Glenmark_Impex
Contributor

Different Routes for Remote VPN clients

Hi everyone,

We have a task to propagate different routes for Remote VPN clients. Is it possible?

Environment:

Checkpoint FW - R81.10 Jumbo Hotfix Take 181

Remote access VPN clients Checkpoint Mobile VPN E88.10 with LDAP Authentication.

Remote clients receive manually defined Office Mode IP addresses from the Checkpoint GW.

Scenario:

Only a specific Remote VPN client should be able to reach not only the local subnets but also some specific subnets which are located behind a s-2-s VPN tunnel in a different location.

Traffic flow diagram for specific Remote VPN clients.

Remote Client <-> Checkpoint GW (local int) <-> (local int) VPN GW <-> VPN GW <-> dst subnets.

0 Kudos
5 Replies
PhoneBoy
Admin

Yes, you will need to add the relevant subnets to the RemoteAccess Encryption Domain.
Whether the client has access to these subnets is a function of the defined Access Policy, but all clients will receive the routes.

Glenmark_Impex
Contributor

Dear PhoneBoy,

Thank you for the reply, but we need to add subnets ONLY for specific Remote VPN clients (AD accounts).

Maybe it will be possible via some "routing tables" config file on the client side, or something similar to the TRAC file on the FW side?

0 Kudos
AkosBakos
MVP Silver

Hi @Glenmark_Impex 

I'm not 100% sure this will be a solution, but I would like to share it with you.

As I see it, you are using a VPN pool for the RA clients' IPs.

First, consider using ipassignment.conf ($FWDIR/conf/ipassignment.conf) to define a smaller network from the VPN pool for a specific AD group.

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...

This allows you to handle the clients separately in the rulebase. Group "A" reaches the internet, and group "B" does not.

I hope it helps,

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
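As an added example, not from this thread or from Check Point's own tooling, here is the check a practitioner would want before relying on the per-group ipassignment.conf approach described above: parse an ipassignment.conf-style fragment and verify that every group's carve-out lies inside the Office Mode pool and that no two groups overlap, since an overlapping range would let a source-based access rule match the wrong users. The column layout, the pool 10.5.5.0/24 and the group names are assumptions constructed for this example; verify the layout against the Remote Access VPN Administration Guide linked above.

```python
"""Sanity-check an ipassignment.conf fragment against the Office Mode pool.

Assumed column layout (an assumption; verify against the Remote Access VPN guide):
    <gateway> <type: addr|range|net> <ip | start-end | network> <mask> <user or group>
"""
import ipaddress

# Constructed sample: Office Mode pool and a carve-out for the AD group whose
# members may reach the subnets behind the site-to-site tunnel.
OFFICE_MODE_POOL = ipaddress.ip_network("10.5.5.0/24")
SAMPLE_CONF = """\
# Gateway   Type    IP Address             Mask             User/Group
*           range   10.5.5.1-10.5.5.30     255.255.255.0    RA_Remote_Site_Users
*           range   10.5.5.31-10.5.5.254   255.255.255.0    RA_Default_Users
"""


def parse_ipassignment(text):
    """Return a list of (group, set of addresses); comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        _gateway, kind, addr, mask, who = line.split(None, 4)
        if kind == "addr":
            hosts = {ipaddress.ip_address(addr)}
        elif kind == "range":
            start, end = (ipaddress.ip_address(x) for x in addr.split("-"))
            hosts = {ipaddress.ip_address(i) for i in range(int(start), int(end) + 1)}
        elif kind == "net":
            hosts = set(ipaddress.ip_network(f"{addr}/{mask}", strict=False).hosts())
        else:
            raise ValueError(f"unknown type {kind!r} in line: {raw}")
        entries.append((who, hosts))
    return entries


def check_assignments(entries, pool=OFFICE_MODE_POOL):
    """Report addresses outside the pool and overlaps between groups; empty list means clean."""
    problems = []
    for who, hosts in entries:
        outside = [h for h in hosts if h not in pool]
        if outside:
            problems.append(f"{who}: {len(outside)} address(es) outside pool {pool}")
    for i, (a, hosts_a) in enumerate(entries):
        for b, hosts_b in entries[i + 1:]:
            shared = hosts_a & hosts_b
            if shared:
                problems.append(f"{a} and {b} overlap on {len(shared)} address(es)")
    return problems
```

Run `check_assignments(parse_ipassignment(open("ipassignment.conf").read()))` against the real file and treat any non-empty result as a configuration error to fix before relying on source-range rules.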
PhoneBoy
Admin

@Glenmark_Impex is explicitly asking about the routes received on the client.
Unfortunately, this is not customizable on a per-user/group basis.

0 Kudos
Glenmark_Impex
Contributor

Hi AkosBakos

Sorry, but no, only specific clients "should know" about the destination subnets... Also, we are considering the possibility of using MEP or just running another Checkpoint with the Remote VPN blade.
