Blason_R
Leader

Remote Access VPN for multiple Firewalls managed by same mgmt server - unable to connect

Hi Team,

Can someone please help me with my scenario?

  1. I have two firewalls, one in the US and the other in India.
  2. Both firewalls are managed by the same mgmt server, which is in India.
  3. The US firewall is managed via its public IP address.
  4. Remote access VPNs are configured on both firewalls; the office mode pool for India is 172.16.10.0/24 and for the US is 172.16.8.0/24.
  5. There is a separate VPN device in place which has a tunnel configured with, say, location M; eventually both locations need to reach 10.10.10.0/24.
  6. Now the issue: users working from home dial in to the US FW and the India FW and want to connect to servers in 10.10.10.0/24.
  7. I did add 10.10.10.0/24 to the encryption domain so that users can access the servers when they log in.
  8. Users who connect to the India firewall are able to access the network without issue.

But if the same user connects to the US firewall, they get an IP address from the 172.16.8.0 office mode pool but are unable to ping. When I do a tracert to 10.10.10.10 it still shows the India firewall as the first hop, and it does not route through the US firewall.

I have enclosed my scenario; can someone please help me with this?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
8 Replies
Blason_R
Leader

Is this achievable? I mean, can the same destination be reached from two different firewalls as part of the encryption domain?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
AkosBakos
Advisor

Hi @Blason_R 

I hope I understood the situation. My first tip would be the encryption domains.

Did you add 10.10.10.0/24 to both remote access ENC_DOMs (UK and India)?

Does SmartLog show something when the ping is unsuccessful on the US site?
Did you double check the ruleset?
Are there any user based rules?

Akos


----------------
\m/_(>_<)_\m/
Blason_R
Leader

Yes, it is added for sure, and rules are added.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
AkosBakos
Advisor

And there are no user based rules? I mean that something is limited in the Access Role object.

And where is the 10.10.10.10 server located?

----------------
\m/_(>_<)_\m/
Blason_R
Leader

Rules are there for Remote Access VPN users. 10.10.10.10 is at a remote location where site-to-site tunnels are created from the US and India locations, but not from the Check Point firewall. I have two routers, one at each location, and a route is added on the Check Point, i.e. 10.10.10.0/24 NH 192.168.10.2 for the US location and 192.168.20.2 for the India location, so that when users dial in they are routed to the router and on to the 10.10.10.0 network.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
AkosBakos
Advisor

Interesting. Have you done a tcpdump on the US FW? Maybe you will see something unusual.

Now I'm out of ideas.

----------------
\m/_(>_<)_\m/
JozkoMrkvicka
Mentor

You have overlapping VPN encryption domains for the US and India firewalls. If you want to have partially or fully overlapping VPN encryption domains, you should use the MEP feature.

Kind regards,
Jozko Mrkvicka
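The overlap JozkoMrkvicka points at can be checked before it turns into a routing surprise. The script below is an added example (not from this thread or from Check Point), which takes each gateway's remote-access encryption domain as a list of CIDRs and reports every pair of gateways that publish overlapping networks, plus which gateways claim a given destination host. The gateway names and the two local LANs are constructed from the scenario; only the office-mode pools and 10.10.10.0/24 come from the thread.

```python
# Added example: flag overlapping remote-access encryption domains across
# gateways managed by one management server, the condition that needs MEP.
# Data is constructed from the thread; 192.168.x.0/24 LANs are assumed.
import ipaddress
from itertools import combinations

# Constructed: office-mode pool, local LAN and the shared 10.10.10.0/24
# that was added to both gateways' encryption domains.
ENCRYPTION_DOMAINS = {
    "India-FW": ["172.16.10.0/24", "192.168.20.0/24", "10.10.10.0/24"],
    "US-FW":    ["172.16.8.0/24",  "192.168.10.0/24", "10.10.10.0/24"],
}


def parse_domains(domains):
    """Map {gateway: [cidr, ...]} to IPv4Network objects, rejecting malformed CIDRs."""
    return {gw: [ipaddress.ip_network(n, strict=True) for n in nets]
            for gw, nets in domains.items()}


def find_overlaps(domains):
    """Return (gw_a, gw_b, net_a, net_b) for every pair of gateways whose
    encryption-domain networks overlap (equal, subnet or supernet)."""
    parsed = parse_domains(domains)
    hits = []
    for (gw_a, nets_a), (gw_b, nets_b) in combinations(parsed.items(), 2):
        for na in nets_a:
            for nb in nets_b:
                if na.overlaps(nb):
                    hits.append((gw_a, gw_b, str(na), str(nb)))
    return hits


def gateways_claiming(domains, host):
    """Gateways whose encryption domain covers one destination host.
    More than one answer means the client must pick a gateway for that
    destination, which is the decision MEP is meant to arbitrate."""
    addr = ipaddress.ip_address(host)
    parsed = parse_domains(domains)
    return sorted(gw for gw, nets in parsed.items() if any(addr in n for n in nets))


if __name__ == "__main__":
    for gw_a, gw_b, na, nb in find_overlaps(ENCRYPTION_DOMAINS):
        print(f"overlap: {gw_a} {na} <-> {gw_b} {nb} (consider MEP)")
    print("10.10.10.10 is claimed by:",
          gateways_claiming(ENCRYPTION_DOMAINS, "10.10.10.10"))
```

Running it on the constructed data reports the single 10.10.10.0/24 overlap and shows both gateways claiming 10.10.10.10, which matches the tracert symptom in the first post.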
Blason_R
Leader

Wondering whether MEP can be configured for Remote Access VPN?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS