Remote Access VPN multiple pools and IP assignment
Dear All,
I actually have an R80.20 cluster with 2 gateways.
All employees are allowed to have remote access using Check Point Mobile.
When they do so, they get a 172.16.10.0/23 address.
First problem:
I wanted to allocate a few IP addresses in this range. I did it by modifying the ipassignment.conf file.
In the beginning it was working fine. But I then realized the IP address was given to another employee who had connected earlier in the day... How is it possible to overwrite the reservation like that?
Second problem:
I decided to allocate static IP addresses for the concerned users in another subnet (let's say 10.x.x.x/24), so that I'm not bothered by the first problem.
The problem is, as soon as I'm connected by VPN with the new IP address I set, I get disconnected 30 seconds later.
In the logs, I can see that my traffic links with the external interfaces, but all the packets get dropped with an "Address spoofing" error message. In fact, my traffic isn't listed as a "VPN" feature.
How could I fix one or both problems?
Thanks in advance,
If you want to assign a specific user a specific IP, it cannot be in your general Office Mode range, at least as I understand it.
First problem:
Networks in ipassignment.conf must be different than the Office mode network.
Second problem:
You have to add the network that you give for VPN users in SmartConsole -> GW options -> Network Management -> your external interface, facing VPN users -> Modify topology -> "Don't check packets from", or just disable anti-spoofing on the external interface (not so secure).
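
A pre-deployment check for the first answer's rule, as an added example that is not part of the thread or Check Point's tooling: it flags ipassignment.conf entries that fall inside the Office Mode pool. The gateway / type / address / user column layout, the gateway name `gw-cluster`, the user names and the 10.20.x.x addresses are assumptions made for illustration; compare the layout with the comment header of your own file.

```python
import ipaddress

# Constructed sample in the gateway / type / address / user layout (assumed).
SAMPLE_CONF = """\
# Gateway   Type   IP Address                     User Name
gw-cluster  addr   172.16.10.50                   alice
gw-cluster  addr   10.20.30.5                     bob
gw-cluster  range  172.16.11.200-172.16.11.210    helpdesk
gw-cluster  net    10.20.31.0/28                  finance
"""

def parse_entry(line):
    """Return (user, [networks]) for one entry, or None for blanks/comments."""
    fields = line.split("#", 1)[0].replace(",", " ").split()
    if len(fields) < 3:
        return None
    # The type column is treated as optional here; default to a single address.
    if fields[1] in ("addr", "range", "net"):
        kind, spec, user = fields[1], fields[2], fields[-1]
    else:
        kind, spec, user = "addr", fields[1], fields[-1]
    if kind == "range":
        # "first-last" with an optional "/mask" suffix, which is ignored here.
        first, last = spec.split("/")[0].split("-")
        nets = list(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    else:
        nets = [ipaddress.ip_network(spec, strict=False)]
    return user, nets

def find_overlaps(conf_text, office_mode_pool):
    """List (user, network) entries that fall inside the Office Mode pool."""
    pool = ipaddress.ip_network(office_mode_pool)
    hits = []
    for line in conf_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        user, nets = entry
        hits += [(user, str(n)) for n in nets if n.overlaps(pool)]
    return hits

if __name__ == "__main__":
    # 172.16.10.0/23 is the Office Mode range given in the question.
    for user, net in find_overlaps(SAMPLE_CONF, "172.16.10.0/23"):
        print(f"{user}: {net} is inside the Office Mode pool")
```

Every network the check passes is also a candidate for the "Don't check packets from" group mentioned in the second answer.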
