This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Nicolas_Daems1
Contributor
‎2019-05-29 01:14 PM

Cloudgaard Azure and Remote Access

Hi,

 

I'm trying to setup a Remote Access VPN (Check Point Mobile on Windows) on Azure.

This Azure Gateway is connected to another Check Point Gateway with a Site-to-Site VPN. This communication is working fine

The Mobile VPN Client are able to connect but no traffic is reaching the Azure Firewall (tcpdump / fw monitor). The VPN setup is not configured to route all traffic to the gateway so only the remote access community shoud be reachable. I can see that the Endpoint receive the route correctly (route print) but when trying to reach the gateway no traffic is detected.

I guess there is an issue with the UDR on Azure but I don't know how the VPN subnet needs to be defined:

  • Do we need to define the VPN subnet on Azure Subnet ?
  • If we need to define the subnet to Azure what route should we defined on this subnet ?
  • Do we need to route the traffic to Frontend or Backend interface

Any help will be appreciated

Thank you

Nicolas

0 Kudos
Reply
3 Replies
G_W_Albrecht
Champion
Champion
‎2019-06-04 04:59 AM

Have a look into this document : sk109360: Check Point Reference Architecture for Azure

0 Kudos
Reply
Nicolas_Daems1
Contributor
‎2019-06-04 05:10 AM
In response to G_W_Albrecht

Hi,

 

I already read this document but without finding any interesting info. UDR are already defined for the return trafic

Thanks

Nicolas

0 Kudos
Reply
Dan_Morris
Employee
Employee
‎2019-06-05 08:39 AM
In response to Nicolas_Daems1

Hi Nicolas,

The problems sounds like the UDR's are not configured properly to point to the Azure gateway. 

In an Azure Check Point deployment no VM's should be local to the gateway. This means you will require a VPN subnet in your Vnet (Or another backend subnet) where the VPN client will reside.

 

Answers to your questions

  • Do we need to define the VPN subnet on Azure Subnet ?
    • Yes you require this
  • If we need to define the subnet to Azure what route should we defined on this subnet ?
    • Route definitions

    • Route #1

      Route Name                       <Web/App/VPN>-Subnet-Local

      Address prefixes                Web/App/VPN subnet (Example- 10.7.4.0/24)

      Net Hop Type                      Virtual Network

      Next Hop Address              Leave Blank

    • Route #2

      Route Name                       <Web/App/VPN>-To-Other-Subnets

      Address prefix                    Your vNet network (Example- 10.7.0.0/16)

      Net Hop Type                      Virtual appliance

      Next Hop Address              eth1 Ip of the firewall appliance (example 10.7.1.4)

    • Route #3

      Route Name                       <Web/App/VPN>-Subnet-Default-<Username>

      Address prefix                    0.0.0.0/0

      Net Hop Type                      Virtual appliance

      Next Hop Address              eth1 Ip of the firewall appliance (example 10.7.1.4)

    • Route needed on the Gateway
      • You need to setup the Check Point Gateway to send all vNet traffic to the Backend Azure Gateway address. This will be the first IP of the Backend

      • Example: Your VNET network is 10.x.0.0/16 the Azure “Router” IP is 10.x.1.1)

        SSH to your Firewall VM and add the following route in Clish.

        Command:

        clish -c 'set static-route VIRTUAL-NETWORK-PREFIX nexthop gateway address ETH1-ROUTER on' -s

        clish -c 'save config'

        Where:

        VIRTUAL-NETWORK-PREFIX is the prefix of the entire virtual network (e.g. 10.x.0.0/16)

        ETH1-ROUTER is the first unicast IP address on the subnet to which eth1 is connected (e.g. 10x.1.1)

        For example: clish -c 'set static-route 10.x.0.0/16 nexthop gateway address 10.x.1.1 on' –s

  • Do we need to route the traffic to Frontend or Backend interface
    • Backend subnet

 

You can also confirm where the effective route is going on the Mobile Client. This can be done in the Azure portal

  1. Go under the VM in question
  2. Make sure the system is turned on. Otherwise the routes will not be properly displayed
  3. Go under Networking
  4. Select the Attached Network interface
  5. Under the attached network interface select Effective routes
  6. Select the Download of the effective routes.

image.png

Open the Downloaded route list and confirm the routes are what you may be expecting.

image.png

 

Thank you ,

Dan Morris, Technology Leader, Ottawa Technical Assistance Center

 

0 Kudos
Reply