This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Daniel_Ranft
Participant
‎2018-10-31 09:58 AM

Firewall rule from remote users to site-to-site network

Hi,

probably super easy, but I don't get it how to implement this rule...

We are talking about an R77.30. I have a VPN community RemoteAccess (like probably everyone here) and another community for an external company we are connected to. Simple Site-to-Site stuff.

I already have a rule allowing my clients from my internal network to communicate with the external servers via this VPN, which works fine. My problem now is, that I have no clue how to set up a rule allowing my remote clients to access this same external network via VPN... I have two (incompatible?) VPNs here, now what am I supposed to set as VPN community? Both? This does not work, I get an error. Only the S2S community, and add my user groups as Source? Also giving me an error.

So what am I missing here?

Thanks already in advance for any helpful hints/answers

Daniel

0 Kudos
6 Replies
Dor_Marcovitch
Advisor
‎2018-10-31 03:15 PM

1) you have split tunneling than on the remote access community add the remote s2s vpn network so that the client will know to route the traffic to the VPN, you can identify it by checking the routing table when the VPN is connected.

2) if you have access to the configuration of the remote VPN FW than you will need to add the office mode network to the encryption domain, other option is to configure hide nat on your FW so that traffic from the VPN client will apear to come from the internal ip of your GW. this is fast and good if you dont care for the remote VPN FW to see each client source IP

3) without NAT you might need also to change the S2S community topology to start and allow satalites to talk through the center but i am not sure about it.

0 Kudos
Vladimir
Champion
Champion
‎2018-10-31 06:14 PM
In response to Dor_Marcovitch

I like the #2 approach you are describing. Just wanted to add that the "hide NAT" could be configured as a manual NAT rule to a single IP from one of the existing networks in local encryption domain.

0 Kudos
Daniel_Ranft
Participant
‎2018-11-01 01:52 AM
In response to Dor_Marcovitch

Hi Dor Marcovitch,

thanks for your ideas. Sadly my remote community tells me when I want to add a participating gateway, that this is only allowed for internally managed FWs, so i can strike this out as far as I understand it.

So VPN-wise I'm still unsure how I can solve this. The NAT stuff looks nice so far.

0 Kudos
Daniel_Ranft
Participant
‎2018-11-01 01:55 AM

I should also mention that right now the policy is traditional mode, but afaik this is not possible with trad., so I am converting to simplified.

If you have an idea how to solve this in traditional mode, I'm down to try it Smiley Happy

0 Kudos
Dor_Marcovitch
Advisor
‎2018-11-01 02:21 AM

It is a good time to convert to simplified.

Dont make any changed to the communities right now.

Anm vy they way you will need to add the office mode network to your encryption domain only on your side, juat for the fw to know to route it to the vpn. But the negotiation with the remote fw will be domt acording to the hide nat

0 Kudos
Daniel_Ranft
Participant
‎2018-11-01 05:37 AM

I think I finally got it - A mixture of adding the right network to the right VPN domains and NATing.

Currently I hide the remote users with the gateway IP (usual masquerading) AND using a Static-NAT for the S2S server IP. This NAT IP is in a whole new network, that I have added to the RemoteAccess VPN domain, and I did maybe a few too much rules, but I will see which one of them will be used and which I can delete later on.

Anyway - thanks for the hints Smiley Happy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events