Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Visham
Participant
Jump to solution

Policy to control users connecting through VPN

Hello,

My Environment:

Check Point Security Gateway 6600
Gaia R81.20 (Build 627)
IPSec VPN Blade Enabled

I am trying to create a policy to restrict users connecting through VPN to get access to specific Networks and Server:

1. User 1 must access only LAN 2
2. User 2 must only access a specific server in LAN 1
3. User 3 must access LAN 1 and LAN 2

Configuration:

In the "RemoteAccess" VPN Community:

Participating Gateways:
MyGateway - VPN Domain (LAN 1 & LAN 2) in a network group X

Participating User Groups
(User 1, User 2 and User 3) in a user group A


In the Policy:

Source: Access Role containing Group with only User 1
Destination: LAN 2
VPN: RemoteAccess

Source: Access Role containing Group with only User 2
Destination: ServerName
VPN: RemoteAccess

Source: Access Role containing Group with only User 3
Destination: network group X
VPN: RemoteAccess

After creating new policies with the above conditions, the 3 users can access both LAN 1 and LAN 2. It is not working as per policy created. 

I believe as all 3 policies are using "RemoteAccess" Community as VPN, it is overriding the policies?

Thanks for any help.

Visham

1 Solution

Accepted Solutions
G_W_Albrecht
Legend Legend
Legend

You should use Identity Awareness and Access  Roles (sk86441).

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

4 Replies
PhoneBoy
Admin
Admin

Rules with "Any" in the VPN column will also match rules for VPN (either Site-to-Site or Remote Access).
Which means an entirely different rule could have allowed this traffic.
Review the full log card to see what precise rule number matched the relevant traffic.
A screenshot of these logs (with sensitive data redacted) would be helpful.

Visham
Participant

You are totally right!! Thanks for clearing this out.

An entirely different rule allowed this traffic! 

The issue I am getting for my scenario:

   1. User 1 must access only LAN 2

   2. User 2 must only access a specific server in LAN 1

   3. User 3 must access LAN 1 and LAN 2

 is that when I add the user in the "source", the policy does not work. From the logs the IP of the VPN client is being blocked. When I add "CP_default_Office_Mode_addresses_pool" in the "source", I can control the access in the policy table for my scenario above.

I wanted to control access based on User, but does not seems to work or I am doing something wrong.

G_W_Albrecht
Legend Legend
Legend

You should use Identity Awareness and Access  Roles (sk86441).

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Visham
Participant

Thanks for the hint. Issue is addressed 😁

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events