
Remote Access Communities

Hello,

I am trying to configure a more complicated VPN setup for Remote Access, but it doesn't look like it works the way I was expecting. There is only one Remote Access Community. In the manual we have the line:

"You can also create a new Remote Access VPN Community with a different name." but there is no instruction on how to do so. If I add a new community I have only Star or Mesh options, and they look like they are a bit different from the built-in Remote Access.

1. First of all, can I have more than one Remote Access Community per Gateway? I can edit the VPN Domain per Remote Access, but I can't really get how you can create a second Remote Access Community.

2. I know that there is one Office Mode Pool by default per gateway. If I need to allocate two different IP subnets to users connecting to the gateway based on Group/Username, can I do it in any other way than stated in sk33422 (Office Mode IP and ipassignment.conf file)? This one

3. For non-global split-tunnel we have this sk114882 where you can control tunneling mode based on group membership.

Does anyone have a similar setup where, let's say:

Internal VPN Users can access Full-Tunnel and all internal subnets 

External VPN Users can access Split-Tunnel and some pre-defined internet destinations with VPN GW NAT

All of this on only one Security Gateway

Thank you,

Cezar

5 Replies
Jerry
Gold

Re: Remote Access Communities

What exactly are you trying to achieve here, Cezar? Please explain so we'd have a better understanding of your requirements.

Jerry

Re: Remote Access Communities

I will quote myself:

Internal VPN Users can access Full-Tunnel and all internal subnets and some pre-defined internet destinations with VPN GW NAT.

External VPN Users can access Split-Tunnel and just some pre-defined internet destinations with VPN GW NAT (the specific locations do source filtering and only allow the Customer Companies Subnet to access hence GW has to NAT)

All of this on only one Security Gateway

Internal VPN are employees, External VPN are contractors but everyone will obviously be accessing from the internet.

Re: Remote Access Communities

What about using Remote Access Roles in your Remote Access Control Policy? You can use different rules to control access of User Groups; see Remote Access VPN Administration Guide R80.20 p. 28f for details!

 

Admin
Admin

Re: Remote Access Communities

I'm not sure you need multiple remote access communities if you set the policy up correctly.

That said, I seem to recall someone actually managed to create a second Remote Access community (though I'm not sure how):

https://community.checkpoint.com/thread/10089-multiple-remote-access-communities-gw-version 

As far as I know, if you need different pools for different users, you need to edit ipassignment.conf.

Likewise for the other change you mentioned, if you want different "split tunnel" settings.


Re: Remote Access Communities

Hi Nickel.

I'm using an R80.10 VSX GW and an external MGMT. I tried to create a new VPN RemoteAccess community by clicking on the default RemoteAccess and then choosing "new".

So I created a new RemoteAccess, but it doesn't work.

I can connect to my second VPN GW, installed at a second physical geographic site, only if I add my second VPN GW to the default RemoteAccess community; otherwise I cannot connect.

 
