Gusa2727
Contributor

Traffic between 2 users connected to Remote Access.

Hello,

I have a simple question: is it possible to allow 2 users connected through Remote Access on the same Gateway to talk to each other? I am trying to ping another laptop connected via RA but I cannot, although I can ping both devices from the internal LAN. Thanks!

Best Regards.

0 Kudos
13 Replies
_Val_
Admin

Technically, with Office Mode IP addresses, VPN routing through GW is possible. However, these IP assignments are dynamic, hence in practice it is really hard to achieve.

So, the practical answer is: most probably no.

0 Kudos
Gusa2727
Contributor

Hello,

Thank you for your answer. IPs being assigned dynamically is not a problem; the thing is that we need two users connected to RA VPN to be able to talk using Cisco Jabber, so I need IP connectivity between these users. I have selected the Hub Mode option (Allow VPN Clients to route traffic through this gateway) but it does not work :-(. I think that there should be a solution for this; two remote users being able to call and talk to each other using VoIP is not an uncommon scenario.

Best Regards.

0 Kudos
_Val_
Admin

Check that you have specifically allowed Jabber connectivity through the VPN tunnel.

0 Kudos
Bob_Bumpus1
Employee

You probably need to add the Office Mode network to the VPN Domain of the gateway. If that doesn't help, double-check the traffic logs and see if they give an indication as to why this doesn't work.

0 Kudos
Gusa2727
Contributor

Yes, I have added the network to the VPN Domain for Remote Access and I even added a rule to permit traffic between the remote access pool network and the remote access pool network.

The thing is that I have the same scenario on a Cisco ASA and it works, two users connected to RA VPN are able to call each other using Jabber.

Looking at the Check Point logs, I cannot find anything related to this traffic, but I can see that my PC is sending the traffic to the firewall when I try to reach another user connected to RA VPN. I was able to see it using Wireshark. There is something in the Check Point which is dropping this traffic silently, but I cannot find the reason 😞

Thanks.

 

0 Kudos
Vladimir
Champion

@Gusa2727, were you ever able to find a solution to this issue? Looks like one of my clients with Jabber is looking to replace their AnyConnect solution with Check Point RA and I may run into the same situation.

Thank you.

0 Kudos
Gareth_somers
Contributor

There should be no issue; we allow Remote Access clients to communicate with each other (Jabber, remote access for ICT, etc.) without issue. We use Office Mode to assign IPs and a post-connection script to update DNS in AD so they resolve correctly.

We did see an issue with certain users (less than 0.2% of the user base) where SecureXL templates weren't being created correctly and Remote Access to Remote Access failed for them (so no ping, Jabber calls, SMB etc.) but access from the LAN worked fine. Disabling SecureXL (fwaccel off) fixed this, and once we moved to R80.40 we were able to re-enable SecureXL without issue.

0 Kudos
Vladimir
Champion

Thank you @Gareth_somers. Can you clarify a few things for me:

1. Are your remote clients using Secure Domain Logon (SDL)?

2. Do you serve them IPs from AD DHCP or the Office mode range?

3. Do you allow Reverse Lookup Zone in AD DNS to use Nonsecure and Secure updates?

 

If it is not too much trouble, can you share the script or drop it to me in DM?

0 Kudos
Gareth_somers
Contributor

1. Are your remote clients using Secure Domain Logon (SDL)?

No - we decided against this as a security risk; we didn't want the VPN up before the user was logged in. Instead we use user certs stored in their personal store, so in order to connect to the network they must first authenticate.

2. Do you serve them IPs from AD DHCP or the Office mode range?

Originally we used DHCP from AD; however, we do not have AD in the datacenter where the Remote Access firewalls are located, and this meant traversing other firewalls and a VPN tunnel in order to get IPs. Given the dependency on this, we moved to the firewalls providing IPs locally, which meant that we had to add logic via a post-connect script to update DNS (only secure DNS changes are allowed in our AD) and to update GPOs.

3. Do you allow Reverse Lookup Zone in AD DNS to use Nonsecure and Secure updates?

Secure updates as above; this is handled via a script run post-connection from the end user's device.

0 Kudos
Ave_Joe
Contributor

The post-connection script may be just the ticket I am looking for to address a DNS inconsistency that has shown its head from time to time in my environment. Are you willing to share a 'cleaned' version of the script?

0 Kudos
Gareth_somers
Contributor

Sure. I may have made it sound more impressive than it actually is; the DNS update is just done via a call to gpupdate:

@echo off
echo **************************************
echo **************************************
echo **                                  **
echo **  Please wait while we connect you  **
echo **                                  **
echo **************************************
echo **************************************
REM Pause for roughly five seconds so the tunnel and adapter settle before the policy refresh
ping 127.0.0.1 -n 5 > nul
REM Refresh Group Policy; /wait:0 returns immediately instead of waiting for processing to finish
gpupdate /wait:0
REM Trigger an SCCM (ConfigMgr) client schedule via WMI; this GUID is the Discovery Data Collection Cycle
WMIC /namespace:\\root\ccm path sms_client CALL TriggerSchedule "{00000000-0000-0000-0000-000000000003}" /NOINTERACTIVE
@echo on
exit

Ave_Joe
Contributor

I would start by checking the route table on RA client PCs when connected to RA VPN. If the route to the Office Mode network is there, then I suspect the voice issue may be NAT related. I would look to see if there is a no-NAT rule for the Office Mode IPs.
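A small checker for the two things suggested in this thread (the client's route to the Office Mode pool, and whether a hide-NAT rule on the gateway matches pool-to-pool traffic before a no-NAT rule), added here as an example and not taken from any post; the route table, the pool 10.200.0.0/16 and the NAT rules are all constructed samples.

```python
"""Sanity checks for Remote Access client-to-client reachability:
(1) does the client's route table send the Office Mode pool into the VPN
adapter, and (2) which NAT rule fires first for pool-to-pool traffic?
All sample data below is constructed for illustration."""
import ipaddress

# Constructed sample of the IPv4 table from "route print" on a connected client.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
       10.200.0.0      255.255.0.0          On-link     10.200.0.17      1
      10.200.0.17  255.255.255.255          On-link     10.200.0.17    256
      192.168.1.0    255.255.255.0          On-link    192.168.1.50    281
"""

def pool_route_ok(route_print, office_mode_cidr, vpn_adapter_ip):
    """True if the most specific route covering the whole Office Mode pool
    leaves via the VPN adapter (the client's own Office Mode address)."""
    pool = ipaddress.ip_network(office_mode_cidr)
    best = None
    for line in route_print.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
        except ValueError:
            continue
        # Longest-prefix match among routes that cover the entire pool.
        if pool.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, parts[3])  # parts[3] is the egress interface address
    return best is not None and best[1] == vpn_adapter_ip

# Constructed NAT rulebases in top-down, first-match order: (src, dst, action).
NAT_RULES_BAD = [
    ("10.200.0.0/16", "0.0.0.0/0", "hide-behind-gateway"),  # hide rule shadows the exemption
    ("10.200.0.0/16", "10.200.0.0/16", "no-nat"),
]
NAT_RULES_GOOD = [
    ("10.200.0.0/16", "10.200.0.0/16", "no-nat"),  # exempt pool-to-pool traffic first
    ("10.200.0.0/16", "0.0.0.0/0", "hide-behind-gateway"),
]

def first_nat_match(rules, src_ip, dst_ip):
    """Return the action of the first NAT rule matching src->dst (first match wins)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for s, d, action in rules:
        if src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d):
            return action
    return "no-nat"  # nothing matched: traffic leaves untranslated
```

Run first_nat_match over the real rule order before and after moving the no-NAT rule; if the hide rule wins for pool-to-pool traffic, the peer client sees the gateway address and Jabber media will not return.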

 

Fernandosilva
Explorer

I have this scenario in our environment; we use VPN Client 84.00 and Cisco Jabber, and we call each other without problem. Send me an e-mail and we can do a remote session in WebEx.

fernando.bvds@gmail.com

0 Kudos