topic Re: Strange issue with routing/nat on site-2-site in Spark Firewall (SMB)

Strange issue with routing/nat on site-2-site

skandshus — Wed, 11 Aug 2021 19:55:44 GMT

Hi everyone..

I am hosting a service for a customer on a public accessible IP address… i have then set up a site-2-site vpn for backup purposes because the customer also has a local server that needs backup.

the setup is.

local customer subnet192.168.80.0/24 & 192.168.50.0/24 (with client that needs to access navision service at my public ip.

the customer is accessing an RDP service using dns name navision.it-connect.nu

it resolves to my external ip 194.182.21.148

on the customer site I have a 1570 appliance

and In my hosting center I’m running checkpoint open server.

the local subnet for the navision server is 10.10.114.2

I have both firewall and nat rule in place allowing remote access.. everything is fine..

But I need to establish a site to site vpn from MY local subnet at the hosting center at 10.10.150.0/24 because I need to take a backup of a server at the customer local site.. that server is located at 192.168.80.0/24

i can establish the site to site tunnel fine and everything is working. But when I do that, then it is no longer possible for the customer at their local subnet 192.168.0.0/24 & 192.168.50.0/24 to access the navision server any longer, even though both the navision subnet AND the customers local subnet has not been defined in the encryption domain(which is on purpose)..

can anybody shed some light on what is happening ? I have another customer where this is not an issue… I even tried to do a copy/paste of the vpn community setup to rule out error, but it still blocks the remote access..

so I’m short.. vpn tunnel connects successfully allowing my backup server to reach customer subnet and do the backup but it breaks the customers access to the navision server when they try to reach it using the dns name/wan up address..

Re: Strange issue with routing/nat on site-2-site

G_W_Albrecht — Thu, 12 Aug 2021 14:22:37 GMT

Is your external ip 194.182.21.148 included in the encryption domain ?

Re: Strange issue with routing/nat on site-2-site

skandshus — Thu, 12 Aug 2021 14:25:13 GMT

No the external Ip is not included… on purpose though.. wouldn’t that cause issues?

Re: Strange issue with routing/nat on site-2-site

G_W_Albrecht — Thu, 12 Aug 2021 14:34:57 GMT

As the clients try to connect to that IP, it would cause issues, so i have asked 8) Are the clients NATed behind the GW IP ?

Re: Strange issue with routing/nat on site-2-site

skandshus — Thu, 12 Aug 2021 14:54:37 GMT

Both subnet on each side is behind hide nat on the gateway…

from my perspective I would expect the subnets to only be routed, if a host would try to access navision.it-connect:8787

i would expect them to hit the wan interface and NOT for some reason go through the tunnel.. even though the IP address /gateway is also used as the peer gateway.. and I have no idea how to “explain” it regarding a TAC and making sure they understood 100% what the problem is..

Re: Strange issue with routing/nat on site-2-site

G_W_Albrecht — Thu, 12 Aug 2021 15:09:58 GMT

Try to exclude only Microsoft Remote Desktop on TCP port 3389 from your VPN Community.

Re: Strange issue with routing/nat on site-2-site

skandshus — Thu, 12 Aug 2021 19:28:06 GMT

i didnt even know it possible to "exclude" that.. how would you go around doing that?