This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
jb8578
Explorer
‎2025-08-21 07:49 AM

Traffic initiated from Lan to VPN Endpoint Client Blocked

Recently migrated from a Cisco ASA to a CP3800 R82.   With the Cisco we were able to reach the VPN clients with traffic initiated from the Lan.   This isn't happening with the CP.  Logs show Lan initiated traffic being encrypted on the gateway, but that is where it ends.  I don't have a NAT setup at this time between the VPN subnet and Lan.  Not sure if that is the missing piece or it's something else.

Policy rules:

1. source: vpn@any, dest: intLan, VPN: RemoteAccess, Serv&app: Any, Action: Accept
2. source: intLan, dest: Any, VPN: Any, Serv&app: Any, Action: Accept
3. source: VPNsubnet, dest: intLan, VPN: Any, Serv&app: Any, Action: Accept
4. Cleanup rule

Added Rule #3 but didn't make a difference.

If the Endpoint Client only applies policy assigned to the VPN community (RemoteAccess), then that would explain what is happening.

Thanks for any help.

0 Kudos
12 Replies
PhoneBoy
Admin
Admin
‎2025-08-21 09:58 AM

By default, this is blocked in Global Properties.
Enable Back Connections and push policy.

image.png

0 Kudos
jb8578
Explorer
‎2025-08-21 10:27 AM
In response to PhoneBoy

That is currently enabled. 

 

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-08-21 11:17 AM
In response to jb8578

Now that I re-read your post, I believe NAT could be the issue. Make sure vpnsubnet object is natted in smart console, just do behind gateway.

Andy

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-08-21 11:12 AM

Just to make sure Im not missing anything...are you saying when people connect with VPN client, they cant access anything behind the fw?

Andy

0 Kudos
jb8578
Explorer
‎2025-08-21 11:23 AM
In response to the_rock

VPN clients when connected, can access anything just fine on the network, without a NAT.   It's when for example my PC on the Lan tries to connect to a VPN client, that it does not work.   Ping, remote desktop, anything....does not work.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-08-21 11:41 AM
In response to jb8578

Ah, got it now...so can you do this when trying on the fw (or if its cluster, whichever is active atm)

fw ctl zdebug + drop | grep x.x.x.x

Just replace x.x.x.x with IP you are trying to connect to

ctrl+c to stop

Andy

0 Kudos
jb8578
Explorer
‎2025-08-21 12:28 PM
In response to the_rock

Nothing showed up in dubug on the cluster.    Attached log showing traffic being encrypted to the vpn client.  

Checked trac logs on the client, nothing with my source IP in it.

cp-enc.jpg

0 Kudos
jb8578
Explorer
‎2025-08-21 12:31 PM
In response to jb8578

Client is E88.30

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-08-21 12:46 PM
In response to jb8578

Now that I think about it, lets start with basics, as they say.

1) what subnet is assigned for vpn clients?

2) when connection fails to connect back from lan, what do you see when running route print from your machine?

3) If you run ip r g and then IP of the vpn client, does it show correct info? ie : ip r g 10.10.10.50

4) if no drops are observed, then we can say with high confidence that rules are fine, but to be 100% sure, you can run example 1 from below link on the fw itself, just add dst IP as well, ipp can be 0

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/FWG...

Andy

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-08-21 12:36 PM
In response to jb8578

Can you attach full log please? Also, maybe worth trying E89 client version as a test.

Andy

0 Kudos
jb8578
Explorer
‎2025-08-22 05:50 AM
In response to the_rock

Logs attached.

Tried E89 and no change.

Preview file
2338 KB
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-08-22 06:39 AM
In response to jb8578

I meant smart console log.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events