by Manual (using IP Pool), but i dont know why on Application detect the user using ETH2 Local IP, not Pool VPN IP. This one make me confused.

Re: Mobile Access - IP Pool Configuration

the_rock — Tue, 05 Jul 2022 15:56:13 GMT

I believe ipassignment.conf would take precedence.

Re: Mobile Access - IP Pool Configuration

tropicanaslim — Tue, 05 Jul 2022 16:19:32 GMT

Hi @Theo yeah i believe so earlier, but after check the $FWDIR/conf/ipassignment.conf there is no configuration related to IP that i used on the firewal..

This is the capture :

default setting ipassignment

Re: Mobile Access - IP Pool Configuration

RS_Daniel — Tue, 05 Jul 2022 16:45:34 GMT

Hello,

I assume you are using SNX or the Mobile Access vpn client on your remote machines in order to get an Office Mode IP address, it would be useful a capture what you see to understand better. I will assume you are checking only the logs for decrypted packets, maybe there is a NAT causing this behavior. To start you can go to the logs and look for blade:"Mobile Access" search your login and take note of the office mode ip assigned, then look for that IP address and check what you see, if there is a NAT you should find it here.

Regards

Re: Mobile Access - IP Pool Configuration

Vladimir — Wed, 06 Jul 2022 03:03:32 GMT

Likely a NAT issue.

I suggest creating a NO_NAT_for_Remote_Access rule in your NAT policy and configuring it as:

CP_Default_Office_Mode_Pool to Internal_Networks, Original, Original.

Re: Mobile Access - IP Pool Configuration

Chris_Atkinson — Wed, 06 Jul 2022 03:31:50 GMT

Agree, likely your hitting default/atuo NAT rules similar to:

Re: Mobile Access - IP Pool Configuration

tropicanaslim — Wed, 06 Jul 2022 15:06:48 GMT

Hi @Chris_Atkinson and @Vladimir

Thank you for your reply, currently i dont have access to the Gateway. i will it again on Thursday.

your suggestion is using manual nat or automatic nat? because i did some nat test before, by default VPN-IP-Pool is enable Hide NAT like below, but after i uncheck the NAT option, there is no differentiation. Is it similar with your suggestion using Manual NAT or Automatic NAT?

example - i did uncheck NAT option

Thanks!

Re: Mobile Access - IP Pool Configuration

Vladimir — Wed, 06 Jul 2022 15:18:27 GMT

Both, Automatic NAT and Manual NAT should be used simultaneously. But if the properties of your Office Mode Pool look like the screenshot above, they are misconfigured. Use this one for references:

Set the Pool NAT properties as shown above, but add the NonNAT_Rule I have suggested previously.

If you are using Remote access with DNS forwarding to HQ and egress to the Internet resources, you want the pool to be NATed going outside. For access to internal resources, you do not- hence the Non_NAT Rule.

Re: Mobile Access - IP Pool Configuration

the_rock — Wed, 06 Jul 2022 18:50:12 GMT

Right, thats what every default ipassignment.conf would look like, so it does not appear it was modified manually.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk33422