This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Theo
Collaborator
‎2019-01-04 04:37 PM

Clients from another LAN can't reach server from another LAN

I have a question about Site-Site VPN, and my concern is that the client computers from LAN_A could not access the server from LAN_B (RDP protocol).

 

VPN Community

Type: Star

Name: Asia

Center Gateways: fw-HongKong

Satellite Gateways: fw-Indonesia (LAN_A) and fw-Malaysia (LAN_B)

VPN Routing- To center and to other satellites through center

 

fw-HongKong

Gateway: Checkpoint 2200

Version: R77.30 Build 204

 

fw-Indonesia

Gateway: Checkpoint 1450

Version: R77.20

 

fw-Malaysia

Gateway: Checkpoint 1100

Version: R77.20

 

Keep in mind that above gateways are also a satellite gateways of another VPN Community (Star) which is Global. Upon checking the SmartLog, I noticed that the traffic is trying to encrypt in HQ gateway which is part of the Global Community, and is being dropped. I want to know how the traffic can be routed to the Center gateway in Asia (which is fw-HongKong) and reach the server in LAN_B which is behind fw-Malaysia gateway.

I already added the required rule in the destination Policy but it still failing, I guess the traffic is routed to the Center gateways in Global Community? Any ideas what to check?

Thanks for the time in reading from a newbie

0 Kudos
6 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2019-01-04 05:49 PM

How specific are the encryption domains configured for each gateway, do they overlap at all?

Is NAT enabled or disabled in each community, note more advanced configuration of the VPN routing is possible if required using vpn_route.conf.

CCSM R77/R80/ELITE
0 Kudos
Theo
Collaborator
‎2019-01-04 06:03 PM
In response to Chris_Atkinson

note more advanced configuration of the VPN routing is possible if required using vpn_route.conf.

can the traffic be routed to another satellite gateway by configuring vpn_route.conf? can you please give a hint to force it? i mean is it possible that the traffic from fw-Indonesia can reach the server in fw-Malaysia by passing the Center gateway fw-HongKong?

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2019-01-04 06:42 PM
In response to Theo

Example:

Domain Based VPN 

CCSM R77/R80/ELITE
0 Kudos
Theo
Collaborator
‎2019-01-06 05:25 AM
In response to Chris_Atkinson

I got this, and thank. I was able to update the $FWDIR/conf/vpn_route.conf in the Security Management Server

I just noticed from the SmartLog, the traffic is trying to Encrypt to Global Community instead of Asia VPN Community. I want the traffic to be Encrypt/Decrypt in my Center Gateway which is fw-HongKong

0 Kudos
Theo
Collaborator
‎2019-01-10 06:24 PM
In response to Theo

Any idea guys?

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2019-01-10 06:36 PM
In response to Theo

As above I would also check that your VPN Domains are configured specific enough to avoid overlaps. You may have to leverage the "manual" option to achieve.

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events