Thanks for the great inputs you shared., it will definetely be very helpful

Thanks for your contribution Danny Yang 的部落格. it will be very helpful.

can you please share the link you wanted to share in point 4.

Regards

Check what you have defined in your Encryption Domain and your Encryption Domain for Remote Access as well as what is defined in the topology of your gateways.

Additionally, you may be NATting the outbound traffic behind external IP of your internal cluster.

If this is the case, you should stop doing that and route networks to the external cluster unchanged, leaving NAT duties to it.

Check the routing from external cluster to internal network before troubleshooting VPN.

Your Remote Clients are likely getting IPs assigned from the "CP_default_Office_Mode_addresses_pool" network object on the external cluster.

Make sure that it is routed into and out of your internal cluster and networks and is included in the security policy applied to your internal cluster.

Cheers,

Vladimir

Hi Vladmir,

Thanks for your prompt reply and help.

I have changed the office-mode pool address to an address that will not have conflict in our internal network.

I changed the Encryption Domain, and now I get routes to all the operations and Magement IP addresses. Thanks for your help.

I can ping the internal hosts through their O&M interfaces and I get replies successfully. But when I try to RDP an internal server, the connection goes to the Clean-up rule. (see bellow image)

Any thoughts as to how this could be overcomed.

Thanks for your great comments.

Well, besides the obvious, "Have you created the rule permitting RDP from this source to this destination", the "Information field in the event you are showing contains:

Inzone: External

Outzone: External

Please check the topology and verify that the Pool's IP is included in the Internal cluster's "External" manually defined group. That there is a route in Gaia configs of both members pointing Pool's network to your External cluster's vIP and your internal networks are define behind Internal interfaces topology in both, external and Internal clusters objects. 

Hi Vladimir

Everything seems to be working just fine so far. but I wish to ask you one question.

Currently, our clients are being assigned Ips from the office pool defined by me (Eg.10.10.0.0). But when they try to access a resource inside our network, their traffic is being NATed into the External Cluster´s internal VIP(Eg, 10.33.7.1). Is there anyway I can stop this NATing, so that office pool address get into our network without being NATed.

Thanks in advance

Yep.

Create a two NAT rules on top of your NAT policy with:

Pool,Internal_Nets_Group, Any; Original, Original, Original

Internal_Nets_Group, Pool, Any; Original, Original, Original

Provided you have configured routing and topology properly, i.e.:

1. the Pool Network should be defined on External interface of Internal cluster member

2. the route to the Pool should be included in the routing table of the Internal Cluster Members

3. routes from external cluster members to Internal_Nets_Group should be present on the External Cluster Members

4. access control rules permitting this communication should be defined

5. Policy published and installed

Regards,

Vladimir

Your internal GWs should know that the Pool's range is on its external interface.

Your security policy should permit communication between Pool's range and your internal hosts that you are trying to connect to.

Your External Cluster's Internal interface topology should contain the same networks that are defined behind your Internal Cluster's Internal interface (in addition to intermediate network between internal and external clusters), else they will be treated as spoofed.

While you do have route 0 on your internal cluster members that should route your internal hosts to the Pool's range, I'd personally feel better adding explicit route for the Pool, pointing to the External Cluster's internal vIP.

You are quite w:)lcome!

Thank you. 

I have one more question for you before closing this thread.

I dont want our partners to connect to our VPN and get the message that the certificate is not trusted.

Would you kindly recommend which type of certificate has to be paid in order to overcome this situation? Since we have two different sites, do we have to buy two certificates or one should suffice.

Once again, thank you again

Any trusted CA cert would work.

GoDady is now the cheapest and most common source for the certs.

Please follow this post by Gaurav Pandya‌ to issue a CSR for the upload to the CA and the installation of the certificate:

https://community.checkpoint.com/docs/DOC-2732-create-csr-and-importing-third-part-certificate-in-mo... 

Thank you...

If it is not too much trouble, please leave a brief feedback on my LinkedIn page:

https://www.linkedin.com/in/vladimiry/ 

We are ramping-up our services and all positive references are appreciated.

Regards,

Vladimir

Not a trouble at all. Please accept my request so that I can recommend.

https://www.linkedin.com/in/dialungana-malungo-50321998/

Hi Vladimir Yakovlev‌

Everything seems to be working now, but the access to the corporate resources is very slow specially when accessing through a browser.

Any hints on how this issue could be overcome? Or some suggestions to improve the response time?

Thanks in advance

Without knowing what corporate resources you are talking about and their relation to the Check Point infrastructure, it is hard to figure out what may be wrong.

That being said, provided that there are no IP related issues, when in doubt, look at Name Resolution:

And make sure that the Name Server(s) you are specifying are accessible from and via your gateways.

Run nslookups from the gateways themselves, from local network to the same name servers and from VPN client.

Try changing the split tunnel to send all traffic through the VPN:

And keep in mind that if you are using Windows, it has a "DNS Leakage" issues. I.e. when you attempt to access anything by name, it will blast out DNS requests from ALL interfaces, including local Wi-Fi as well as that of the VPN virtual device.

If your "corporate resources" are resolvable from outside as well as from inside by the same names, confusion might ensue.

There are registry settings that could remedy that. See my article on LinkedIn for the link at the end:

DNS Security missconceptions 

Cheers,

Vladimir

Hi Vladimir Yakovlev‌

Thanks for the prompt response.

I am talking in particular about web applications and other platforms accessed via web.

Regards

Hi again Vladimir Yakovlev‌

The picture bellow shows our setup, the RA Access is being terminated on the internal firewall. There is a public IP on the External Firewaal that is being Statically NATed to the Internal Firewall Network C address (NAT performed by the External Firewall).

The RA clients are getting IPs from the defined Office_Mode Pool. The Office_Mode addresses are then being NATed to an Internal Network valid IP address (This NAT is performed by the Internal Firewall)

The DNS servers that are beeing assigned together with the Office_Mode Pool addresses arein the Internal Network.

"make sure that the Name Server(s) you are specifying are accessible from and via your gateways" . Yes, they are accessible, the Names are resolved but it takes some time to be resolved. However, the response time also takes a bit longer even when accessing directly with the IP address of the machine instead of its "name".

"keep in mind that if you are using Windows, it has a "DNS Leakage" issues. I.e. when you attempt to access anything by name, it will blast out DNS requests from ALL interfaces, including local Wi-Fi as well as that of the VPN virtual device". Yes, most of RA clients are windows based machines, in particular windows 10.

"If your "corporate resources" are resolvable from outside as well as from inside by the same names, confusion might ensue." No, most of the corporate resources (web applications and other platforms) are only part of our Intranet and they are not accessible from the outside unless you are connected to the VPN.

Thanks in advance

D

"make sure that the Name Server(s) you are specifying are accessible from and via your gateways" . Yes, they are accessible, the Names are resolved but it takes some time to be resolved. However, the response time also takes a bit longer even when accessing directly with the IP address of the machine instead of its "name".

Please test the access time and the lookup time from your external firewall and post it here.

Additionally, please remind me if your firewalls are single objects of clusters and, if second, if those are HA or VSLS.

We are using a clusterXL in Load-sharing mode.

Could you kindly remind me of any tool or commands that could help me get the lookup time.

Below are results of the query from the gateway with domain prefix properly configured looking up its defined DNS server:

[Expert@GW8010:0]# dig dc16

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-25.P1.11.cp991310011 <<>> dc16
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 37009
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dc16. IN A

;; Query time: 1 msec
;; SERVER: 10.101.25.10#53(10.101.25.10)
;; WHEN: Tue Nov 6 09:26:27 2018
;; MSG SIZE rcvd: 22

[Expert@GW8010:0]#

and this is its lookup of the internet host:

[Expert@GW8010:0]# dig www.yahoo.com

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-25.P1.11.cp991310011 <<>> www.yahoo.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 84
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.yahoo.com. IN A

;; ANSWER SECTION:
www.yahoo.com. 211 IN CNAME atsv2-fp-shed.wg1.b.yahoo.com.
atsv2-fp-shed.wg1.b.yahoo.com. 54 IN A 87.248.98.7
atsv2-fp-shed.wg1.b.yahoo.com. 54 IN A 87.248.98.8

;; Query time: 88 msec
;; SERVER: 10.101.25.10#53(10.101.25.10)
;; WHEN: Tue Nov 6 09:29:39 2018
;; MSG SIZE rcvd: 97

[Expert@GW8010:0]#

"Please test the access time and the lookup time from your external firewall and post it here."

I found the command to test the lookup time. But which lookup time you would like to see? from the external to which address/domain name?

To the internal corporate resources from both clusters. 

I will do that. But before that, there is one thing that I dont quiet understand.

The DNS server used by the RA Clients to resolve names is the one configured on the firewall (via GAIA), or the one configure in the Office_mode "Optional Parameter".