This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
OmarDafiri
Contributor
‎2023-06-01 02:39 PM
Jump to solution

Remote Access VPN on Gateways behind another firewall

Hello everyone,

 

I have a setup which is the following:

  • Two SG R81.10 on High Availability Mode.
  • External IP addresses are private IP's 10.11.103.245 and 10.11.103.246 and the VIP is 10.11.103.1.

The ISP router is connected to another firewall (Fortigate) which routes traffic to the VIP (10.11.103.1).

My default route is 10.11.103.254 (which is the Fortigate private interface IP address), the internet access works perfectly.

My concern is to setup a Remote VPN access using the public IP address. Is Statically NATed IP address is the best option I have under Link Selection configuration ? (I have tried it but the VPN lient doesn't recognize the site ), or there is another option for me I can use to configure it?

 

Thank you in advance

0 Kudos
1 Solution

Accepted Solutions
OmarDafiri
Contributor
‎2023-06-15 02:48 AM
Jump to solution

Hello everyone,

Thank you so much for your suggestions and your feedback, and am sorry for my late response.

We managed to fix the issue. Indeed, the Fortigate guy didn't perform a Dnat to check point VIP, that's why it didn't work.

Once he perfomed it, the client VPN worked perfectly.

 

Thank you again for your assistance and your help.

 

Regards,

DAFIRI Omar

View solution in original post

4 Replies
PhoneBoy
Admin
Admin
‎2023-06-01 03:18 PM
Jump to solution

Link Selection to a static IP (the public NAT) is the correct configuration.
Have you done any packet captures to confirm the Fortinet box is forwarding all the relevant traffic to the Check Point gateway?

0 Kudos
the_rock
Legend
Legend
‎2023-06-01 03:31 PM
Jump to solution

Sounds like you have the right config already. As phoneboy said, maybe do some packet captures to see what gives. Some examples below (lets just assume client IP is 1.2.3.4 and gw ip is 4.3.2.1)

On gateway (expert mode)

fw ctl zdebug + drop | grep 1.2.3.4

fw monitor -e "accept host(1.2.3.4) and host(4.3.2.1);"

fw monitor -e "accept port(18234);"    (18234 is tunnel test port)

fw monitor -F "1.2.3.4,0,4,3,2,1,0,0" -F "4.3.2.1,0,1.2.3.4,0,0"

Idea in last command is this "srcIP,srcPort,dstIP,dstport,protocol" and then 2nd one is just other way around

Let us know what you get.

Hope those help.

Im fairly experienced in Foirtinet (though nothing like few of my colleagues lol), but you can also do packet capture there as well. I know in any 7.x.x version, its available via GUI, or just via cli:

diag sniffer packet any host x.x.x.x 4 50

 

This is in latest 7.4.0 version

Andy

 

Screenshot_1.png

 

0 Kudos
OmarDafiri
Contributor
‎2023-06-15 02:48 AM
Jump to solution

Hello everyone,

Thank you so much for your suggestions and your feedback, and am sorry for my late response.

We managed to fix the issue. Indeed, the Fortigate guy didn't perform a Dnat to check point VIP, that's why it didn't work.

Once he perfomed it, the client VPN worked perfectly.

 

Thank you again for your assistance and your help.

 

Regards,

DAFIRI Omar

the_rock
Legend
Legend
‎2023-06-15 03:12 AM
In response to OmarDafiri
Jump to solution

Excellent! 👍

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events