jb8578
Explorer

Traffic initiated from Lan to VPN Endpoint Client Blocked

Recently migrated from a Cisco ASA to a CP3800 R82. With the Cisco we were able to reach the VPN clients with traffic initiated from the Lan. This isn't happening with the CP. Logs show Lan initiated traffic being encrypted on the gateway, but that is where it ends. I don't have a NAT setup at this time between the VPN subnet and Lan. Not sure if that is the missing piece or it's something else.

Policy rules:

1. source: vpn@any, dest: intLan, VPN: RemoteAccess, Serv&app: Any, Action: Accept
2. source: intLan, dest: Any, VPN: Any, Serv&app: Any, Action: Accept
3. source: VPNsubnet, dest: intLan, VPN: Any, Serv&app: Any, Action: Accept
4. Cleanup rule

Added Rule #3 but didn't make a difference.

If the Endpoint Client only applies policy assigned to the VPN community (RemoteAccess), then that would explain what is happening.

Thanks for any help.

12 Replies
PhoneBoy
Admin

By default, this is blocked in Global Properties.
Enable Back Connections and push policy.

image.png

jb8578
Explorer

That is currently enabled. 

the_rock
Legend

Now that I re-read your post, I believe NAT could be the issue. Make sure the vpnsubnet object is NATed in SmartConsole; just do behind gateway.

Andy

the_rock
Legend

Just to make sure I'm not missing anything... are you saying when people connect with the VPN client, they can't access anything behind the fw?

Andy

jb8578
Explorer

VPN clients, when connected, can access anything just fine on the network, without a NAT. It's when, for example, my PC on the Lan tries to connect to a VPN client that it does not work. Ping, remote desktop, anything... does not work.

the_rock
Legend

Ah, got it now... so can you do this when trying on the fw (or if it's a cluster, whichever member is active at the moment)

fw ctl zdebug + drop | grep x.x.x.x

Just replace x.x.x.x with the IP you are trying to connect to.

ctrl+c to stop

Andy

jb8578
Explorer

Nothing showed up in debug on the cluster. Attached log showing traffic being encrypted to the VPN client.

Checked trac logs on the client, nothing with my source IP in it.

cp-enc.jpg

jb8578
Explorer

Client is E88.30

the_rock
Legend

Now that I think about it, let's start with the basics, as they say.

1) what subnet is assigned for vpn clients?

2) when the connection back from the Lan fails, what do you see when running route print from your machine?

3) If you run ip r g followed by the IP of the VPN client, does it show the correct info? i.e.: ip r g 10.10.10.50

4) if no drops are observed, then we can say with high confidence that the rules are fine, but to be 100% sure, you can run example 1 from the link below on the fw itself; just add the dst IP as well, ipp can be 0

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/FWG...

Andy

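The checks Andy lists, as a small shell script; this is an added example, not code from the thread or from Check Point. It assumes the Gaia shell on the active member and coreutils timeout, and the sample drop lines in it are a constructed approximation of the zdebug output format, not a real capture.

```shell
#!/bin/sh
# Added example (not from the thread or from Check Point): wraps the checks Andy
# lists, a route lookup for the client IP followed by "fw ctl zdebug + drop"
# filtered on it, and summarises the drops per direction and reason.
# Assumes the Gaia shell on the active member and coreutils "timeout".

# Outgoing interface from one "ip route get" line, e.g.
# "10.10.10.50 via 192.168.1.1 dev eth0 src 192.168.1.10" -> "eth0".
route_dev() {
  printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# Read zdebug drop lines on stdin, keep those naming $1 as source or
# destination, and print "<direction> <count> <reason>" per distinct reason.
# "to-client" means $1 was the destination, i.e. LAN-initiated traffic.
summarize_drops() {
  awk -v cip="$1" '
    index($0, cip) == 0 { next }
    {
      dir = "from-client"
      if (match($0, / -> [0-9.]+/) && substr($0, RSTART + 4, RLENGTH - 4) == cip)
        dir = "to-client"
      reason = "unknown"
      if (match($0, /Reason: [^;]*/)) reason = substr($0, RSTART + 8, RLENGTH - 8)
      count[dir "\t" reason]++
    }
    END { for (k in count) { split(k, p, "\t"); print p[1], count[k], p[2] } }
  ' | sort
}

# Constructed sample lines (approximate zdebug format) for an offline dry run.
sample_drops() {
  printf '%s\n' \
    ';[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=6 192.168.1.10:51000 -> 10.10.10.50:3389 dropped by fw_handle_first_packet Reason: Rulebase drop - on layer "Network" rule 4;' \
    ';[cpu_1];[fw4_1];fw_log_drop_ex: Packet proto=1 192.168.1.10:0 -> 10.10.10.50:0 dropped by fw_handle_first_packet Reason: Rulebase drop - on layer "Network" rule 4;' \
    ';[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.10.10.50:3389 -> 192.168.1.10:51000 dropped by fw_handle_old_conn Reason: Out of state TCP packet;' \
    ';[cpu_2];[fw4_2];fw_log_drop_ex: Packet proto=6 192.168.1.20:44000 -> 203.0.113.9:443 dropped by fw_handle_first_packet Reason: Rulebase drop - on layer "Network" rule 4;'
}

# Live run on the gateway: route check, then a 20-second drop capture
# (stopped with SIGINT, like ctrl+c, so zdebug resets its flags on exit).
live_check() {
  printf 'route to %s leaves via %s\n' "$1" "$(route_dev "$(ip route get "$1" | head -n 1)")"
  timeout -s INT 20 fw ctl zdebug + drop | summarize_drops "$1"
}

# Run live only when called with a client IP on a box that has "fw".
if [ -n "${1:-}" ] && command -v fw >/dev/null 2>&1; then
  live_check "$1"
fi
```

Without an argument the script only defines the functions, so sample_drops | summarize_drops 10.10.10.50 can be tried anywhere to see the summary format before running it on the gateway.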
the_rock
Legend

Can you attach full log please? Also, maybe worth trying E89 client version as a test.

Andy

jb8578
Explorer

Logs attached.

Tried E89 and no change.

the_rock
Legend

I meant the SmartConsole log.
