RWILSON7
Explorer

Check Point Mobile VPN - No Internet Access


Good afternoon everyone,

We are configuring our Mobile Access Software blade for the first time. I configured it for use with the windows desktop client "Check Point Mobile", and was able to access internal resources just fine when connected.

The problem we have encountered is that our security requirements dictate no Split Tunneling. I have gone into the global settings and disabled Split Tunneling, but as a side effect the client can no longer access internet resources. Internal resources still work fine, but clients are seemingly prevented from browsing the web.

I am using the "CP_default_Office_Mode_address_pool" to assign IP addresses to VPN clients. However, when I run an ipconfig /all on the client, I see the IPv4 address (172.16.10.1) but the Default Gateway is empty. In our firewall policies, we have a policy to allow the CP_default_Office_Mode_address_pool network to talk to our internal LAN, and I also added the CP_default_etc network to our "LANs to Internet" rule.

I've read a few solutions on this forum that describe similar issues, but nothing I've tried has worked so far. Does anyone have any advice? 


8 Replies
dumbhead123
Contributor

The default gateway being empty for the VPN adapter is expected behavior. Several things you should be looking out for:

1. If you are publishing DNS servers via the VPN configuration when connected, the necessary rules should be in place to allow DNS communication. If there are no servers published, then users would continue to use the servers provided via their home routers (for example).

2. Check if you have a NAT rule in place in order to perform source NAT whenever the office mode pool attempts to connect to public IP addresses. Logically you could run a hide NAT rule using the gateway IP address or another available public IP. You may want to consider no-NAT statements to internals depending on how you plan the source NAT for Internet connectivity.

3. When a user is connected, run route print on their machine to ensure traffic is being forwarded using the VPN adapter.

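A small check for step 3 above, added here as an example and not code from anyone in this thread: it parses the IPv4 table of a Windows `route print` and reports which adapter a destination would leave through (longest prefix wins, lowest metric on ties), so you can confirm that with Split Tunneling disabled public destinations exit via the Office Mode adapter rather than the home router. The two route tables are constructed samples modelled on the addresses in this thread, and the adapter addresses are assumptions.

```python
import ipaddress

# Constructed sample of the IPv4 section of "route print" on a client with
# Split Tunneling disabled: the VPN adapter (172.16.10.2, from the Office Mode
# pool) owns a low-metric default route; the home LAN adapter (192.168.1.50)
# keeps its own default route with a higher metric.
FULL_TUNNEL = """
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.16.10.1     172.16.10.2      1
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
         10.0.0.0        255.0.0.0      172.16.10.1     172.16.10.2      1
      172.16.10.0    255.255.255.0         On-link      172.16.10.2    257
      192.168.1.0    255.255.255.0         On-link     192.168.1.50    281
"""

# Constructed sample with Split Tunneling enabled: no default route via the VPN.
SPLIT_TUNNEL = """
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
         10.0.0.0        255.0.0.0      172.16.10.1     172.16.10.2      1
      172.16.10.0    255.255.255.0         On-link      172.16.10.2    257
      192.168.1.0    255.255.255.0         On-link     192.168.1.50    281
"""


def parse_route_print(text):
    """Return a list of (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0][0].isdigit():
            continue  # header, blank or non-route line
        dest, mask, gw, iface, metric = parts
        # ipaddress accepts a dotted netmask, so 0.0.0.0/0.0.0.0 becomes 0.0.0.0/0
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes


def egress(routes, destination):
    """Longest-prefix match, lowest metric on ties: (interface, gateway) or None."""
    ip = ipaddress.IPv4Address(destination)
    best = None
    for net, gw, iface, metric in routes:
        if ip in net:
            key = (net.prefixlen, -metric)  # longer prefix, then lower metric
            if best is None or key > best[0]:
                best = (key, iface, gw)
    return None if best is None else (best[1], best[2])


def via_vpn(routes, destination, vpn_iface="172.16.10.2"):
    """True when the destination would leave through the Office Mode adapter."""
    hit = egress(routes, destination)
    return hit is not None and hit[0] == vpn_iface
```

Paste the real `route print` output from the client in place of the constructed table to run the same check against your own routing table.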
RWILSON7
Explorer

Hello! Thank you for your reply.

1. DNS seems to be working correctly. I can flush my client's DNS, then do an nslookup and I get a response from the Domain Controller on site.

2. I'm a bit lost here - how exactly would I go about this?

3. Route print seems to claim the gateway is 172.16.10.1, while the client has an address of 172.16.10.2.

I'm uploading some screenshots of my configuration that may be useful in diagnosing the issue. I'm pretty new to Check Point, unfortunately.

As far as I can tell, Rule 8 isn't doing much. It was added on a recommendation, but did not resolve the issue.

Any insight would be greatly appreciated!

PhoneBoy
Admin
RWILSON7
Explorer

PhoneBoy,

Thank you!! That SK was exactly what I needed. My issue was not having the box in step 2.D. checked. As soon as I did that, internet started working on the client.

PointOfChecking
Contributor

Hi,


I've followed the SK, but I don't want all traffic to go via the office. There are certain third-party websites which we need to connect to and are only allowed to from our office's public IP address.

Other websites we want users to use their own Internet to get out on.


For the "Route all traffic to gateway" option in Global Properties, I have set this to "No".

I have ticked "Allow VPN clients to route traffic through this gateway" in the cluster properties.

I have created all the NAT rules as required.

However, I am still unable to access the website.


Any ideas?


PhoneBoy
Admin

For this to work, the sites in question must be added to the Encryption Domain.
Have you done this?


PointOfChecking
Contributor

Thanks, that's the key!

Timothy_Hall
Champion

In your VPN.PNG rule with RemoteAccess, use the CP_default_office_mode object instead of an Access Role in the Source field of rule 8.

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com