This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
tropicanaslim
Participant
‎2022-07-05 07:46 AM

Mobile Access - IP Pool Configuration

Jump to solution

Halo All,

I was enable Mobile Access Blade for SSL VPN and follow the wizard.

And this is the traffic : USER (public) —INTERNET— Mobile Access (R81.10) — Core — Internal Apps.

Mobile Access has 2 interface :

  • ETH1 : Public IP (facing to internet + portal access)
  • ETH2 : Local IP (point2point with Core)
  • + IP Pool VPN (default segment IP)

 

And Mobile Access configuration like below :

Enable Office Mode + IP PoolEnable Office Mode + IP Pool

 

 

 

 

 

 

 

 

 

 

My question is, why all Mobile Access user when access to internal apps detected using ETH2 IP (Local IP) not Pool VPN IP? When i check on Mobile Access Log, there are only Public IP information from user.

Based on above information, is my configuration wrong? any additional configuration needed?

 

Thankyou!

Labels
0 Kudos
1 Solution

Accepted Solutions
Vladimir
Champion
Champion
‎2022-07-06 08:18 AM
In response to tropicanaslim

Jump to solution

Both, Automatic NAT and Manual NAT should be used simultaneously. But if the properties of your Office Mode Pool look like the screenshot above, they are misconfigured. Use this one for references:

Office-Mode_Pool-NAT.png

Set the Pool NAT properties as shown above, but add the NonNAT_Rule I have suggested previously.

If you are using Remote access with DNS forwarding to HQ and egress to the Internet resources, you want the pool to be NATed going outside. For access to internal resources, you do not- hence the Non_NAT Rule.

View solution in original post

10 Replies
G_W_Albrecht
Legend
Legend
‎2022-07-05 07:55 AM

Jump to solution

See Mobile Access R80.10 Administration Guide: Office Mode

CCSE CCTE SMB Specialist
tropicanaslim
Participant
‎2022-07-05 08:47 AM
In response to G_W_Albrecht

Jump to solution

Hi @G_W_Albrecht 

Yes i just compared my configuration with admin guide.

On $FWDIR/conf/ipassignment.conf i make sure on this config file there is no configuration related to Local IP and Pool VPN IP. So in my opinion will take over by Manual (using IP Pool), but i dont know why on Application detect the user using ETH2 Local IP, not Pool VPN IP. This one make me confused.

0 Kudos
the_rock
Champion
Champion
‎2022-07-05 08:56 AM
In response to tropicanaslim

Jump to solution

I believe ipassignment.conf would take precedence.

0 Kudos
tropicanaslim
Participant
‎2022-07-05 09:19 AM
In response to the_rock

Jump to solution

Hi @Theo yeah i believe so earlier, but after check the $FWDIR/conf/ipassignment.conf there is no configuration related to IP that i used on the firewal..

This is the capture :

default setting ipassignmentdefault setting ipassignment

0 Kudos
the_rock
Champion
Champion
‎2022-07-06 11:50 AM
In response to tropicanaslim

Jump to solution

Right, thats what every default ipassignment.conf would look like, so it does not appear it was modified manually. 

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
RS_Daniel
Advisor
‎2022-07-05 09:45 AM

Jump to solution

Hello,

I assume you are using SNX or the Mobile Access vpn client on your remote machines in order to get an Office Mode IP address, it would be useful a capture what you see to understand better.  I will assume you are checking only the logs for decrypted packets, maybe there is a NAT causing this behavior. To start you can go to the logs and look for blade:"Mobile Access" search your login and take note of the office mode ip assigned, then look for that IP address and check what you see, if there is a NAT you should find it here.

Regards

0 Kudos
Vladimir
Champion
Champion
‎2022-07-05 08:03 PM

Jump to solution

Likely a NAT issue.

I suggest creating a NO_NAT_for_Remote_Access rule in your NAT policy and configuring it as:

CP_Default_Office_Mode_Pool to Internal_Networks, Original, Original.

Chris_Atkinson
Employee
Employee
‎2022-07-05 08:31 PM
In response to Vladimir

Jump to solution

Agree, likely your hitting default/atuo NAT rules similar to:

NAT.png

0 Kudos
tropicanaslim
Participant
‎2022-07-06 08:06 AM
In response to Chris_Atkinson

Jump to solution

Hi @Chris_Atkinson and @Vladimir 

Thank you for your reply, currently i dont have access to the Gateway. i will it again on Thursday.

your suggestion is using manual nat or automatic nat? because i did some nat test before, by default VPN-IP-Pool is enable Hide NAT like below, but after i uncheck the NAT option, there is no differentiation. Is it similar with your suggestion using Manual NAT or Automatic NAT?

example - i did uncheck NAT optionexample - i did uncheck NAT option

 

Thanks!

0 Kudos
Vladimir
Champion
Champion
‎2022-07-06 08:18 AM
In response to tropicanaslim

Jump to solution

Both, Automatic NAT and Manual NAT should be used simultaneously. But if the properties of your Office Mode Pool look like the screenshot above, they are misconfigured. Use this one for references:

Office-Mode_Pool-NAT.png

Set the Pool NAT properties as shown above, but add the NonNAT_Rule I have suggested previously.

If you are using Remote access with DNS forwarding to HQ and egress to the Internet resources, you want the pool to be NATed going outside. For access to internal resources, you do not- hence the Non_NAT Rule.