Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Blason_R
Leader
Leader

Remote Access VPN for multiple Firewalls managed by same mgmt server - unable to connect

Hi Team,

Can someone please help me with my scenario?

  1. I have two firewalls one in US and other is in India.
  2. Both the firewalls are being managed by same mgmt server which is in India.
  3. US firewall is managed with Public IP address
  4. Remote access VPNs are configured on both the firewalls having office mode pools for india is 172.16.10.0/24 and US is 172.16.8.0/24
  5. There is a separate VPN device in place which has a tunnel configured with say location M, eventually both the locations need to reach 10.10.10.0/24
  6. Now issue is even users working from home dial in US FW and India FW and they wanted to connect to servers from 10.10.10.0/24.
  7. I did add 10.10.10.0/24 in encryption domain so that users when they login can access the servers.
  8. However users when they connect to India firewall they are able to access the network without issue.

But if the same user connect to US firewalls, they get a IP address from 172.16.8.0 office mode pool but unable to ping. When I do tracert to 10.10.10.10 it still shows India firewall as first hop and it does not route it through US firewall.

I have enclosed my scenario, can someone please help me on this?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
12 Replies
Blason_R
Leader
Leader

Is this achievable? I mean same destination can be connected from two different firewalls as a part of encryption domain?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
AkosBakos
Advisor

Hi @Blason_R 

A hope I understood the situation. My first tip would be the Encrition domains.

Did you added the 10.10.10.0/24 to both remote access ENC_DOM (UK and India)?  

Does SmartLog shows someting when the ping unsuccessful on US site?
Did you double check the Ruleset? 
Are there any used based rule?

Akos

 

----------------
\m/_(>_<)_\m/
0 Kudos
Blason_R
Leader
Leader

Yes it is added for sure and rules are added

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
AkosBakos
Advisor

And there is no user based rules? I mean that somethin is limited in the Access Role object.

And Where is the 10.10.10.10 server located?

----------------
\m/_(>_<)_\m/
0 Kudos
Blason_R
Leader
Leader

Rules are there for Remote Access vpn users. 10.10.10.10 are at remote location where site-site tunels are created from US and india location but not from checkpoint firewall. I have two routers at each locations and route is added on checkpoint i.e. 10.10.10.0/24 NH 192.168.10.2 for US Location and 192.168.20.2 for India lcoation. So that when user dials in they will be routed to router and to 10.10.10.0 network

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
AkosBakos
Advisor

Interesting. Have you done a TCPdump on the US FW? Maybe you will see someting unusal.

Now I'm out of ideas.

----------------
\m/_(>_<)_\m/
0 Kudos
JozkoMrkvicka
Mentor
Mentor

You have overlapping VPN encryption domain for US and India firewalls. If you want to have partially, or fully overlapping VPN encryption domain, you should use MEP feature.

Kind regards,
Jozko Mrkvicka
0 Kudos
Blason_R
Leader
Leader

Wondering MEP canbe configured for Remote access VPN?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Duane_Toler
Advisor

You will need to use Encryption Domains Per Community, and possibly per-peer.  You also need to have specific VPN domains for each gateway's Remote Access community. Like so:

 

The US gateway RA VPN domain, attached to RA community, needs to include the US site networks and the 10.10.10.0/24 network.
The IN gateway RA VPN domain, attached to RA community,  needs to include the IN site networks and the 10.10.10.0/24 network.

The US-to-M site-to-site VPN domain needs to include the US RA-VPN pool and the US site networks.

The IN-to-M site-to-site VPN domain needs to include the IN RA-VPN pool and the IN site networks.

On the Site M router, the crypto ACL/VPN domain attached to the US peer, needs to include the US site and RA-VPN pool.

On the Site M route,  the crypto ACL/VPN domain attached to the IN peer, needs to include the IN site and RA-VPN pool.

In the access rules, you need to be sure you have sufficient rules to allow traffic flowing in all directions.  If you're not using access roles for your users, then you have extra rules to consider.  For the "legacy user access" rules, which are only attached to the RemoteAccess community, your destination column needs to include the Site M network.

For the site-to-site VPN rules, your source column needs to include the IP pools of the two gateways, and the destination column include the Site M network.  You also will need a converse rule.

 

When your client connects a gateway, for Windows run "netstat -r" to make sure the client has the correct routes installed for the 10.10.10.0/24 network.  Now try your ping.

FYI: until the connections are working, using tracerotue to troubleshoot a VPN will be ambiguous at best; unreliable at worst.  I would never rely on traceroute as a troubleshooting command, unfortunately.  Your best troubleshooting is the route table on the client and the logs in SmartConsole or "fw monitor" on the gateway.

This configuration does work; I've done it plenty of times.

0 Kudos
Blason_R
Leader
Leader

This is exactly it is configured and due to overlapping encryption domain traffic is not passing through other peer.

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Duane_Toler
Advisor

What is your overlapping encryption domain?  I'm not seeing it on the diagram you posted.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events