This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Vlad_Voronko
Participant
‎2018-04-24 06:51 AM
Jump to solution

No ssh access to VPN peer outside IP

While testing a site-to-site VPN tunnel between CP80.10 and Cisco ASA, I noticed that right after I had configured the IPSec peer on CP80.10, I was no longer able to ssh to 10.0.14.101 (ASA outside IP) to manage the device. Then I looked into the logs on CP and found out that CP80.10 is trying to encrypt packets destined to ASA outside IP address 10.0.14.101. I wasn't able to find any info about this issue. Is there any way how I can disable or turn off this behavior? Screenshot of the logs in the attachment. Thanks.

Preview file
98 KB
0 Kudos
1 Solution

Accepted Solutions
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-04-24 07:18 AM
In response to Vlad_Voronko
Jump to solution

I would suggest to consult sk25675 Customizing VPN Domain to exclude IP Address and allow clear text and sk108600 VPN Site-to-Site with 3rd party Scenario 3 !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

9 Replies
Marco_Valenti
Advisor
‎2018-04-24 06:58 AM
Jump to solution

quick way to solve it ? use excluded service and add ssh there , definition ip of the remote peer is part of the remote enc domain

Vlad_Voronko
Participant
‎2018-04-24 07:11 AM
In response to Marco_Valenti
Jump to solution

Hi Marco,

I considered that option but I guess enabling it would prevent me from establishing an ssh session to the equipment residing behind the ASA (which only reachable over the VPN tunnel).

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-04-24 07:18 AM
In response to Vlad_Voronko
Jump to solution

I would suggest to consult sk25675 Customizing VPN Domain to exclude IP Address and allow clear text and sk108600 VPN Site-to-Site with 3rd party Scenario 3 !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Vlad_Voronko
Participant
‎2018-04-24 07:26 AM
In response to G_W_Albrecht
Jump to solution

Günther and Brandon,

Thanks a lot I'll take a look into this.

0 Kudos
Gomboragchaa
Advisor
‎2021-03-15 01:40 AM
In response to G_W_Albrecht
Jump to solution

Hi @G_W_Albrecht ,

What about on Scalable Platforms (Maestro). SMS is R80.40 and GW is R80.30SP.

I've tried to edit crypt.def file on Management and GW as well. But still no success. 

Before I used to this SK and it works perfect and SMS, GW both were the same version..

 Do you have any clue?

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2021-03-15 02:41 AM
In response to Gomboragchaa
Jump to solution

Three hints:

- The "crypt.def" file has to be edited only on Security Management Server. The relevant code will be transferred to Security Gateway during policy installation. (sk98241)

- The "crypt.def" file has to be edited in plain-text editor (Vi on Unix-based OS ; Notepad/Notepad++ on Windows OS).  (sk98241)

- R80.30SP should be included when $FWDIR/lib/crypt.def is edited and the policy installed. (sk98241)

If all these have been followed i would contact TAC !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Brandon_Pace
Employee
Employee
‎2018-04-24 07:17 AM
Jump to solution

sk108600 Scenario 3 - Implied inclusion of Check Point Security Gateway's / 3rd party VPN Peer's interfaces

Vlad_Voronko
Participant
‎2018-04-24 07:27 AM
In response to Brandon_Pace
Jump to solution

Brandon,

Thanks a lot I'll take a look into this.

0 Kudos
Kim_Moberg
Advisor
‎2018-04-24 09:57 PM
Jump to solution

Did you try to exclude ssh in the vpn community? And then push policy?

Of course if you need to use ssh on Remote encryption domain, that might be a challange.


Best Regards
Kim
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events