Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
tropicanaslim
Contributor
Jump to solution

Mobile Access - IP Pool Configuration

Halo All,

I was enable Mobile Access Blade for SSL VPN and follow the wizard.

And this is the traffic : USER (public) —INTERNET— Mobile Access (R81.10) — Core — Internal Apps.

Mobile Access has 2 interface :

  • ETH1 : Public IP (facing to internet + portal access)
  • ETH2 : Local IP (point2point with Core)
  • + IP Pool VPN (default segment IP)

 

And Mobile Access configuration like below :

Enable Office Mode + IP PoolEnable Office Mode + IP Pool

 

 

 

 

 

 

 

 

 

 

My question is, why all Mobile Access user when access to internal apps detected using ETH2 IP (Local IP) not Pool VPN IP? When i check on Mobile Access Log, there are only Public IP information from user.

Based on above information, is my configuration wrong? any additional configuration needed?

 

Thankyou!

1 Solution

Accepted Solutions
Vladimir
Champion
Champion

Both, Automatic NAT and Manual NAT should be used simultaneously. But if the properties of your Office Mode Pool look like the screenshot above, they are misconfigured. Use this one for references:

Office-Mode_Pool-NAT.png

Set the Pool NAT properties as shown above, but add the NonNAT_Rule I have suggested previously.

If you are using Remote access with DNS forwarding to HQ and egress to the Internet resources, you want the pool to be NATed going outside. For access to internal resources, you do not- hence the Non_NAT Rule.

View solution in original post

10 Replies
G_W_Albrecht
Legend Legend
Legend

See Mobile Access R80.10 Administration Guide: Office Mode

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
tropicanaslim
Contributor

Hi @G_W_Albrecht 

Yes i just compared my configuration with admin guide.

On $FWDIR/conf/ipassignment.conf i make sure on this config file there is no configuration related to Local IP and Pool VPN IP. So in my opinion will take over by Manual (using IP Pool), but i dont know why on Application detect the user using ETH2 Local IP, not Pool VPN IP. This one make me confused.

the_rock
Legend
Legend

I believe ipassignment.conf would take precedence.

tropicanaslim
Contributor

Hi @Theo yeah i believe so earlier, but after check the $FWDIR/conf/ipassignment.conf there is no configuration related to IP that i used on the firewal..

This is the capture :

default setting ipassignmentdefault setting ipassignment

the_rock
Legend
Legend

Right, thats what every default ipassignment.conf would look like, so it does not appear it was modified manually. 

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

RS_Daniel
Advisor

Hello,

I assume you are using SNX or the Mobile Access vpn client on your remote machines in order to get an Office Mode IP address, it would be useful a capture what you see to understand better.  I will assume you are checking only the logs for decrypted packets, maybe there is a NAT causing this behavior. To start you can go to the logs and look for blade:"Mobile Access" search your login and take note of the office mode ip assigned, then look for that IP address and check what you see, if there is a NAT you should find it here.

Regards

Vladimir
Champion
Champion

Likely a NAT issue.

I suggest creating a NO_NAT_for_Remote_Access rule in your NAT policy and configuring it as:

CP_Default_Office_Mode_Pool to Internal_Networks, Original, Original.

Chris_Atkinson
Employee Employee
Employee

Agree, likely your hitting default/atuo NAT rules similar to:

NAT.png

CCSM R77/R80/ELITE
tropicanaslim
Contributor

Hi @Chris_Atkinson and @Vladimir 

Thank you for your reply, currently i dont have access to the Gateway. i will it again on Thursday.

your suggestion is using manual nat or automatic nat? because i did some nat test before, by default VPN-IP-Pool is enable Hide NAT like below, but after i uncheck the NAT option, there is no differentiation. Is it similar with your suggestion using Manual NAT or Automatic NAT?

example - i did uncheck NAT optionexample - i did uncheck NAT option

 

Thanks!

Vladimir
Champion
Champion

Both, Automatic NAT and Manual NAT should be used simultaneously. But if the properties of your Office Mode Pool look like the screenshot above, they are misconfigured. Use this one for references:

Office-Mode_Pool-NAT.png

Set the Pool NAT properties as shown above, but add the NonNAT_Rule I have suggested previously.

If you are using Remote access with DNS forwarding to HQ and egress to the Internet resources, you want the pool to be NATed going outside. For access to internal resources, you do not- hence the Non_NAT Rule.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events