This website uses cookies. By browsing this website, you consent to the use of cookies. Learn more.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Highlighted
Vlad_Voronko
Iron
‎2018-04-24 06:51 AM

No ssh access to VPN peer outside IP

Jump to solution

While testing a site-to-site VPN tunnel between CP80.10 and Cisco ASA, I noticed that right after I had configured the IPSec peer on CP80.10, I was no longer able to ssh to 10.0.14.101 (ASA outside IP) to manage the device. Then I looked into the logs on CP and found out that CP80.10 is trying to encrypt packets destined to ASA outside IP address 10.0.14.101. I wasn't able to find any info about this issue. Is there any way how I can disable or turn off this behavior? Screenshot of the logs in the attachment. Thanks.

0 Kudos
Reply
1 Solution

Accepted Solutions
Highlighted
7 Replies
Highlighted
Marco_Valenti
Silver
‎2018-04-24 06:58 AM

Re: No ssh access to VPN peer outside IP

Jump to solution

quick way to solve it ? use excluded service and add ssh there , definition ip of the remote peer is part of the remote enc domain

Reply
Highlighted
Vlad_Voronko
Iron
‎2018-04-24 07:11 AM

Re: No ssh access to VPN peer outside IP

Jump to solution

Hi Marco,

I considered that option but I guess enabling it would prevent me from establishing an ssh session to the equipment residing behind the ASA (which only reachable over the VPN tunnel).

0 Kudos
Reply
Highlighted
Highlighted
Vlad_Voronko
Iron
‎2018-04-24 07:26 AM

Re: No ssh access to VPN peer outside IP

Jump to solution

Günther and Brandon,

Thanks a lot I'll take a look into this.

0 Kudos
Reply
Highlighted
Brandon_Pace
Employee
Employee
‎2018-04-24 07:17 AM

Re: No ssh access to VPN peer outside IP

Jump to solution

sk108600 Scenario 3 - Implied inclusion of Check Point Security Gateway's / 3rd party VPN Peer's interfaces

Reply
Highlighted
Vlad_Voronko
Iron
‎2018-04-24 07:27 AM

Re: No ssh access to VPN peer outside IP

Jump to solution

Brandon,

Thanks a lot I'll take a look into this.

0 Kudos
Reply
Highlighted
Kim_Moberg
Silver
‎2018-04-24 09:57 PM

Re: No ssh access to VPN peer outside IP

Jump to solution

Did you try to exclude ssh in the vpn community? And then push policy?

Of course if you need to use ssh on Remote encryption domain, that might be a challange.


Best Regards
Kim
0 Kudos
Reply