This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Shahar_Grober
Advisor
‎2020-10-07 03:39 AM
Jump to solution

Route Incoming external traffic over VPN

Hi, 

 

I am struggling with routing external incoming traffic that is coming from the External Interface via a VPN tunnel?

The traffic flow should be:

External IP --> External GW published IP  --> Static NAT to internal dst IP --> VPN Tunnel --> dst 

 

To explain shortly - incoming traffic from external IP is hitting the GW published IP (via Proxy ARP) and NATed to an internal address which should be routed via the VPN.

I added the External IP address to the VPN domain but still the Traffic is not routed over the VPN but going out back via the external interface 

There is a static NAT to translate the external dst IP address to the Internal dst IP address which should go to the VPN 

External IP --> External GW  IP 

External IP --> Internal dst IP  

however the traffic goes back via the External Interface 

Any SK or a idea how to tackle this issue?

 

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2020-10-10 08:16 AM
In response to Shahar_Grober
Jump to solution

If it’s from a specific IP in the encryption domain, 
it sounds like a bug.
You might want to engage with the TAC.

View solution in original post

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2020-10-09 04:19 PM
Jump to solution

The decision to encrypt is based on the source IP being in the encryption domain, which I'm guessing is not the case here.
Perhaps with a route-based VPN and a null encryption domain, you could make this work.

Shahar_Grober
Advisor
‎2020-10-10 03:28 AM
In response to PhoneBoy
Jump to solution

Hi PB, 

The traffic is coming from external interface and although I added the External Incoming IP to the VPN domain it is still not routed via the tunnel. I guess the VPN topology doesn't include external address for a reason (or a bug in the VPN topology calculation). I tried to find any SK about routing external traffic via internal VPN but couldn't find anything useful

I was trying to avoid route-based VPN but I guess this is the only way so I will have a look at it 

Thanks for your answer 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-10-10 08:16 AM
In response to Shahar_Grober
Jump to solution

If it’s from a specific IP in the encryption domain, 
it sounds like a bug.
You might want to engage with the TAC.

0 Kudos
Wille010
Contributor
‎2021-08-25 02:54 AM
In response to Shahar_Grober
Jump to solution

Hello Shahar,

Did you solved this by using route-based VPN or did you still used domain-based for this?

Tia

Lesley

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events