topic Re: Enterprise to VPN User without site to site VPN in Spark Firewall (SMB)

Enterprise to VPN User without site to site VPN

Yousef — Mon, 13 Apr 2020 15:23:18 GMT

Hello,

I'm using CheckPoint 750 Appliance at work.

We installed VPN EndPoint at each remote User, the VPN is having a pool of 172.16.10.*

The local Network where the gateway is installed, it is using 10.4.0.*

The developers are developing a service at port 9000 in their computers, and when they were in the company, they simply called an API from the local network (For ex. 10.4.0.10) to their computer (10.4.0.*:9000 and it worked.

Now when they moved their PCs to work from home, they connect using the VPN, they are able to access all the local network, so that all Servers and services that are using 10.4.0.* are reachable, however, the opposite is not true.

None of the Server / Computers at the office (10.4.0.*) are able to connect back to the VPN remote users.

The users are trying to call API requests from Servers at the office (say 10.4.0.10) to their own computers, say 172.16.10.5:9000 , it fails.

10.4.0.* can't even ping any host in the VPN IPs.

My Appliance is manage by an ISP, but they are still not able to solve the issue, it has been a week already. Is it something that is feasible or not? I know that Site to Site is supposed to work (although we haven't tested it), but what about Point to Site?

VPN Users (172.16.10.*) need to be reached "reversely" from the work network (10.4.0.*).

I thought when I connect to the VPN, the VPN object and the local object are both connected and can communicate to each other without a problem.

I'm looking for advice since my ISP is not able to solve the problem yet. Am I asking for something that can't be done by Point to Site?

Let me know of any feasible solution so that I can consult my ISP to do it when they get back to me again.

Thank you.

Re: Enterprise to VPN User without site to site VPN

PhoneBoy — Tue, 14 Apr 2020 21:06:35 GMT

Have you created an explicit rule to allow this sort of communication?

Re: Enterprise to VPN User without site to site VPN

Yousef — Wed, 15 Apr 2020 04:58:37 GMT

My ISP added the following rules:

Incoming, Internal and VPN traffic:

LAN Network (10.4.0.*) -> VPN Remote Access -> Any Service, Accept

LAN Network (10.4.0.*) -> Office_mode (same range 172.16.10.0) -> Any Service, Accept

VPN Remote Access -> VPN Remote Access -> Any Service, Accept

This Gateway (external IP) -> Office_mode (same range 172.16.10.0) -> Any Service, Accept

Outgoing:

Nothing specific that handles this

NAT rules:

Hide internal networks behind the Gateway's external IP address [ON]

Manual NAT rules:

Original Source (Any), Original Destination (Office_mode), Original Service (Any), Translated Source (Original), Translated Destination (Original), Translated Service (Any)

This configuration is not working. Backlinks to the Office_mode are not working without Office_mode initiating the session. So we can't access any open port in the Office_mode/VPN Users computers.

I'm not sure if that matters, but the system's firmware version is R77.20.31 (990170960)

Yousef.

Re: Enterprise to VPN User without site to site VPN

PhoneBoy — Wed, 15 Apr 2020 05:05:47 GMT

That firmware revision is quite old and you should upgrade for...many reasons.
I presume you'd need a rule that permits your internal network to talk to the Office Mode addresses in the Outgoing section.

Re: Enterprise to VPN User without site to site VPN

Yousef — Wed, 15 Apr 2020 05:08:33 GMT

Thank you. I will let my ISP do the change, and hopefully convince them to upgrade the firmware.

After that, I will post a reply and accept the solution in case that solved the problem.

Re: Enterprise to VPN User without site to site VPN

Yousef — Tue, 21 Apr 2020 11:48:01 GMT

Upgrading the firmware and adding outgoing solved the issue. Thank you.