cezar_varlan1
Collaborator

Remote Access Communities

Hello,

I am trying to configure a more complicated VPN setup for Remote Access, but it doesn't look like it works the way I was expecting. There is only one Remote Access Community. In the manual we have the line:

"You can also create a new Remote Access VPN Community with a different name." but there is no instruction on how to do so. If I add a new community I have only Star or Mesh options, and they look like they are a bit different from the built-in Remote Access.

1. First of all, can I have more than one Remote Access Community per Gateway? I can edit the VPN Domain per Remote Access, but I can't really get how you can create a second Remote Access Community.

2. I know that there is one Office Mode Pool by default per gateway. If I need to allocate two different IP subnets to users connecting to the gateway based on Group/Username, can I do it in any other way than stated in sk33422 (Office Mode IP and ipassignment.conf file)? This one

3. For non-global split-tunnel we have sk114882, where you can control the tunneling mode based on group membership.

Does anyone have a similar setup where, let's say:

Internal VPN Users can access Full-Tunnel and all internal subnets 

External VPN Users can access Split-Tunnel and some pre-defined internet destinations with VPN GW NAT

All of this on only one Security Gateway

Thank you,

Cezar

8 Replies
Jerry
Mentor

What exactly are you trying to achieve here, Cezar? Please explain so we'd have a better understanding of your requirements.

Jerry
cezar_varlan1
Collaborator

I will quote myself:

Internal VPN Users can access Full-Tunnel and all internal subnets and some pre-defined internet destinations with VPN GW NAT.

External VPN Users can access Split-Tunnel and just some pre-defined internet destinations with VPN GW NAT (the specific locations do source filtering and only allow the customer company's subnet to access, hence the GW has to NAT).

All of this on only one Security Gateway.

Internal VPN users are employees, External VPN users are contractors, but everyone will obviously be accessing from the internet.

G_W_Albrecht
Legend

What about using Remote Access Roles in your Remote Access Control Policy? You can use different rules to control the access of User Groups; see the Remote Access VPN Administration Guide R80.20, p. 28f, for details!


CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
PhoneBoy
Admin

I'm not sure you need multiple remote access communities if you set the policy up correctly.

That said, I seem to recall someone actually managed to create a second Remote Access community (though I'm not sure how):

https://community.checkpoint.com/thread/10089-multiple-remote-access-communities-gw-version 

As far as I know, if you need different pools for different users, you need to edit ipassignment.conf.

Likewise for the other change you mentioned, if you want different "split tunnel" settings.

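Added example (editor's code, not from any poster in this thread) for the ipassignment.conf approach that point 2 of the question and the reply above both refer to. sk33422 describes ipassignment.conf in $FWDIR/conf on the gateway as a four-column file: gateway name (or "*" for any gateway), type (addr, range or net), the address specification, and the user or group name. The column layout below follows that SK as I recall it; the file contents, gateway name and group names are constructed for the example. Before pushing such a file to a gateway it is worth checking it mechanically, because two groups whose pools overlap (a contractor pool carved out of the employee range, say) defeat the point of separate pools and also break any policy or NAT rule keyed on the pool. The script parses the file, lists every entry a connecting user could match, and reports overlapping pools per gateway; which entry the gateway applies when several match is left to the SK, so the script does not claim a precedence rule.

```python
import ipaddress
from typing import List, NamedTuple, Tuple

# Constructed ipassignment.conf, modelled on the column layout in sk33422:
# Gateway, Type (addr|range|net), IP address / range / network, User or Group.
# "*" in the gateway column matches any gateway. Sample data only; not from a
# real installation. The Auditors range deliberately sits inside the
# Contractors network so the overlap check has something to report.
SAMPLE_CONF = """\
# Gateway      Type    IP Address                  User / Group
Corp-GW        range   10.40.0.10-10.40.0.199      Employees
Corp-GW        net     10.41.0.0/255.255.255.0     Contractors
*              addr    10.40.0.250                 svc-backup
Corp-GW        range   10.41.0.100-10.41.0.120     Auditors
"""


class Entry(NamedTuple):
    gateway: str
    kind: str
    first: int   # first address of the pool, as an integer
    last: int    # last address of the pool, as an integer
    name: str    # user or group name from the fourth column
    line: int    # line number in the file, for error reporting


def _parse_spec(kind: str, spec: str) -> Tuple[int, int]:
    """Turn the third column into an inclusive [first, last] integer range."""
    if kind == "addr":
        a = int(ipaddress.IPv4Address(spec))
        return a, a
    if kind == "range":
        lo, hi = spec.split("-", 1)
        lo_i, hi_i = int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
        if lo_i > hi_i:
            raise ValueError(f"range {spec!r} runs backwards")
        return lo_i, hi_i
    if kind == "net":
        # Accepts both 10.41.0.0/255.255.255.0 (the form in the SK) and /24.
        net = ipaddress.IPv4Network(spec, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    raise ValueError(f"unknown type {kind!r}")


def parse_conf(text: str) -> List[Entry]:
    """Parse ipassignment.conf text; '#' starts a comment, blank lines are ignored."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {n}: expected 4 columns, got {len(fields)}")
        gw, kind, spec, name = fields
        first, last = _parse_spec(kind.lower(), spec)
        entries.append(Entry(gw, kind.lower(), first, last, name, n))
    return entries


def matches_for(entries: List[Entry], gateway: str, user: str, groups: List[str]) -> List[str]:
    """Names of every entry this user could match on this gateway, in file order.
    Which one the gateway actually applies when several match is per sk33422,
    not decided here."""
    wanted = {user, *groups}
    return [e.name for e in entries
            if e.gateway in ("*", gateway) and e.name in wanted]


def find_overlaps(entries: List[Entry], gateway: str) -> List[Tuple[str, str]]:
    """Pairs of entries applying to `gateway` whose address pools intersect."""
    applicable = [e for e in entries if e.gateway in ("*", gateway)]
    overlaps = []
    for i, a in enumerate(applicable):
        for b in applicable[i + 1:]:
            if a.first <= b.last and b.first <= a.last:
                overlaps.append((a.name, b.name))
    return overlaps


if __name__ == "__main__":
    parsed = parse_conf(SAMPLE_CONF)
    for e in parsed:
        print(f"line {e.line}: {e.gateway:8} {e.kind:6} {e.name:12} "
              f"{ipaddress.IPv4Address(e.first)} - {ipaddress.IPv4Address(e.last)}")
    print("matches for alice in Contractors+Auditors:",
          matches_for(parsed, "Corp-GW", "alice", ["Contractors", "Auditors"]))
    print("overlapping pools on Corp-GW:", find_overlaps(parsed, "Corp-GW"))
```

Run it against the real file with `parse_conf(open("/path/to/ipassignment.conf").read())` (path is whatever $FWDIR/conf resolves to on the gateway); an empty list from find_overlaps for each gateway name is what you want before the pool-based access rules in the original post can be trusted.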
Gabriele_Di_Gia
Participant

Hi Nickel,

I'm using an R80.10 VSX GW and an external MGMT. I tried to create a new VPN RemoteAccess community by clicking on the default RemoteAccess and then choosing "new".

So I created a new RemoteAccess, but it doesn't work.

I can connect to my second VPN GW, installed at a second physical geographic site, only if I add my second VPN GW to the default RemoteAccess community; otherwise I cannot connect.


PointOfChecking
Collaborator

"I can connect to my second VPN GW, installed at a second physical geographic site, only if I add my second VPN GW to the default RemoteAccess community; otherwise I cannot connect."


Hi, I know this was a while ago, but if I add the 2nd gateway to the default RemoteAccess community, then the users can connect but cannot access any network facilities. How did you get around this issue?


Thanks.


Ruan_Kotze
Advisor

I'd like to see your trac.log. It might be that you have overlapping encryption domains between the two gateways. Have a look at sk78180.

PointOfChecking
Collaborator

Where can I find the trac.log? "find / -name trac.log" returns nothing.

SK78180 directs me to disable MEP. Is that correct?

