topic Remote Access Link Selection - Staticaly Nated IP in SASE and Remote Access

Remote Access Link Selection - Staticaly Nated IP

Karan0587 — Wed, 16 Jun 2021 23:51:18 GMT

Hi,

Need suggestion on below

The customer has bought a range of IP Addresses from ISP, he wants to use one of the IP Addresses for checkpoint remote access VPN.

I believe we can use that IP Address in Statically Nat IP in link selection ( attached image).

Can anybody suggest what configuration is required from a policy perspective?

Regards

Karan

Re: Remote Access Link Selection - Staticaly Nated IP

PhoneBoy — Mon, 21 Jun 2021 00:48:18 GMT

Beyond this configuration in Link Selection, you should not need to do anything unusual to accept the traffic.
It will be allowed by implied rules.

Re: Remote Access Link Selection - Staticaly Nated IP

the_rock — Mon, 21 Jun 2021 01:00:04 GMT

As phoneboy said, config is fine, but as far as policy, just make sure that VPN traffic is allowed as usual, but other than that, you should be good to go.

Re: Remote Access Link Selection - Staticaly Nated IP

Karan0587 — Mon, 21 Jun 2021 01:31:40 GMT

Thanks for the reply,

i thought so as well, but does not connect and goes through the clean up rule.

I have to create access policy rule to allo vpn for that IP isn't ?

Re: Remote Access Link Selection - Staticaly Nated IP

the_rock — Mon, 21 Jun 2021 01:34:57 GMT

Not necessarily that IP, but object itself. So, you can make bi-directional rule for subnets involved (local and remote) and then under vpn column, just select that community, services you need and accept. If traffic fails on clean up rule, there is no any doubt that rule does not exist in the policy to allow it. Unless, the exception could be if you have layers, then it could be catching parent layered rule and then being dropped on explicit layer clean up rule, rather than implicit one, which would always be last rule in the rulebase.