We have an s2s (terminated on FWext) to the management network in a customer environment, and we can connect to all assets (including both MDSs and CMAs not related to FWext) except both CMAs (from the domain where FWext is used in the policy).
I tried to debug the issue and I found that the return packet from the CMA goes to FWext, but FWext uses the routing table and sends it to some interface, not into the s2s tunnel.
Because it is not a critical problem for us, I do not want to open an SR on it and would rather try to find a solution by digging deeper.
So my question: do you have any idea where to start? (I think it will be a matter of kernel debug commands, but I'm not sure.)
I'd echo @Maarten_Sjouw's recommendation to establish a NAT for your remote gateway to connect to. We do that for a number of gateways that are out in the field and it works well.
Make sure your NAT device also NATs your CMA's outbound traffic to the correct IP as well. That'll help for writing firewall rules on both sides to limit communications from undesired sources.
And if you have a separate MLM then you'll need to set up a NAT for that too.
Thanks @Tommy_Forrest and @Maarten_Sjouw.
We use access through NAT for many customers too, but in this case I would prefer s2s. But it looks like I will be disappointed. 🙂
You could just involve TAC for a resolution...
Michal,
First, I really recommend following the suggestion of @Tommy_Forrest and @Maarten_Sjouw. Using NAT is the best way: the connection is secured and encrypted, and it is simple to debug in case of troubleshooting.
To your configuration:
Because the ports for management traffic are excluded from VPN by default, you have to change this behaviour.
Follow "Management traffic sent as clear text even when configured to be sent via VPN tunnel" to send management traffic over VPN.
Wolfgang
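To make Wolfgang's point concrete, here is a small model of FWext's "encrypt or route" decision, added as an example for this thread and not code from Check Point or any poster. It assumes (for illustration only) that a packet is tunnelled when both ends sit in the encryption domains and neither port is on the default management exclusion list; the port set is a subset of real Check Point control-connection services, the addresses are constructed, and the SK fix is modelled as emptying that exclusion list.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Real Check Point control-connection ports (FW1_log, CPMI, CPD, ICA, CPM);
# treating them as the default VPN exclusion list is an assumption of this model.
DEFAULT_EXCLUDED_MGMT_PORTS = frozenset({257, 18190, 18191, 18192, 18210, 18211, 18264, 19009})

# Constructed encryption domains: management network behind FWext and the remote admin site.
LOCAL_DOMAIN = ip_network("10.20.0.0/16")
REMOTE_DOMAIN = ip_network("192.168.50.0/24")


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


def decide(flow: Flow, excluded_ports=DEFAULT_EXCLUDED_MGMT_PORTS) -> str:
    """Return 'encrypt' if FWext would push the packet into the s2s tunnel,
    or 'route-clear' if it falls back to the plain routing table."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    between_domains = (src in LOCAL_DOMAIN and dst in REMOTE_DOMAIN) or (
        src in REMOTE_DOMAIN and dst in LOCAL_DOMAIN)
    if not between_domains:
        return "route-clear"          # ordinary traffic, never a VPN candidate
    # A CMA reply carries the management port as its *source* port, so both
    # ends of the connection have to be checked against the exclusion list.
    if flow.sport in excluded_ports or flow.dport in excluded_ports:
        return "route-clear"          # excluded by default: bypasses the tunnel
    return "encrypt"


def diagnose(flows, excluded_ports=DEFAULT_EXCLUDED_MGMT_PORTS):
    """Map each flow to FWext's decision; compares default vs. corrected config."""
    return {flow: decide(flow, excluded_ports) for flow in flows}


# Constructed sample: CMA at 10.20.1.5 answering an admin host at 192.168.50.10.
CMA_REPLY_CPM = Flow("10.20.1.5", 19009, "192.168.50.10", 51000)   # SmartConsole reply
CMA_REPLY_SSH = Flow("10.20.1.5", 22, "192.168.50.10", 51001)      # plain SSH reply
INTERNET_BOUND = Flow("10.20.1.5", 443, "203.0.113.7", 40000)      # outside both domains

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_EXCLUDED_MGMT_PORTS), ("after SK change", frozenset())):
        print(name, diagnose([CMA_REPLY_CPM, CMA_REPLY_SSH, INTERNET_BOUND], cfg))
```

Running it shows the symptom from the first post: the SSH reply is encrypted while the CMA's management reply is routed in clear, and only after the exclusion is lifted does the management reply enter the tunnel.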