Check Point Mobile VPN - No Internet Access
Good afternoon everyone,
We are configuring our Mobile Access Software blade for the first time. I configured it for use with the Windows desktop client "Check Point Mobile", and was able to access internal resources just fine when connected.
The problem we have encountered is that our security requirements dictate no Split Tunneling. I have gone into the global settings and disabled Split Tunneling, but as a side effect the client can no longer access internet resources. Internal resources still work fine, but clients are seemingly prevented from browsing the web.
I am using the "CP_default_Office_Mode_address_pool" to assign IP addresses to VPN clients. However, when I run an ipconfig /all on the client, I see the IPv4 address (172.16.10.1) but the Default Gateway is empty. In our firewall policies, we have a policy to allow CP_default_Office_Mode_address_pool network to talk to our internal LAN, and I also added the CP_default_etc network to our "LANs to Internet" rule.
I've read a few solutions on this forum that describe similar issues, but nothing I've tried has worked so far. Does anyone have any advice?
The default gateway being empty for the VPN adapter is expected behavior. Several things you should be looking out for:
1. If you are publishing DNS servers via the VPN configuration when connected, the necessary rules should be in place to allow DNS communication. If there are no servers published, then users would continue to use the servers provided via their home routers (as an example).
2. Check if you have a NAT rule in place in order to perform source NAT whenever the office mode pool attempts to connect to public IP addresses. Logically you could run a hide NAT rule using the gateway IP address or another available public IP. You may want to consider no-NAT statements to internals depending on how you plan the source NAT for Internet connectivity.
3. When a user is connected, run route print on their machine to ensure traffic is being forwarded using the VPN adapter.
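As an added illustration of point 3 (not code from this thread), the script below parses a constructed Windows `route print` sample and reports whether the preferred default route leaves through an Office Mode address, i.e. the VPN adapter; the pool range and the sample table are assumptions.

```python
import ipaddress
import re

# Office Mode pool from the thread; adjust to your own pool object's range (assumption).
OFFICE_MODE_POOL = ipaddress.ip_network("172.16.10.0/24")

# Constructed sample of `route print` output on a client connected without
# split tunneling: a second default route (metric 1) points at the VPN adapter.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     35
          0.0.0.0          0.0.0.0      172.16.10.1     172.16.10.2      1
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      172.16.10.0    255.255.255.0         On-link       172.16.10.2    257
      192.168.1.0    255.255.255.0         On-link      192.168.1.50    281
===========================================================================
"""

# A route row is five columns, the last of which (Metric) is numeric.
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(text):
    """Return the IPv4 route rows as dicts; headers and separators are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        routes.append({"dest": dest, "mask": mask, "gateway": gateway,
                       "interface": iface, "metric": int(metric)})
    return routes


def check_default_route(text, pool=OFFICE_MODE_POOL):
    """Pick the preferred default route (lowest metric) and report whether its
    interface address belongs to the Office Mode pool, i.e. the VPN adapter."""
    defaults = [r for r in parse_routes(text)
                if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]
    if not defaults:
        return {"via_vpn": False, "gateway": None, "interface": None}
    best = min(defaults, key=lambda r: r["metric"])
    via_vpn = ipaddress.ip_address(best["interface"]) in pool
    return {"via_vpn": via_vpn, "gateway": best["gateway"], "interface": best["interface"]}
```

If `via_vpn` comes back False while the client is connected, the gateway is not pushing the all-traffic route, which points at the Global Properties / gateway settings rather than at NAT.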
Hello! Thank you for your reply.
1. DNS seems to be working correctly. I can flush my client's DNS, then do an nslookup and I get a response from the Domain Controller on site.
2. I'm a bit lost here - how exactly would I go about this?
3. route print seems to claim the gateway is 172.16.10.1, while the client has an address of 172.16.10.2.
I'm uploading some screenshots of my configuration that may be useful in diagnosing the issue. I'm pretty new to Check Point, unfortunately.
As far as I can tell, Rule 8 isn't doing much. It was added on a recommendation, but did not resolve the issue.
Any insight would be greatly appreciated!
Double check your configuration follows this SK: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
PhoneBoy,
Thank you!! That SK was exactly what I needed. My issue was not having the box in step 2.D. checked. As soon as I did that, internet started working on the client.
Hi,
I've followed the SK, but I don't want all traffic to go via the office. There are certain third-party websites which we need to connect to and are only allowed to from our office's public IP address.
Other websites we want users to use their own Internet to get out on.
For the "Route all traffic to gateway" option in Global Properties, I have set this to "No".
I have ticked "Allow VPN clients to route traffic through this gateway" in the cluster properties.
I have created all the NAT rules as required.
However, I am still unable to access the website.
Any ideas?
For this to work, the sites in question must be added to the Encryption Domain.
Have you done this?
Thanks, that's the key!
In your VPN.PNG rule with RemoteAccess, use the CP_default_office_mode object instead of an Access Role in the Source field of rule 8.