Recently migrated from a Cisco ASA to a CP3800 R82. With the Cisco we were able to reach the VPN clients with traffic initiated from the LAN. This isn't happening with the CP. Logs show LAN-initiated traffic being encrypted on the gateway, but that is where it ends. I don't have a NAT set up at this time between the VPN subnet and the LAN. Not sure if that is the missing piece or it's something else.
Policy rules:
1. source: vpn@any, dest: intLan, VPN: RemoteAccess, Serv&app: Any, Action: Accept
2. source: intLan, dest: Any, VPN: Any, Serv&app: Any, Action: Accept
3. source: VPNsubnet, dest: intLan, VPN: Any, Serv&app: Any, Action: Accept
4. Cleanup rule
Added Rule #3 but didn't make a difference.
If the Endpoint Client only applies policy assigned to the VPN community (RemoteAccess), then that would explain what is happening.
Thanks for any help.
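To make the rulebase reasoning in this question concrete, here is an added example (my own illustration, not Check Point code and not from the original poster) that models the four rules above as data and applies first-match semantics to both directions of the connection. The intLan and VPNsubnet address ranges are constructed placeholders, and the treatment of the Source column value `vpn@any` and of the VPN column follows the usual meaning of those fields in a Check Point access rule: `vpn@any` matches traffic that arrived through a VPN tunnel, and a VPN column of `Any` matches both encrypted and clear traffic.

```python
"""Toy first-match rulebase check for the "LAN -> remote access client" question.

Added example, not Check Point code: the rules are the four posted in the
thread; the subnets are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder objects (the thread does not state the real subnets).
OBJECTS = {
    "intLan": [ipaddress.ip_network("192.168.10.0/24")],
    "VPNsubnet": [ipaddress.ip_network("10.10.10.0/24")],  # Office Mode pool
}


@dataclass
class Rule:
    number: int
    source: str      # object name, "Any", or "vpn@any"
    dest: str        # object name or "Any"
    vpn: str         # community name or "Any"
    action: str


# The rulebase exactly as listed in the question (rule 4 is the cleanup rule).
RULES = [
    Rule(1, "vpn@any", "intLan", "RemoteAccess", "Accept"),
    Rule(2, "intLan", "Any", "Any", "Accept"),
    Rule(3, "VPNsubnet", "intLan", "Any", "Accept"),
    Rule(4, "Any", "Any", "Any", "Drop"),
]


def _in_object(ip: str, name: str) -> bool:
    """True if ip falls inside the named network object ("Any" matches all)."""
    if name == "Any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OBJECTS[name])


def _source_matches(rule: Rule, src_ip: str, src_via_vpn: bool) -> bool:
    # "vpn@any" matches only sources that reached the gateway through a tunnel.
    if rule.source == "vpn@any":
        return src_via_vpn
    return _in_object(src_ip, rule.source)


def _vpn_matches(rule: Rule, community: Optional[str]) -> bool:
    # "Any" matches clear and encrypted traffic; a named community matches only
    # connections carried on that community's tunnel.
    return rule.vpn == "Any" or rule.vpn == community


def first_match(rules, src_ip: str, dst_ip: str,
                community: Optional[str], src_via_vpn: bool) -> Rule:
    """Return the first rule that matches the connection (first-match wins)."""
    for rule in rules:
        if (_source_matches(rule, src_ip, src_via_vpn)
                and _in_object(dst_ip, rule.dest)
                and _vpn_matches(rule, community)):
            return rule
    raise LookupError("no rule matched; a real rulebase always ends in cleanup")


def lan_to_client(rules=RULES) -> Rule:
    """PC on the LAN initiates a connection to a connected VPN client."""
    return first_match(rules, "192.168.10.25", "10.10.10.50",
                       community="RemoteAccess", src_via_vpn=False)


def client_to_lan(rules=RULES) -> Rule:
    """Connected VPN client initiates a connection into the LAN."""
    return first_match(rules, "10.10.10.50", "192.168.10.25",
                       community="RemoteAccess", src_via_vpn=True)


if __name__ == "__main__":
    for label, rule in (("LAN -> client", lan_to_client()),
                        ("client -> LAN", client_to_lan())):
        print(f"{label}: rule {rule.number} ({rule.action})")
    # Without rule 2, the LAN-initiated direction would fall to the cleanup rule
    # and "fw ctl zdebug + drop" would report a rulebase drop for it.
    trimmed = [r for r in RULES if r.number != 2]
    print("LAN -> client without rule 2:", lan_to_client(trimmed).number)
```

With the rulebase as posted, the LAN-initiated direction is accepted by rule 2 (VPN column Any), so rule 3 is redundant, which matches the observation that adding it changed nothing; if the rulebase were the problem, the drop debug suggested later in the thread would show the packet hitting the cleanup rule.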
By default, this is blocked in Global Properties.
Enable Back Connections and push policy.
That is currently enabled.
Now that I re-read your post, I believe NAT could be the issue. Make sure the vpnsubnet object is NATted in SmartConsole, just do behind gateway.
Andy
Just to make sure I'm not missing anything...are you saying when people connect with the VPN client, they can't access anything behind the fw?
Andy
VPN clients, when connected, can access anything just fine on the network, without a NAT. It's when, for example, my PC on the LAN tries to connect to a VPN client that it does not work. Ping, remote desktop, anything....does not work.
Ah, got it now...so can you do this when trying on the fw (or if it's a cluster, whichever is active atm)
fw ctl zdebug + drop | grep x.x.x.x
Just replace x.x.x.x with IP you are trying to connect to
ctrl+c to stop
Andy
Nothing showed up in debug on the cluster. Attached log showing traffic being encrypted to the VPN client.
Checked trac logs on the client, nothing with my source IP in it.
Client is E88.30
Now that I think about it, let's start with the basics, as they say.
1) what subnet is assigned for vpn clients?
2) when the connection back from the LAN fails, what do you see when running route print from your machine?
3) If you run ip r g and then the IP of the VPN client, does it show correct info? i.e. ip r g 10.10.10.50
4) if no drops are observed, then we can say with high confidence that the rules are fine, but to be 100% sure, you can run example 1 from the below link on the fw itself, just add the dst IP as well; ipp can be 0
Andy
Can you attach full log please? Also, maybe worth trying E89 client version as a test.
Andy
I meant the SmartConsole log.