Remote Access to Internal Sources Work but not to ...

OrkhanRustamli · ‎2020-04-03

Hello,

I have recently installed new CP15000 appliance on our new office. I enabled Remote Access VPN following same config we have on other offices. The problem is I can access internal resources but cannot access internet after I connected to VPN. HUB mode if checked, Policy for Remote Community is Any Any Permit for testing, Made Hide nat for RA Pool object, DNS added on Office Mode configs but still no result. Same configs are working in other officess.

For now version of appliance is R80.20, will upgrade weekends. What can be cause?

Thanks in advance!

Vladimir · ‎2020-04-03

Please:

1. Confirm that the split tunneling is disabled

2. Create additional access rule for RA pool net Any Any Permit

3. NAT rule for RA pool net Internal nets original original

4. Nat rule Internal nets RA pool net original original

let me know what you are logging when trying to access the Internet using: icmp to IP and URL.

OrkhanRustamli · ‎2020-04-06

Hello Vladimir,

1) If you mean Hub Mode in Checkpoint by "Disabling Split Tunneling", then HUB mode is checked.

2)There is already Any Any Permit rule with log enabled. When I ping internal resource I see log in SmartView but when I ping for example 8.8.8.8, ping doesn`t work and I do not see any log

3)I have Hide internal behind this gateway checked on Gateway configuration and more, I have added hide nat to VPN Pool network object which created "no nat" automatically.

Vladimir · ‎2020-04-06

1, From connected client, run traceroute to 8.8.8.8 and to internal hosts, compare the output to see if it is a routing issue.

2. Enable cleanup logging and implied rules logging and try again. See if the drops are now visible and what they are telling us.

Maarten_Sjouw · ‎2020-04-03

make sure that the 2 NAT rules are not in each others way, Hide NAT and No NAT.
Also if you have installed the E80.xx client and installed it as a SecureClient, you also install the local firewall. Make sure to disable it or allow the traffic in a Desktop policy.

Regards, Maarten

OrkhanRustamli · ‎2020-04-06

Hello, I configured nat from VPN Pool Network Object which created No Nat and Hide NAT automatically. I do not think that it is related to Firewall of Desktop policy because I connect to other gateways with same applicaiton and Internet works fine.

Maarten_Sjouw · ‎2020-04-06

NAT rules are not hidden. So make sure you have a NAT rule for outbound traffic, also check the logs and add the Xlate source and Xlate destination columns to your log view.

Regards, Maarten

OrkhanRustamli · ‎2020-04-06

@Vladimir @Maarten_Sjouw Actually all of them were in place. It is really weird because I could solve problem by following way: So previously for playing HUB mode for Linux Extender users, I created one group with 0.0.0.0 - 255.255.255.255 range and assigned it to some gateway where Linux users need to be connected as VPN Domain for Remote Community. For testing I just assigned same Domain to this gateway as well, and it started to work. It is really confusing because in some gateways without this domain, internet traffic still works.

Maarten_Sjouw · ‎2020-04-06

Do keep in mind there are 2 settings for Hub mode that you need to set, the first one is in Global Properties under Remote Access - Endpoint Connect, option Route all traffic to gateway = Yes
The second is on each gateway in \VPN clients - Remote Access - Hub mode Configuration tick the box in Allow VPN clients to route traffic through this gateway.

Regards, Maarten

Vladimir · ‎2020-04-06

Uh,, The "Linux Extender" is a new piece of the puzzle, I believe. In the future, I'll be asking to clarify the client OS and the connection method.

I'd like to ask you to test it again, without the 0.0.0.0-255.255.255.255 in Remote Access Encryption Domain and check the routes on the client. If I am guessing right, you will not see the route 0 from VPN.

Are you a member of CheckMates?

Remote Access to Internal Sources Work but not to Internet