This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
MarcuzShinz
Collaborator
Collaborator
‎2024-07-23 09:40 PM

Configure NAT port for Remote Access VPN & Mobile Access

Hi Guy!

Currently I have some confusing problems as follows:

1. I am configuring Remote Access on Check Point with Public IP set on Peplink and we change from port 443 -> 8443. This means that Peplink is configuring NAT as follows:

Public IP:8443 -> Check Point:8443
In addition, on Peplink there is also NAT port UDP 4500 & 500 for IPsec.

And this works fine.

2. When we enabled blade Mobile access, the Visitor Mode was forced to change back to 443, and we changed the configuration on Peplink to:
Public IP:8443 -> Check Point:443

However, at this time, Remote Access does not work. I'm not sure what the difference is here. Because it still runs over IPsec. But Mobile Access work ok!

Am I missing any other configuration on Checkpoint?

0 Kudos
17 Replies
PhoneBoy
Admin
Admin
‎2024-07-24 07:43 AM

Unfortunately, if you are using Mobile Access Blade, this is expected behavior.
See: https://support.checkpoint.com/results/sk/sk107852 

MarcuzShinz
Collaborator
Collaborator
‎2024-07-24 06:30 PM
In response to PhoneBoy

I understand your point, about mobile access using port 443, and we did that and it worked as expected. However, what about remote access? I don't know why when I change the NAT in peplink device to "Public IP:8443 -> Check Point:443", the remote access doesn't work anymore.

PhoneBoy
Admin
Admin
‎2024-07-25 06:08 AM
In response to MarcuzShinz

The VPN client expects to use the Visitor Mode port, which is locked to port 443 because you are using Mobile Access Blade.

MarcuzShinz
Collaborator
Collaborator
‎2024-07-25 06:25 AM
In response to PhoneBoy

Currently I have tried, without enable on mobile access, but still configuring NAT according to "Public IP:8443 -> Check Point:443", remote access also does not work.

I see that only when we config NAT with "Public IP:8443 -> Check Point:8443 or Public IP:443 -> Check Point:443" does it work. Just need the port mapping to be the same and it will work.

But I'm not clear because Remote Access on window is IPsec, what does it have to do with 443 or 8443? 

PhoneBoy
Admin
Admin
‎2024-07-25 01:37 PM
In response to MarcuzShinz

Even with an IPsec client, HTTPS is used on initial connection to the Visitor Mode port.
This is by design.

0 Kudos
MarcuzShinz
Collaborator
Collaborator
‎2024-07-26 05:06 AM
In response to PhoneBoy

Dear PhoneBoy,

I mean as image below

TronNQ_0-1721995583403.pngTronNQ_1-1721995591801.png

 

PhoneBoy
Admin
Admin
‎2024-07-26 10:20 AM
In response to MarcuzShinz

That is precisely how I understood the situation.
Doesn't change the answer, unfortunately.
You can try just deleting and recreating the VPN site with the port number 8443: https://support.checkpoint.com/results/sk/sk103107 
However, unless you change the Visitor Mode port to match, this may not work.

mohammed1987
Participant
3 weeks ago
In response to MarcuzShinz

Hi, 

try while executing wizard VPN and when typing the server address or name add the port number like 10.10.10.254:8443

 

0 Kudos
mohammed1987
Participant
3 weeks ago
In response to MarcuzShinz

Hi,

what i have done, 

on smartconsole :

- Deactivate Mobile Access Blade

- Create a new tcp service let say https_VPN_RA as a https protcol listening on 18443

- On the VPN Clients tab, Remote Access, activate "support mode visitor" and choose the service created above. 

- publish and install. 

 

On client side, i do some wireshark capture and i see the first https request generated from Mobile client VPN with port number 18443. 

 

 Let us know if it works for you. 

 

A+

 

mohammed1987
Participant
3 weeks ago
In response to mohammed1987

i also on the client side type the server address or name with the port 18443 let say like 10.10.10.254:18443

MarcuzShinz
Collaborator
Collaborator
‎2024-07-30 12:10 AM

I solved this, with Public IP:8443 <-> Checkpoint:443
Thanks for your help.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-07-30 07:06 AM
In response to MarcuzShinz

How exactly did you solve it?
By deleting/readding the site using port 8443?

0 Kudos
MarcuzShinz
Collaborator
Collaborator
‎2024-07-30 09:39 PM
In response to PhoneBoy

Dear PhoneBoy,

Not sure what the error is, I tried adding 1 Nat rule and Firewall Rules as below and it worked. 

0 Kudos
PhoneBoy
Admin
Admin
‎2024-07-31 02:46 PM
In response to MarcuzShinz

No screenshot?

0 Kudos
MarcuzShinz
Collaborator
Collaborator
‎2024-08-01 07:43 AM
In response to PhoneBoy

2024-07-31_113726.png2024-07-31_113717.png

0 Kudos
PhoneBoy
Admin
Admin
‎2024-08-01 09:17 AM
In response to MarcuzShinz

Considering the gateway shouldn't even see the public IP here (if I'm understanding your topology correctly), I'm surprised it works.
Can you confirm how the gateway sees the traffic with a tcpdump/fw monitor?

0 Kudos
MarcuzShinz
Collaborator
Collaborator
‎2024-08-01 09:21 AM
In response to PhoneBoy

I think cause in the link selection, I have choosen option Nat-t and enter public IP into it. because I'm using s2s and c2s the same public IP

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events