This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Remi_Richer
Explorer
‎2020-03-13 11:10 AM

Mobile Access on separate external interface

Hello Checkmates,

I need some help with a new VPN setup we're trying to implement. I need to be using a second external interface leading to a second distinct ISP (eth1). We're trying to set Mobile Access on that interface for bandwidth reasons. My issue currently is that when we try to reach the portal, traffic comes in on eth1 but the http responses are going outbound on the other external interface/ISP (eth4) because of the default route and makes it impossible to access remotely (the portal works fine when accessing from internal networks).

Is there a way to get around this? So far I've looked at the documentation on ISP-Redundancy which doesn't seem to apply at all for my scenario. I also looked into Policy-Based-Routing but couldn't make it work; I think it's just not meant for what I'm trying to do, unless I'm implementing it wrong.

Any help is greatly appreciated.

0 Kudos
5 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2020-03-14 05:01 AM

Do you have the Support connectivity enhancement for gateways with multiple external interfaces option set?

VSX may also be an option depending on your intended use cases for the second ISP link.

Another would be to implement an external router for handling that element.

CCSM R77/R80/ELITE
0 Kudos
Remi_Richer
Explorer
‎2020-03-16 10:42 AM
In response to Chris_Atkinson

Hi Chris, thanks for the reply.
We do have the 'Support connectivity enhancement for gateways with multiple external interfaces' option checked but the issue still remains.
Could you elaborate a little on how I could handle this with an external router?
The use case is quite simple, we want the 'Mobile Access' tunneled traffic to be on the second ISP link, to liberate some bandwidth on the main ISP connection where we're already at maximum capacity. There wouldn't be anything other than that VPN traffic on that link.
0 Kudos
PhoneBoy
Admin
Admin
‎2020-03-16 06:42 PM
In response to Remi_Richer

I'm guessing this is how to solve the issue.
In the Gateway Object, go to IPSec VPN > Link Selection, hit the Setup button under Outgoing Route Selection and select Reply from Same Interface.
Install policy.

Screen Shot 2020-03-16 at 6.40.12 PM.png

0 Kudos
Cesar_Santos
Explorer
‎2020-03-17 04:42 AM
In response to PhoneBoy

Hi,

 

I'm having the exact same issue.

 

Tried your suggestion, but did not worked.

 

Also, I thing is important to mention sk in https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut.... Also tried that, but no luck.

 

Anymore ideas?

 

Regards,

César Sant 

0 Kudos
Remi_Richer
Explorer
‎2020-03-18 08:33 AM
In response to PhoneBoy

That didn't work for me, unfortunately. We are using the SSL network Extender currently so I don't think IPSec Link Selection impacts anything here. Maybe that could work with one of the VPN clients (so far I tried 'Endpoint Security VPN' but it's the same issue, it couldn't even create the site; 'site is not responding). We'll probably deploy a 2200 gateway we have lying around and handle this ISP separately with it. I can't find any built-in settings to make this work otherwise.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events