Ricki_Juntak
Explorer

Reject "IP address was blocked access to 'aws'": why is traffic always VPN traffic?

Jump to solution

Hello guys,

I need help with a connection that is always rejected by the gateway, as in the schema below:

Host (local IP with static NAT to public) -> Check Point gateway -> AWS

The host's network is in the VPN domain group network.

The VPN domain is used in the Remote Access VPN community, but the host is not connected over VPN.

The connection is not over VPN, but the gateway log states that this is VPN traffic (why is this happening?).

When we test telnet to AWS (also allowed in the rule policy) from a host not using VPN, the result is the same and we cannot SSH to AWS.

Maybe someone has faced this same issue...

0 Kudos
1 Solution

4 Replies
PhoneBoy
Admin
Admin

Your description isn't making a lot of sense.
A network diagram, screenshots of the relevant configuration, log cards (with sensitive details redacted), and the version/JHF level are appreciated.

0 Kudos
Ricki_Juntak
Explorer

Thank you PhoneBoy for your response,

but I can't share the log, configuration and topology, because of the user information in them.

We ran vpn tu and found IP address a.b.c.d in the IKE list; that means there is a tunnel from a.b.c.d to the CP gateway, right?

But the user confirms there is no VPN configuration from a.b.c.d to the CP gateway.

#vpn tu

Peer: a.b.c.d 
| Client public IP: inx invalid type (0) | | i: 2 ref: 1 |
| Authenticated at: Dec 6 08:02:27 | | i: 3 ref: 1 |
| Methods: ESP Transport 3DES SHA1 | | i: 4 ref: 1 |
| My TS: CP_Gateway | | i: 5 ref: 1 |
| Peer TS: a.b.c.d | | i: 6 ref: 1 |
| User: <L2TP_machine_user>_291593747757..|
| MSPI: 8000f3 (i: 1, p: - )

The latest information from the customer: the endpoint (PC) has 2 VPNs, 1 OpenVPN to a.b.c.d and 1 VPN to the Check Point Gateway, and the CP Gateway has a rule from the VPN domain segment to access a.b.c.d.

0 Kudos
PhoneBoy
Admin
Admin

If you can't share details publicly, recommend working with the TAC.

0 Kudos
Ricki_Juntak
Explorer

Thank you PhoneBoy

Regards,

Ricki

0 Kudos