https://community.checkpoint.com/t5/Spark-Firewall-SMB/Enable-Internet-Access-to-LAN-RRAS-IPSec-LT2P-VPN-Server-Behind/m-p/225938#M11373 <P>My IPS just provided me with a 1530 Appliance running R80.20.15, in place of another vendor's appliance which had failed.</P><P>In my LAN I am running RRAS on a Microsoft Server 2019 to provide IPSec/LT2P access to my LAN from the Internet. This server is NAT-ed behind the appliance firewall.</P><P>My ISP does not know how to enable this. I know nothing about Checkpoint appliances either,</P><P>I think what I need to do is:</P><OL><LI>Define new Service ESP (IP Protocol 50)</LI><LI>Define new Service AH (IP Protocol 51)</LI><LI>Allow UDP Ports 500, 4500, and 1701</LI><LI>Forward all of the above IP protocols and UDP ports to the RRAS server in the LAN according to its NAT-ed address.&nbsp;</LI></OL><P>Am I correct? Is there an error in what I wrote? Did I forget something?</P><P>If my list of tasks is correct, I would be grateful for painfully explicit instructions as to how to accomplish the above.&nbsp;</P><P>TIA!</P><P>&nbsp;</P> Sat, 07 Sep 2024 13:14:40 GMT msl58 2024-09-07T13:14:40Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Enable-Internet-Access-to-LAN-RRAS-IPSec-LT2P-VPN-Server-Behind/m-p/225938#M11373 <P>My IPS just provided me with a 1530 Appliance running R80.20.15, in place of another vendor's appliance which had failed.</P><P>In my LAN I am running RRAS on a Microsoft Server 2019 to provide IPSec/LT2P access to my LAN from the Internet. This server is NAT-ed behind the appliance firewall.</P><P>My ISP does not know how to enable this. I know nothing about Checkpoint appliances either,</P><P>I think what I need to do is:</P><OL><LI>Define new Service ESP (IP Protocol 50)</LI><LI>Define new Service AH (IP Protocol 51)</LI><LI>Allow UDP Ports 500, 4500, and 1701</LI><LI>Forward all of the above IP protocols and UDP ports to the RRAS server in the LAN according to its NAT-ed address.&nbsp;</LI></OL><P>Am I correct? Is there an error in what I wrote? Did I forget something?</P><P>If my list of tasks is correct, I would be grateful for painfully explicit instructions as to how to accomplish the above.&nbsp;</P><P>TIA!</P><P>&nbsp;</P> Sat, 07 Sep 2024 13:14:40 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Enable-Internet-Access-to-LAN-RRAS-IPSec-LT2P-VPN-Server-Behind/m-p/225938#M11373 msl58 2024-09-07T13:14:40Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Enable-Internet-Access-to-LAN-RRAS-IPSec-LT2P-VPN-Server-Behind/m-p/226014#M11374 <P>The device does have Remote Access functionality built into it, FYI.<BR />Make sure both Remote Access and Site to Site VPN are disabled in Home &gt; Overview &gt; Security Dashboard</P> <P>I don't believe you need to forward IP Proto 50/51, but could be wrong.<BR />However, you should create a Server object in Users and Objects &gt; Network Resources &gt; Servers and specify the correct ports:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-09-09 at 11.14.27 AM.png" style="width: 574px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/27540i5D8948C39A749F71/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-09-09 at 11.14.27 AM.png" alt="Screenshot 2024-09-09 at 11.14.27 AM.png" /></span></P> <P>Set the other options as appropriate in the object.</P> Mon, 09 Sep 2024 16:16:47 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Enable-Internet-Access-to-LAN-RRAS-IPSec-LT2P-VPN-Server-Behind/m-p/226014#M11374 PhoneBoy 2024-09-09T16:16:47Z