I can ping but I can't browse - vpn and proxy check point
Hello everyone
I'm having some issues using the Check Point Gateway as a proxy when I'm using the check point client VPN.
Scenario is as follows: my gateway is configured as a proxy. Recently I activated VPN functionality. The vpn works normally, however, I can not navigate if I use the proxy check point but I can ping any site.
I made a test connected in another VPN that gives access to the same networks, I used the Check Point proxy again and the access was allowed or denied according to my ACLs and I can see it in my logs.
Is there any limitation on using the gateway as VPN and proxy, or should I make some configuration?
Thanks!
Please specify the version of the Check Point Management and gateways, if you have proxy configured in transparent or explicit mode, if you have defined the interface for the proxy and if you are using .pac files on your VPN clients.
Additionally, please clarify what kind of VPN we are talking about: SSL or IPSec, and if the second, what VPN software client and version is in use.
Thanks for your answer, Vladimir!
I'm using R80.10 in both: Management and gateway. Proxy is configured in Non Transparent mode. I did not define an interface for the proxy and in this first moment I'm not using .pac file on VPN client.
I'm using IPSec with Check Point Endpoint Security E80.70
Kadu,
Please check if the VPN tunneling is enabled on your EndPoint Security clients, else you are looking at the split tunnel scenario, where not all traffic is being sent to the gateways.
Since you have mentioned that you can ping all the sites, (I presume from the client), try traceroute from the client to determine if your ICMP traffic is going over the VPN, or if it is going directly via local gateway of the remote client.
Additionally, it is a good idea to determine, using nslookup, where the DNS resolution is happening, locally or via VPN.
Next, confirm that you are offering "Office Mode" to remote users.
If yes, check the IP Pool that is being used for address allocation.
Make sure that you have a rule allowing the IP pool to access Internet and that it is being NATed on its way out.
You may also check "Optional Parameters" in the "Office Mode" to see what DNS servers are defined for remote clients.
Cheers,
Vladimir
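The traceroute check in the reply above comes down to which interface the client's routing table selects for each destination. The following is an added example, not part of the thread and not Check Point code; the routing tables, addresses (`10.20.0.1` as the proxy, `203.0.113.10` as an Internet host) and interface names are constructed sample data.

```python
import ipaddress

# Constructed routing tables (prefix, interface, metric); all values are sample data.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "Wi-Fi", 25),
    ("192.168.1.0/24", "Wi-Fi", 25),
    ("10.20.0.0/16", "VPN", 1),      # only the encryption domain is tunneled
]
ROUTE_ALL = [
    ("0.0.0.0/0", "Wi-Fi", 25),
    ("0.0.0.0/0", "VPN", 1),         # default route pushed through the tunnel
    ("192.168.1.0/24", "Wi-Fi", 25),
    ("10.20.0.0/16", "VPN", 1),
]

def egress_interface(dest, routes):
    """Longest-prefix match, lowest metric as tie-break, like an OS route lookup."""
    addr = ipaddress.ip_address(dest)
    matches = [
        (ipaddress.ip_network(prefix).prefixlen, -metric, iface)
        for prefix, iface, metric in routes
        if addr in ipaddress.ip_network(prefix)
    ]
    if not matches:
        raise LookupError(f"no route to {dest}")
    return max(matches)[2]

def diagnose(routes, proxy_ip, internet_ip, vpn_iface="VPN"):
    """Classify the client by where proxy and Internet traffic leave the host."""
    proxy_via_vpn = egress_interface(proxy_ip, routes) == vpn_iface
    internet_via_vpn = egress_interface(internet_ip, routes) == vpn_iface
    if proxy_via_vpn and not internet_via_vpn:
        return "split tunnel: ping bypasses the gateway, proxy traffic does not"
    if proxy_via_vpn and internet_via_vpn:
        return "route-all: both ping and proxy traffic reach the gateway"
    return "proxy not reachable through the tunnel"

if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL), ("route-all", ROUTE_ALL)):
        print(name, "->", diagnose(table, "10.20.0.1", "203.0.113.10"))
```

In the split-tunnel table a successful ping to an Internet host says nothing about the gateway's rules or NAT for the Office Mode pool, because that ICMP never enters the tunnel.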
Vladimir, is this option you referred to (VPN tunneling)? How can I change it?
My ICMP traffic is going directly via local gateway of my remote client.
DNS resolution is happening via VPN normally.
I'm offering "Office Mode" to remote users.
Any idea?
Thanks for your time!
If you are using a simple SecuRemote, you will not be able to change this:
If you are using a full EndPoint security, this should work:
Provided the rules are in place to allow it.
Cheers,
Vladimir