While testing a site-to-site VPN tunnel between CP80.10 and Cisco ASA, I noticed that right after I had configured the IPSec peer on CP80.10, I was no longer able to ssh to 10.0.14.101 (ASA outside IP) to manage the device. Then I looked into the logs on CP and found out that CP80.10 is trying to encrypt packets destined to the ASA outside IP address 10.0.14.101. I wasn't able to find any info about this issue. Is there any way I can disable or turn off this behavior? Screenshot of the logs is in the attachment. Thanks.
Quick way to solve it? Use excluded services and add ssh there. By definition, the IP of the remote peer is part of the remote enc domain.
Hi Marco,
I considered that option, but I guess enabling it would prevent me from establishing an ssh session to the equipment residing behind the ASA (which is only reachable over the VPN tunnel).
sk108600 Scenario 3 - Implied inclusion of Check Point Security Gateway's / 3rd party VPN Peer's interfaces
Thanks a lot, I'll take a look into this.
Did you try to exclude ssh in the vpn community? And then push policy?
Of course, if you need to use ssh on the remote encryption domain, that might be a challenge.