Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Daniel_Ranft
Participant

Firewall rule from remote users to site-to-site network

Hi,

probably super easy, but I don't get it how to implement this rule...

We are talking about an R77.30. I have a VPN community RemoteAccess (like probably everyone here) and another community for an external company we are connected to. Simple Site-to-Site stuff.

I already have a rule allowing my clients from my internal network to communicate with the external servers via this VPN, which works fine. My problem now is, that I have no clue how to set up a rule allowing my remote clients to access this same external network via VPN... I have two (incompatible?) VPNs here, now what am I supposed to set as VPN community? Both? This does not work, I get an error. Only the S2S community, and add my user groups as Source? Also giving me an error.

So what am I missing here?

Thanks already in advance for any helpful hints/answers

Daniel

0 Kudos
6 Replies
Dor_Marcovitch
Advisor

1) you have split tunneling than on the remote access community add the remote s2s vpn network so that the client will know to route the traffic to the VPN, you can identify it by checking the routing table when the VPN is connected.

2) if you have access to the configuration of the remote VPN FW than you will need to add the office mode network to the encryption domain, other option is to configure hide nat on your FW so that traffic from the VPN client will apear to come from the internal ip of your GW. this is fast and good if you dont care for the remote VPN FW to see each client source IP

3) without NAT you might need also to change the S2S community topology to start and allow satalites to talk through the center but i am not sure about it.

0 Kudos
Vladimir
Champion
Champion

I like the #2 approach you are describing. Just wanted to add that the "hide NAT" could be configured as a manual NAT rule to a single IP from one of the existing networks in local encryption domain.

0 Kudos
Daniel_Ranft
Participant

Hi Dor Marcovitch,

thanks for your ideas. Sadly my remote community tells me when I want to add a participating gateway, that this is only allowed for internally managed FWs, so i can strike this out as far as I understand it.

So VPN-wise I'm still unsure how I can solve this. The NAT stuff looks nice so far.

0 Kudos
Daniel_Ranft
Participant

I should also mention that right now the policy is traditional mode, but afaik this is not possible with trad., so I am converting to simplified.

If you have an idea how to solve this in traditional mode, I'm down to try it Smiley Happy

0 Kudos
Dor_Marcovitch
Advisor

It is a good time to convert to simplified.

Dont make any changed to the communities right now.

Anm vy they way you will need to add the office mode network to your encryption domain only on your side, juat for the fw to know to route it to the vpn. But the negotiation with the remote fw will be domt acording to the hide nat

0 Kudos
Daniel_Ranft
Participant

I think I finally got it - A mixture of adding the right network to the right VPN domains and NATing.

Currently I hide the remote users with the gateway IP (usual masquerading) AND using a Static-NAT for the S2S server IP. This NAT IP is in a whole new network, that I have added to the RemoteAccess VPN domain, and I did maybe a few too much rules, but I will see which one of them will be used and which I can delete later on.

Anyway - thanks for the hints Smiley Happy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events