MarcuzShinz
Contributor

Configure NAT port for Remote Access VPN & Mobile Access

Hi guys!

Currently I have some confusing problems as follows:

1. I am configuring Remote Access on Check Point with Public IP set on Peplink and we change from port 443 -> 8443. This means that Peplink is configuring NAT as follows:

Public IP:8443 -> Check Point:8443
In addition, on Peplink there is also NAT port UDP 4500 & 500 for IPsec.

And this works fine.

2. When we enabled blade Mobile access, the Visitor Mode was forced to change back to 443, and we changed the configuration on Peplink to:
Public IP:8443 -> Check Point:443

However, at this time, Remote Access does not work. I'm not sure what the difference is here, because it still runs over IPsec. But Mobile Access works ok!

Am I missing any other configuration on Check Point?

0 Kudos
14 Replies
PhoneBoy
Admin

Unfortunately, if you are using Mobile Access Blade, this is expected behavior.
See: https://support.checkpoint.com/results/sk/sk107852 

0 Kudos
MarcuzShinz
Contributor

I understand your point, about mobile access using port 443, and we did that and it worked as expected. However, what about remote access? I don't know why when I change the NAT in peplink device to "Public IP:8443 -> Check Point:443", the remote access doesn't work anymore.

0 Kudos
PhoneBoy
Admin

The VPN client expects to use the Visitor Mode port, which is locked to port 443 because you are using Mobile Access Blade.

0 Kudos
MarcuzShinz
Contributor

Currently I have tried without enabling Mobile Access, but still configuring NAT as "Public IP:8443 -> Check Point:443", and remote access also does not work.

I see that it only works when we configure NAT with "Public IP:8443 -> Check Point:8443" or "Public IP:443 -> Check Point:443". The port mapping just needs to be the same and it will work.

But I'm not clear, because Remote Access on Windows is IPsec, so what does it have to do with 443 or 8443?

0 Kudos
PhoneBoy
Admin

Even with an IPsec client, HTTPS is used on initial connection to the Visitor Mode port.
This is by design.

0 Kudos
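To make the port-plumbing point above concrete, here is a small added model (written for this thread, not Check Point's or Peplink's code) of the three NAT layouts discussed: 8443->8443, 8443->443 with Visitor Mode locked to 443, and 443->443. It assumes, as stated in the replies, that the client first speaks HTTPS to the port configured in its VPN site and then expects to reach the gateway's Visitor Mode port on the same public IP, and that UDP 500/4500 are forwarded unchanged; the `Topology`, `NatRule` and `check_remote_access` names are my own and the scenarios are constructed from the thread.

```python
"""Simplified model of Remote Access reachability through a port-forwarding NAT.

Added illustration for the CheckMates thread; not Check Point's own logic.
Assumptions (labelled, not confirmed by the vendor):
- The client's initial HTTPS connection goes to the site port on the public IP
  and must land on the gateway's Visitor Mode listener.
- The client then uses the Visitor Mode port itself on the public IP, so that
  port must be forwarded unchanged.
- IPsec (UDP 500 / 4500) must be forwarded unchanged in every case.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NatRule:
    """One port-forward on the Peplink: public_port -> gateway_port."""
    public_port: int
    gateway_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Topology:
    nat_rules: tuple          # NatRule entries configured on the Peplink
    visitor_mode_port: int    # Visitor Mode port on the Check Point gateway
    site_port: int            # port configured in the client's VPN site


def _forward(rules, proto: str, public_port: int) -> Optional[int]:
    """Return the gateway port a public port is mapped to, or None if no rule."""
    for r in rules:
        if r.proto == proto and r.public_port == public_port:
            return r.gateway_port
    return None


def check_remote_access(t: Topology) -> list:
    """Walk the connection steps; return a list of problems (empty == works)."""
    problems = []
    # Step 1: initial HTTPS on the site port must reach the Visitor Mode listener.
    gw = _forward(t.nat_rules, "tcp", t.site_port)
    if gw is None:
        problems.append(f"no TCP NAT for public port {t.site_port} (site port)")
    elif gw != t.visitor_mode_port:
        problems.append(
            f"site port {t.site_port} is forwarded to {gw}, "
            f"but Visitor Mode listens on {t.visitor_mode_port}")
    # Step 2: the client follows up on the Visitor Mode port itself.
    gw = _forward(t.nat_rules, "tcp", t.visitor_mode_port)
    if gw != t.visitor_mode_port:
        problems.append(
            f"public port {t.visitor_mode_port} (Visitor Mode) must forward "
            f"unchanged, got {gw}")
    # Step 3: IPsec ports must pass through unchanged.
    for p in (500, 4500):
        if _forward(t.nat_rules, "udp", p) != p:
            problems.append(f"UDP {p} not forwarded unchanged")
    return problems


# Constructed scenarios taken from the thread.
IPSEC = (NatRule(500, 500, "udp"), NatRule(4500, 4500, "udp"))
# 1. Original setup: 8443 -> 8443, Visitor Mode moved to 8443. Works.
SCENARIO_SAME_PORT = Topology((NatRule(8443, 8443),) + IPSEC, 8443, 8443)
# 2. Mobile Access enabled: Visitor Mode locked to 443, NAT 8443 -> 443. Fails.
SCENARIO_MISMATCH = Topology((NatRule(8443, 443),) + IPSEC, 443, 8443)
# 3. Plain 443 -> 443 with Visitor Mode on 443. Works.
SCENARIO_443 = Topology((NatRule(443, 443),) + IPSEC, 443, 443)

if __name__ == "__main__":
    for name, topo in (("same port", SCENARIO_SAME_PORT),
                       ("8443->443 mismatch", SCENARIO_MISMATCH),
                       ("443->443", SCENARIO_443)):
        print(name, "->", check_remote_access(topo) or "OK")
```

The mismatch case fails at step 2: the public side has no rule for port 443, so the client's follow-up to the Visitor Mode port never reaches the gateway, which matches the observation that the mapping only works when both sides of the NAT use the same port. This is a model, not a capture; confirm what actually arrives on the gateway with something like `tcpdump -nni any 'tcp port 443 or tcp port 8443 or udp port 500 or udp port 4500'` before changing rules.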
MarcuzShinz
Contributor

Dear PhoneBoy,

I mean as image below

[two screenshots attached: TronNQ_0-1721995583403.png, TronNQ_1-1721995591801.png]

0 Kudos
PhoneBoy
Admin

That is precisely how I understood the situation.
Doesn't change the answer, unfortunately.
You can try just deleting and recreating the VPN site with the port number 8443: https://support.checkpoint.com/results/sk/sk103107 
However, unless you change the Visitor Mode port to match, this may not work.

0 Kudos
MarcuzShinz
Contributor

I solved this with Public IP:8443 <-> Check Point:443.
Thanks for your help.

0 Kudos
PhoneBoy
Admin

How exactly did you solve it?
By deleting/readding the site using port 8443?

0 Kudos
MarcuzShinz
Contributor

Dear PhoneBoy,

Not sure what the error was; I tried adding one NAT rule and firewall rules as below and it worked.

0 Kudos
PhoneBoy
Admin

No screenshot?

0 Kudos
MarcuzShinz
Contributor

[two screenshots attached: 2024-07-31_113726.png, 2024-07-31_113717.png]

0 Kudos
PhoneBoy
Admin

Considering the gateway shouldn't even see the public IP here (if I'm understanding your topology correctly), I'm surprised it works.
Can you confirm how the gateway sees the traffic with a tcpdump/fw monitor?

0 Kudos
MarcuzShinz
Contributor

I think it's because in Link Selection I have chosen the NAT-T option and entered the public IP into it, because I'm using S2S and C2S with the same public IP.

0 Kudos
