This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
jasr_eiffage
Explorer
‎2021-09-21 09:39 AM

AWS VPN use Checkpoint like a Gateway to internet

Hello everyone,
 
I have a VPN Site to Site tunnel between AWS and CKP, the tunnel works correctly with traffic between both subnets, the problem comes when trying to get the AWS machines to go out to the internet through CKP, I can't ping 8.8.8.8.8 for example, the trace stays on the private IP of the point to point adapter (169.254.72.110).
 
I have made the configurations as indicated in the guide, it is a static route VPN, in AWS I indicate that everything (0.0.0.0/0) goes through the virtual gateway of the VPN, as I indicate the tunnel works correctly since it does not have falls and in the case of internal traffic there is no problem.
 
Does anyone know where the error could be?
0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2021-09-23 12:50 PM

Which precise guide did you follow?
What precise version/JHF?
Did you create any NAT rules for the Internet-bound traffic?
I'm pretty sure you need to do this. 

0 Kudos
jasr_eiffage
Explorer
‎2021-09-24 03:46 AM
In response to PhoneBoy

Hi,

 

This guide: How to configure IPsec VPN tunnel between Check Point Security Gateway and Amazon Web Services VPC u...

Actually: R80.40 take 294

The NAT rules I have are the normal outgoing rules to the internet of the rest of the networks that pass through the CKP, would it be necessary to make a specific rule for the VPN?

0 Kudos
PhoneBoy
Admin
Admin
‎2021-09-24 03:45 PM
In response to jasr_eiffage

FYI, "Take 294" isn't a valid JHF level, I believe you can get that from cpinfo -y.

Obviously, the VPN is working, so you don't need NAT rules specifically for that.
But clearly the traffic is not getting to the Internet and NAT is the likely issue.
Have you done a tcpdump on the Internet-facing interface to see if the traffic is actually being translated?

What are the precise NAT rules you have configured?
I presume one of them is a HIDE NAT rule where you are hiding behind the gateway/cluster.
What is the precise IP address of that object?
If it's a private IP address (versus the elastic IP), that's probably why it's not working. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events