This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
oliver_gao36
Participant
‎2021-01-08 08:54 AM

Configuration for Remote access VPN

Hi all checkmates,

i am looking for a good example configuration guide on how to configure remote access VPN, though i found this guide can help me "https://community.checkpoint.com/t5/Remote-Access-VPN/Quick-Primer-on-How-to-Configure-your-Gateway-...

but i have some other questions or conditions which may need to take consider, here is the scenario:

persume that i have 5 public ip addresses from ISP, from 111.222.333.101 to 111.222.333.105, ISP gateway is 111.222.333.100, and i have only one cable which is connecting with the ISP provided device, i want use 111.222.333.101 for the office internet IP while using 111.222.333.105 as the remote access VPN used IP, and i want to use 10.255.100.0/24 for VPN IP pool, internal networks are 10.255.101.0/24, 10.255.102.0/24, my site also have some other offices which can be routed with MPLS, but their network ip addresses are also within Class A. one demand is when external users dialed in with RA vpn, they need to visit not only the local resources, but also other sites' resources through my local MPLS, my question is: besides the link which can guide you to setup something, are there any other important things or setup steps which i have to consider??? appologize that i am a new CP guy, i may miss something or consideration is not so perfect, but your suggestions are very appreciated.

thank you all in advance!

0 Kudos
9 Replies
PhoneBoy
Admin
Admin
‎2021-01-08 05:36 PM

Why do you want to terminate the VPN on a different IP?
Also do you really want to use SecuRemote, which has several significant limitations compared to Check Point Mobile or Endpoint Security VPN?

In any case your RemoteAccess encryption domain will need to include the IP addresses reachable via MPLS.

oliver_gao36
Participant
‎2021-01-08 05:51 PM
In response to PhoneBoy

Hi phoneboy,

due to some security reasons, we just don't want to use the Internet Ip for VPN access at the same time. actually i tested to merge internet ip and VPN ip into the same, the result was good, but if we move VPN ip to another, then we met an issue, that's why i opened another case in CheckMate. btw is there any solution which can let VPN ip perform as a dummy ip but VPN will actually go throuth the real internet IP

PhoneBoy
Admin
Admin
‎2021-01-08 09:11 PM
In response to oliver_gao36

Did you change the link selection IP?

oliver_gao36
Participant
‎2021-01-11 05:01 AM
In response to PhoneBoy

yes, i did. i changed it to use NATed IP for ipsec vpn.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-01-11 06:13 PM
In response to oliver_gao36

That's how you make the VPN use a different IP...using Link Selection with the specific IP address.

0 Kudos
the_rock
Champion
Champion
‎2021-01-08 05:48 PM

Good point, dont use secure remote, its very limited compared to endpoint or sandblast. Phoneboy is correct, remote access domain would need to have those IPs. Also, would you happen to have simple diagram or drawing of what you are trying to reach, I think it would help.

Andy

oliver_gao36
Participant
‎2021-01-08 06:10 PM
In response to the_rock

Hi ottawacanada150

here is a draft of the topology

Preview file
38 KB
oliver_gao36
Participant
‎2021-01-08 06:23 PM
In response to the_rock

we can also consider to use endpoint security vpn, do u have any best practise?

we only need the VPN scope external PCs can access local resources and/or traverse MPLS to visit other sites' resources.

0 Kudos
the_rock
Champion
Champion
‎2021-01-08 06:28 PM

Ok...so in that case, yoy need remote access domain to include those IPs for access and then rule so they can traverse to a different network. Though, in reality, just make sure the rule for client to site vpn has remote access community in the rule.