This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
yeruel
Participant
Saturday
Jump to solution

Internal Servers cant access after login the client

Hi Checkmates,

I have created tasks that Remote access VPN client users login to the checkpoint VPN client. 

VPN users can login to the VPN client and can get the IP pool with DNS. 

After login successfully into the VPN client, the can't access the internal servers. Please any help.

1. I have created rule that matches 

Source : Access role (Local users, network vpn Pool IP address),

Destination: Local LAN network, servers

RemoteAccess VPN community enabled.

2. OSPF is enabled between CP firewall and internal LAN switch

3. Static routing to external 

0 Kudos
1 Solution

Accepted Solutions
the_rock
Legend
Legend
yesterday
In response to AkosBakos
Jump to solution

Hey @AkosBakos 

I did remote with @yeruel and after checking all the basic settings first (such as IA blade remote access option, OM mode, access role, tested with subnet instead), we checked topology for eth2, which was interface involved and realized that 10.1.0.0/16 subnet was missing, so once we created new group and added 172.20.10.0/24, 172.20.27.0/24 and 10.1.0.0/16 into it, assigned to eth2, pushed policy, all worked fine, no issues, we could ping without even having to reconnect the client.

All these small things, hehe 🙂

Andy

View solution in original post

24 Replies
Chris_Atkinson
Employee Employee
Employee
Saturday
Jump to solution

1. Any drops logs for the traffic flow and what do you see with tcpdump / debugs?

2. What gateway version/JHF and which VPN client version/build?

3. Is it DNS related or does even basic connectivity by IP not work?

CCSM R77/R80/ELITE
0 Kudos
yeruel
Participant
Saturday
In response to Chris_Atkinson
Jump to solution

Hi @Chris_Atkinson 

The rule name VPN rule 

Source: access role (name is VPN-remote-access) which contains network pool for VPN client 192.168.253.0/24, and users - local users)

Destination: Local network and servers

VPN: RemoteAccess 

Service : any/ allow 

 

There is ospf routing to the internal network, that's full established. 

The issue is after successful login to the VPN client, users can't access internal network. 

Do you think my rule match is correct? The source: is that possible to use access role?

Note: the source policy is Unified

0 Kudos
Chris_Atkinson
Employee Employee
Employee
Sunday
In response to yeruel
Jump to solution

Please note E88.x is the current client version, E81.20 is end-of-life

Regarding the access role, do you have identity awareness enabled with the remote access identity source selected?

CCSM R77/R80/ELITE
0 Kudos
yeruel
Participant
Sunday
In response to Chris_Atkinson
Jump to solution

Hi @Chris_Atkinson 

I will change the VPN client version. and regarding the Identity awarness, yes it has been enabled, and also AD users are login to the Client-less SSLVPN portal for web application access. Every AD users are loggining and accessing the web application servers. The issues is for the client vpn users after login to access internal server. For Clientless, users are accessing the web servers.

0 Kudos
the_rock
Legend
Legend
Sunday
In response to yeruel
Jump to solution

I had that sort of situation happen before with customers and here is BEST way (at least best I found) to make sure if its identity awareness /access role issue. All you do is replace access role as src with say network group, install policy and test. If that works, then you know 100% what is the issue.

Hope that helps.

Andy

0 Kudos
yeruel
Participant
Sunday
In response to the_rock
Jump to solution

Hi @the_rock 

There is new thing, VPN client users with local users after successful connected to VPN, users can access some servers (172.20.10.10, 172.24.2.3 and subnet of 172.24.x.x and 172.20.X.X), but for others 172.17.0.0 and 10.1.0.x network can't access. The policy for VPN rule is the same single rule. 

Source: access role, destination: 172.24.x.x, 172.17.x.x, 172.20.x.x and 10.1.0.x), VPN: remote access, service any any. 

Why 172.17.x.x, 10.1.0x are not accessible? Can you provide best solution?

0 Kudos
the_rock
Legend
Legend
Sunday
In response to yeruel
Jump to solution

We would need to see why it fails...as @Chris_Atkinson asked in the beginning, any relevant logs indicating the reason?

Andy

0 Kudos
the_rock
Legend
Legend
yesterday
In response to yeruel
Jump to solution

Hey @yeruel 

Just thought of something else you can do as a test. Change topology as below and see if that works after pushing the policy.

Andy

 

  • Network defined by routes - The gateway dynamically calculates the topology behind this interface. If the network changes, there is no need to click "Get Interfaces" and install a policy.

Screenshot_1.png

0 Kudos
AkosBakos
Leader Leader
Leader
yesterday
Jump to solution

Can you send screenshots of the drop and the rule which should handle the traffic?

A screenshot would be great, where we can see a successful login in Identity Awareness.

And what is the IP that is received the client from the gateway when the VPN client connects?

Akos

 

----------------
\m/_(>_<)_\m/
0 Kudos
yeruel
Participant
yesterday
In response to AkosBakos
Jump to solution

detail log drop.PNGHi @AkosBakos 

Attached screenshoot,

1. VPN client users from internet can login using the local users name and connected to the site

2. VPN Pool IP recevied from vpn pool ip 192.168.254.0,

3. Try to access the internal servers from application servers area. Application servers area network is accessiable

4. Server storage and server farm network are not accissiable from vpn client.

5.  From Server storage and server farm (10.1.0.0 and 172.17.0.0 to the outside internet 8.8.8.8 is working fine)OSPF Routing.PNG
Topology.PNG

fron vpn client access 172.20.10.70.PNGIP Recived from vpn client pool.PNGLog from vpn to 10.1.0.1 drop.PNGRule for VPN.PNGVPN Client user cant access 10.1.0.1 and 172.17.0.1.PNG

0 Kudos
AkosBakos
Leader Leader
Leader
yesterday
In response to yeruel
Jump to solution

Hi,

In Access rule 1, the  Remote Access community intentionally not set in the VPN column?

And the most trivial question, but I want to ask: in the VPN-POOL object the subnet mask is configured corretly (or the network)?

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
yeruel
Participant
yesterday
In response to AkosBakos
Jump to solution

attached to address your question.

I just tried to add vpn remoteaccess to rule 1, no result.

VPN Pool network.pngVPN Pool network1.pngVPN RULE 1 with RA.png

0 Kudos
the_rock
Legend
Legend
yesterday
In response to yeruel
Jump to solution

Can you do route print from cmd on client PC (one of them) that does not work and compare it with same command on one that does work?

Andy

0 Kudos
AkosBakos
Leader Leader
Leader
yesterday
In response to yeruel
Jump to solution

Wait, this is not a simple drop:

2025-01-13 13_14_12-Re_ Internal Servers cant access after login the c... - Check Point CheckMates.png

"Encryption Failure: according to the policy the packet should not have been decrypted"

Someting is not overlapping?

https://support.checkpoint.com/results/sk/sk64060

Akos

----------------
\m/_(>_<)_\m/
(1)
the_rock
Legend
Legend
yesterday
In response to AkosBakos
Jump to solution

I was just about to give that sk as well. To me, that more seems related to S2S vpn.

Andy

0 Kudos
yeruel
Participant
yesterday
In response to the_rock
Jump to solution

Any one who can assist via virtual meeting, please

0 Kudos
the_rock
Legend
Legend
yesterday
In response to yeruel
Jump to solution

Yea, lets do zoom, message me directly.

Andy

(1)
AkosBakos
Leader Leader
Leader
yesterday
In response to the_rock
Jump to solution

Please update me with the findigs  🙂

----------------
\m/_(>_<)_\m/
0 Kudos
the_rock
Legend
Legend
yesterday
In response to AkosBakos
Jump to solution

Hey @AkosBakos 

I did remote with @yeruel and after checking all the basic settings first (such as IA blade remote access option, OM mode, access role, tested with subnet instead), we checked topology for eth2, which was interface involved and realized that 10.1.0.0/16 subnet was missing, so once we created new group and added 172.20.10.0/24, 172.20.27.0/24 and 10.1.0.0/16 into it, assigned to eth2, pushed policy, all worked fine, no issues, we could ping without even having to reconnect the client.

All these small things, hehe 🙂

Andy

AkosBakos
Leader Leader
Leader
yesterday
In response to the_rock
Jump to solution

you mean that, one network was missing from the AntiSpoofing group (Topology)

----------------
\m/_(>_<)_\m/
the_rock
Legend
Legend
yesterday
In response to AkosBakos
Jump to solution

Yup!

0 Kudos
yeruel
Participant
yesterday
In response to the_rock
Jump to solution

WOW! You are very nice! everything is fine now!

You deserved 5 stars!

0 Kudos
yeruel
Participant
yesterday
In response to AkosBakos
Jump to solution

I think that's for site to site VPN, I am not going to do S2S VPN. My scope is Remote access from the internet using vpn client.

0 Kudos
AkosBakos
Leader Leader
Leader
yesterday
In response to yeruel
Jump to solution

Yes, I know, but something can overlap with the Remote Access IP range

----------------
\m/_(>_<)_\m/
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events