Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
NorthernNetGuy
Advisor
Jump to solution

Exclude single IP from Peer VPN IP range

I have a VPN community for a B2B connection set up, with their VPN Domain containing a /21, that all works fine.

 

There is 1 IP address in that /21 that is for a public website that we don't want to to route over the VPN, and I'm trying to figure out how to exclude it from being routed over that VPN. 

 

I've tried setting up a NAT rule to translate the source to an different IP than the one used for that community, but it still attempts to route over the VPN.

 

I've also tried setting up a static route, setting the next hop to the IP used as our default gateway.

 

How would I exclude an address from being routed thru that domain?

0 Kudos
1 Solution

Accepted Solutions
Danny
Champion Champion
Champion
9 Replies
Danny
Champion Champion
Champion
NorthernNetGuy
Advisor

Thanks Danny! The SK for crypt.def was a little daunting and not clear how to specifically exclude an address, but that posts solution explains it very well!

0 Kudos
NorthernNetGuy
Advisor

I also just discovered that exclusion group objects exist. Do you know if using an exclusion group would cause any issues if I use that as the Satellite VPN domain?

It would be a simpler approach and be easier to share with my other techs.

0 Kudos
Danny
Champion Champion
Champion

As this article describes, groups with exclusions may have issues when used with VPN encryption domains. It might work, just test it and keep a close eye on the calculated result. I understand you are looking for an easy solution. However, your task it not easy by design. You could also create a group containing multiple network objects describing your /21 network without that single IP address in order to use that manually crafted network group as your new encryption domain. However, keep in mind Check Point performs supernetting by default, so you might still end up with a /21 encryption domain. That's why crypt.def is your friend.

NorthernNetGuy
Advisor

I really appreciate the in depth response! I'll experiment with the exclusion group, but it looks like I'll likely need to go with defining an exclusion within crypt.def. 

I'll try and update this post with my results once I've tested, for anyone that might stumble upon this post in the future.

0 Kudos
AleLovaz82
Contributor

I use this
> You could also create a group containing multiple network objects describing your /21 network without that single IP address in >order to use that manually crafted network group as your new encryption domain.

+ force the firewall to use a specific subnet editing user.def.FW1

0 Kudos
AleLovaz82
Contributor

TAC told me that exclusion group as encryption domain are not supported even if you can use them from Smart Console

>- Exchanged the network group with exclusions(not supported in the encryption domain) with a standard network group

0 Kudos
PhoneBoy
Admin
Admin

Exclusion groups ARE supported for Remote Access VPN: https://support.checkpoint.com/results/sk/sk167000
However, that’s relatively recent and for the specific use case it was designed for (Remote Access).

0 Kudos
AleLovaz82
Contributor

ok , i used them in s2s vpn 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events