Explorer

Check Point Mobile VPN - No Internet Access

Jump to solution

Good afternoon everyone,

We are configuring our Mobile Access Software blade for the first time. I configured it for use with the windows desktop client "Check Point Mobile", and was able to access internal resources just fine when connected.

The problem we have encountered is that our security requirements dictate no Split Tunneling. I have gone into the global settings and disabled Split Tunneling, but as a side effect the client can no longer access internet resources. Internal resources still work fine, but clients are seemingly prevented from browsing the web.

I am using the "CP_default_Office_Mode_address_pool" to assign IP addresses to VPN clients. However, when I run an ipconfig /all on the client, I see the IPv4 address (172.16.10.1) but the Default Gateway is empty. In our firewall policies, we have a policy to allow CP_default_Office_Mode_address_pool network to talk to our internal LAN, and I also added the CP_default_etc network to our "LANs to Internet" rule.

I've read a few solutions on this forum that describe similar issues, but nothing I've tried has worked so far. Does anyone have any advice? 

5 Replies
Participant

The default gateway being empty for the VPN adapter is expected behavior. Several things you should be looking out for:

1. If you are publishing DNS servers via the VPN configuration when connected, the necessary rules should be in place to allow DNS communication. If there are no servers published, then users would continue to use the servers provided via their home routers (for example).

2. Check if you have a NAT rule in place in order to perform source NAT whenever the Office Mode pool attempts to connect to public IP addresses. Logically you could run a hide NAT rule using the gateway IP address or another available public IP. You may want to consider no-NAT statements to internals depending on how you plan the source NAT for Internet connectivity.

3. When a user is connected, run route print on their machine to ensure traffic is being forwarded using the VPN adapter.

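Step 3 above is the one check the client can answer on its own: with split tunneling disabled, the 0.0.0.0 route with the lowest metric must point at the Office Mode adapter, while the route to the gateway's own public IP must stay on the physical NIC (otherwise the tunnel would try to route through itself). The script below is an added example written for this thread, not Check Point code, and it parses a constructed `route print` dump rather than a live machine. The pool range 172.16.10.0/24, the gateway public IP 203.0.113.5 and the 8.8.8.8 probe address are assumptions for the example; the thread only names the pool object, not its range.

```python
"""Decide, from a Windows `route print` dump, whether an Office Mode client
with split tunneling disabled really sends Internet-bound packets into the
VPN adapter.  Added example for this thread; not Check Point's own tooling.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the shape Windows prints for an Office Mode client
# (172.16.10.2 on the VPN adapter, 192.168.1.50 on the home LAN).  The
# gateway public IP 203.0.113.5 is an assumed documentation address.
SAMPLE_ROUTE_PRINT = """
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    172.16.10.1    172.16.10.2      1
          0.0.0.0          0.0.0.0    192.168.1.1   192.168.1.50     25
        127.0.0.0        255.0.0.0         On-link      127.0.0.1    331
      172.16.10.0    255.255.255.0         On-link     172.16.10.2    257
      192.168.1.0    255.255.255.0         On-link    192.168.1.50    281
      203.0.113.5  255.255.255.255    192.168.1.1   192.168.1.50     26
===========================================================================
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str                      # "On-link" for directly connected nets
    interface: ipaddress.IPv4Address  # address of the egress adapter
    metric: int


# destination, netmask, gateway (IP or On-link), interface IP, metric
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_route_table(text):
    """Return the Active Routes rows of the IPv4 section as Route objects."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # headers, separators and the IPv6 section do not match
        dest, mask, gw, iface, metric = m.groups()
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append(Route(net, gw, ipaddress.IPv4Address(iface), int(metric)))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; among equal prefixes the lowest metric wins,
    which is how Windows picks between the two 0.0.0.0/0 entries."""
    dst = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def check_full_tunnel(routes, office_mode_pool, vpn_gateway_ip, probe="8.8.8.8"):
    """Findings a practitioner wants from step 3 of the checklist:
    - internet_via_vpn: a public destination leaves through the Office Mode
      adapter, so the gateway must hide-NAT the pool and permit it to the
      Internet; if False, the client is still effectively split tunneling.
    - peer_via_vpn: the tunnel endpoint itself would be routed into the
      tunnel, i.e. a routing loop; this must stay False.
    """
    pool = ipaddress.IPv4Network(office_mode_pool)
    inet = lookup(routes, probe)
    peer = lookup(routes, vpn_gateway_ip)
    return {
        "internet_via_vpn": inet is not None and inet.interface in pool,
        "internet_gateway": inet.gateway if inet else None,
        "peer_via_vpn": peer is not None and peer.interface in pool,
    }


if __name__ == "__main__":
    table = parse_route_table(SAMPLE_ROUTE_PRINT)
    print(check_full_tunnel(table, "172.16.10.0/24", "203.0.113.5"))
```

On a real client, replace `SAMPLE_ROUTE_PRINT` with the output of `route print -4` and the pool with the range behind your Office Mode object. If `internet_via_vpn` is True and browsing still fails, the problem is no longer on the client: the packets are reaching the gateway, and steps 1 and 2 above (DNS rules and the hide NAT for the pool) are where to look next.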
Explorer

Hello! Thank you for your reply.

1. DNS seems to be working correctly. I can flush my client's DNS, then do an nslookup and I get a response from the Domain Controller on site.

2. I'm a bit lost here - how exactly would I go about this?

3. Route print seems to claim the gateway is 172.16.10.1, while the client has an address of 172.16.10.2.

I'm uploading some screenshots of my configuration that may be useful in diagnosing the issue. I'm pretty new to Check Point unfortunately.

As far as I can tell, Rule 8 isn't doing much. It was added on a recommendation, but did not resolve the issue.

Any insight would be greatly appreciated!

Explorer

PhoneBoy,

Thank you!! That SK was exactly what I needed. My issue was not having the box in step 2.D. checked. As soon as I did that, internet started working on the client.

Champion

In your VPN.PNG rule with RemoteAccess, use the CP_default_office_mode object instead of an Access Role in the Source field of rule 8.

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com