Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Theo
Collaborator

Clients from another LAN can't reach server from another LAN

I have a question about Site-Site VPN, and my concern is that the client computers from LAN_A could not access the server from LAN_B (RDP protocol).

 

VPN Community

Type: Star

Name: Asia

Center Gateways: fw-HongKong

Satellite Gateways: fw-Indonesia (LAN_A) and fw-Malaysia (LAN_B)

VPN Routing- To center and to other satellites through center

 

fw-HongKong

Gateway: Checkpoint 2200

Version: R77.30 Build 204

 

fw-Indonesia

Gateway: Checkpoint 1450

Version: R77.20

 

fw-Malaysia

Gateway: Checkpoint 1100

Version: R77.20

 

Keep in mind that above gateways are also a satellite gateways of another VPN Community (Star) which is Global. Upon checking the SmartLog, I noticed that the traffic is trying to encrypt in HQ gateway which is part of the Global Community, and is being dropped. I want to know how the traffic can be routed to the Center gateway in Asia (which is fw-HongKong) and reach the server in LAN_B which is behind fw-Malaysia gateway.

I already added the required rule in the destination Policy but it still failing, I guess the traffic is routed to the Center gateways in Global Community? Any ideas what to check?

Thanks for the time in reading from a newbie

0 Kudos
6 Replies
Chris_Atkinson
Employee Employee
Employee

How specific are the encryption domains configured for each gateway, do they overlap at all?

Is NAT enabled or disabled in each community, note more advanced configuration of the VPN routing is possible if required using vpn_route.conf.

CCSM R77/R80/ELITE
0 Kudos
Theo
Collaborator

note more advanced configuration of the VPN routing is possible if required using vpn_route.conf.

can the traffic be routed to another satellite gateway by configuring vpn_route.conf? can you please give a hint to force it? i mean is it possible that the traffic from fw-Indonesia can reach the server in fw-Malaysia by passing the Center gateway fw-HongKong?

0 Kudos
Chris_Atkinson
Employee Employee
Employee

Example:

Domain Based VPN 

CCSM R77/R80/ELITE
0 Kudos
Theo
Collaborator

I got this, and thank. I was able to update the $FWDIR/conf/vpn_route.conf in the Security Management Server

I just noticed from the SmartLog, the traffic is trying to Encrypt to Global Community instead of Asia VPN Community. I want the traffic to be Encrypt/Decrypt in my Center Gateway which is fw-HongKong

0 Kudos
Theo
Collaborator

Any idea guys?

0 Kudos
Chris_Atkinson
Employee Employee
Employee

As above I would also check that your VPN Domains are configured specific enough to avoid overlaps. You may have to leverage the "manual" option to achieve.

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events