This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
PointOfChecking
Collaborator
‎2021-04-16 03:32 AM
Jump to solution

Remote VPN client presents GW IP to other servers in the network

Sorry if this has already been posted, but I can't find anything posted nor any admin guide which explains it.

We've got the Remote VPN set up, and clients connected successfully and working.

 

However, when we check logs of other servers, we cant see the IP of the remote client, just the Cluster IP (Main IP) of the GW.

 

So for example:

 

LAN Network address: 192.168.0.0/22 (192.168.0.0 - 192.168.3.255)

VPN Network Range: 192.168.2.0/24 (192.168.2.0 - 192.168.2.255)

GW (Main IP): 192.168.0.1

Proxy Server: 192.168.0.100

Remote Client IP: 192.168.2.1

LAN Client IP: 192.168.0.5

Both clients visit: www.website.com

 

When I check the proxy log, I can see 2 connections visiting www.website.com

- LAN Client IP: 192.168.0.5

- Remote Client IP: 192.168.0.1

 

So I can see clearly which LAN client accessed www.website.com, but I can't see which of the 254 remote Clients accessed that website, just someone on the VPN.

 

Is there a way to present the remote clients address (e.g. 192.168.2.1) to the proxy server?

Note that the LAN address is 192.168.0.0/22 which covers all addresses including those in the VPN range (192.168.2.0/24)

 

Thanks!

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2021-04-22 12:44 PM
In response to PointOfChecking
Jump to solution

What is the precise network configuration between the LAN clients and the gateway?
Sounds like it's really a flat network (i.e. the gateway and the LAN clients are on the same network), is that correct?

In which case, that route is one way to solve it.
Proxy ARPs on the gateway are another.
I don't believe either of these things happen automatically as the Office Mode subnet is usually on a different segment from the directly connected LAN. 

View solution in original post

10 Replies
the_rock
Legend
Legend
‎2021-04-16 05:18 AM
Jump to solution

That does not sound right...what is the remote access ip range you assigned for the clients? I had never seen this issue in all my years with CP.

0 Kudos
PointOfChecking
Collaborator
‎2021-04-16 05:41 AM
In response to the_rock
Jump to solution

Hi the_rock.

 

Sorry, I may have used the wrong terminology:

"VPN Network Range: 192.168.2.0/24 (192.168.2.0 - 192.168.2.255)"

The "VPN Network Range" is the "Remote access ip range".

 

Just to clarify:

- we're using R80.40 for MGMT and GWs

- from Logs and Monitor in SmartConsole I can see the different source IPs and Access Roles pick up correct LDAP information

 

- The problem is I can only see GW (MAIN IP) when checking logs of other third party servers (in the example in the OP, it was the proxy server in use)

0 Kudos
Tobias_Moritz
Advisor
‎2021-04-16 06:22 AM
In response to PointOfChecking
Jump to solution

I would check the NAT rules (manual and implicit ones).

Check the Check Point logs again and watch for xlate information.

It's definitly possible to not hide NAT vpn client traffic behind gateway when using Office Mode.

PointOfChecking
Collaborator
‎2021-04-16 08:00 AM
In response to Tobias_Moritz
Jump to solution

There aren't any NAT rules apart from the automatically created hide rule for the office mode range.

Based on your comment, I thought this might be the problem, so I added a rule higher above for:

 

SRC:OfficeMode DST:VPNDOMAIN  any service  =original =original =original

This didn't work, but made things worse, we lost all connections to the office.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-04-16 09:36 AM
Jump to solution

What precisely was the VPN client installed as?
Can you confirm that access to other resources works as expected?
Have you used fw monitor to see what’s happening when the Remote Access client is trying to access something?

0 Kudos
PointOfChecking
Collaborator
‎2021-04-19 02:19 AM
In response to PhoneBoy
Jump to solution

Hi PhoneBoy,

 

The client has been installed as Checkpoint Mobile

 

Access from the remote client to other resources in the Encryption domain work as expected.

All connections from the Encryption domain to the remote VPN addresses are failing.  They're not even appearing in the logs.

I've attached a snippet of the Fw Monitor below for connections from remote client to LAN:

eth1 - LAN

eth4 - external interface

 

[vs_0][fw_4] eth4:i[44]: 192.168.2.1 -> 192.168.0.100 (TCP) len=47 id=54811
[vs_0][ppak_0] eth4:iD[40]: 192.168.2.1 -> 192.168.0.100 (TCP) len=40 id=54812
[vs_0][ppak_0] eth4:i[40]: 192.168.2.1 -> 192.168.0.100 (TCP) len=40 id=54812
[vs_0][fw_4] eth4:I[44]: 192.168.2.1 -> 192.168.0.100 (TCP) len=47 id=54811
[vs_0][fw_4] eth4:i[40]: 192.168.2.1 -> 192.168.0.100 (TCP) len=40 id=54812
[vs_0][fw_4] eth4:I[40]: 192.168.2.1 -> 192.168.0.100 (TCP) len=40 id=54812
[vs_0][fw_4] eth1:o[44]: 192.168.2.1 -> 192.168.0.100 (TCP) len=47 id=54811
[vs_0][fw_4] eth1:o[40]: 192.168.2.1 -> 192.168.0.100 (TCP) len=40 id=54812
[vs_0][fw_4] eth1:I[40]: 192.168.0.100 -> 192.168.2.1 (TCP) len=40 id=43340
[vs_0][fw_4] eth1:o[40]: 192.168.0.100 -> 192.168.2.1 (TCP) len=40 id=43340
[vs_0][ppak_0] eth1:Oe[40]: 192.168.0.100 -> 192.168.2.1 (TCP) len=40 id=43340
[vs_0][fw_4] eth1:O[40]: 192.168.0.100 -> 192.168.2.1 (TCP) len=40 id=43340
[vs_0][fw_4] eth1:Oe[40]: 192.168.0.100 -> 192.168.2.1 (TCP) len=40 id=43340
[vs_0][ppak_0] eth4:iD[40]: 192.168.2.1 -> 192.168.0.100 (TCP) len=40 id=54813
[vs_0][ppak_0] eth4:i[40]: 192.168.2.1 -> 192.168.0.100 (TCP) len=40 id=54813
[vs_0][fw_4] eth4:i[40]: 192.168.2.1 -> 192.168.0.100 (TCP) len=40 id=54813
[vs_0][fw_4] eth4:I[40]: 192.168.2.1 -> 192.168.0.100 (TCP) len=40 id=54813
[vs_0][fw_4] eth1:o[40]: 192.168.2.1 -> 192.168.0.100 (TCP) len=40 id=54813
[vs_0][fw_4] eth1:I[44]: 192.168.0.100 -> 192.168.2.1 (TCP) len=1350 id=60780
[vs_0][fw_4] eth1:I[44]: 192.168.0.100 -> 192.168.2.1 (TCP) len=388 id=60781
[vs_0][fw_4] eth1:o[44]: 192.168.0.100 -> 192.168.2.1 (TCP) len=1350 id=60780
[vs_0][fw_4] eth1:O[44]: 192.168.0.100 -> 192.168.2.1 (TCP) len=1350 id=60780
[vs_0][fw_4] eth1:o[44]: 192.168.0.100 -> 192.168.2.1 (TCP) len=388 id=60781
[vs_0][fw_4] eth1:O[44]: 192.168.0.100 -> 192.168.2.1 (TCP) len=388 id=60781
[vs_0][ppak_0] eth1:Oe[44]: 192.168.0.100 -> 192.168.2.1 (TCP) len=1350 id=60780
[vs_0][ppak_0] eth1:Oe[44]: 192.168.0.100 -> 192.168.2.1 (TCP) len=388 id=60781
[vs_0][fw_4] eth1:Oe[44]: 192.168.0.100 -> 192.168.2.1 (TCP) len=1350 id=60780
[vs_0][fw_4] eth1:Oe[44]: 192.168.0.100 -> 192.168.2.1 (TCP) len=388 id=60781
[vs_0][ppak_0] eth4:iD[40]: 192.168.2.1 -> 192.168.0.100 (TCP) len=40 id=54814
[vs_0][ppak_0] eth4:i[40]: 192.168.2.1 -> 192.168.0.100 (TCP) len=40 id=54814
[vs_0][ppak_0] eth4:iD[44]: 192.168.2.1 -> 192.168.0.100 (TCP) len=47 id=54815
[vs_0][ppak_0] eth4:i[44]: 192.168.2.1 -> 192.168.0.100 (TCP) len=47 id=54815
[vs_0][ppak_0] eth4:iD[40]: 192.168.2.1 -> 192.168.0.100 (TCP) len=40 id=54816
[vs_0][ppak_0] eth4:i[40]: 192.168.2.1 -> 192.168.0.100 (TCP) len=40 id=54816
[vs_0][ppak_0] eth1:Oe[40]: 192.168.0.100 -> 192.168.2.1 (TCP) len=40 id=60782
[vs_0][ppak_0] eth1:Oe[40]: 192.168.0.100 -> 192.168.2.1 (TCP) len=40 id=60783
[vs_0][fw_4] eth4:i[40]: 192.168.2.1 -> 192.168.0.100 (TCP) len=40 id=54814
[vs_0][fw_4] eth4:I[40]: 192.168.2.1 -> 192.168.0.100 (TCP) len=40 id=54814
[vs_0][fw_4] eth4:i[44]: 192.168.2.1 -> 192.168.0.100 (TCP) len=47 id=54815
[vs_0][fw_4] eth4:I[44]: 192.168.2.1 -> 192.168.0.100 (TCP) len=47 id=54815
[vs_0][fw_4] eth4:i[40]: 192.168.2.1 -> 192.168.0.100 (TCP) len=40 id=54816
[vs_0][fw_4] eth4:I[40]: 192.168.2.1 -> 192.168.0.100 (TCP) len=40 id=54816
[vs_0][fw_4] eth1:o[40]: 192.168.2.1 -> 192.168.0.100 (TCP) len=40 id=54814
[vs_0][fw_4] eth1:o[44]: 192.168.2.1 -> 192.168.0.100 (TCP) len=47 id=54815
[vs_0][fw_4] eth1:o[40]: 192.168.2.1 -> 192.168.0.100 (TCP) len=40 id=54816
[vs_0][fw_4] eth1:I[40]: 192.168.0.100 -> 192.168.2.1 (TCP) len=40 id=60782
[vs_0][fw_4] eth1:o[40]: 192.168.0.100 -> 192.168.2.1 (TCP) len=40 id=60782
[vs_0][fw_4] eth1:O[40]: 192.168.0.100 -> 192.168.2.1 (TCP) len=40 id=60782
[vs_0][fw_4] eth1:I[40]: 192.168.0.100 -> 192.168.2.1 (TCP) len=40 id=60783
[vs_0][fw_4] eth1:Oe[40]: 192.168.0.100 -> 192.168.2.1 (TCP) len=40 id=60782
[vs_0][fw_4] eth1:o[40]: 192.168.0.100 -> 192.168.2.1 (TCP) len=40 id=60783
[vs_0][fw_4] eth1:O[40]: 192.168.0.100 -> 192.168.2.1 (TCP) len=40 id=60783
[vs_0][fw_4] eth1:Oe[40]: 192.168.0.100 -> 192.168.2.1 (TCP) len=40 id=60783
[vs_0][ppak_0] eth4:iD[40]: 192.168.2.1 -> 192.168.0.100 (TCP) len=40 id=54817
[vs_0][ppak_0] eth4:i[40]: 192.168.2.1 -> 192.168.0.100 (TCP) len=40 id=54817
[vs_0][fw_4] eth4:i[40]: 192.168.2.1 -> 192.168.0.100 (TCP) len=40 id=54817
[vs_0][fw_4] eth4:I[40]: 192.168.2.1 -> 192.168.0.100 (TCP) len=40 id=54817
[vs_0][fw_4] eth1:o[40]: 192.168.2.1 -> 192.168.0.100 (TCP) len=40 id=54817
[vs_0][ppak_0] eth4:iD[44]: 192.168.2.1 -> 172.21.1.10 (UDP) len=76 id=51122
[vs_0][ppak_0] eth4:i[44]: 192.168.2.1 -> 172.21.1.10 (UDP) len=76 id=51122
[vs_0][fw_4] eth4:i[44]: 192.168.2.1 -> 172.21.1.10 (UDP) len=76 id=51122

 

When I ping from LAN to remote client I get the below:

LAN PC: 192.168.0.5

Remote Client: 192.168.2.1

[vs_0][ppak_0] eth1:i[44]: 192.168.0.5 -> 192.168.2.1 (ICMP) len=60 id=9278
[vs_0][fw_0] eth1:i[44]: 192.168.0.5 -> 192.168.2.1 (ICMP) len=60 id=9278
[vs_0][ppak_0] eth1:Oe[44]: 192.168.0.5 -> 192.168.2.1 (ICMP) len=60 id=9278
[vs_0][fw_0] eth1:I[44]: 192.168.0.5 -> 192.168.2.1 (ICMP) len=60 id=9278
[vs_0][fw_0] eth1:o[44]: 192.168.0.5 -> 192.168.2.1 (ICMP) len=60 id=9278
[vs_0][fw_0] eth1:O[44]: 192.168.0.5 -> 192.168.2.1 (ICMP) len=60 id=9278
[vs_0][fw_5] eth1:Oe[44]: 192.168.0.5 -> 192.168.2.1 (ICMP) len=60 id=9278

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2021-04-19 08:41 AM
In response to PointOfChecking
Jump to solution

If I'm reading this right, it's getting dropped before the big O on the inbound direction. 
What does an fw ctl zdebug drop | grep client-ip says is the reason for this?
If nothing is shown, I recommend a TAC case for further troubleshooting.

0 Kudos
PointOfChecking
Collaborator
‎2021-04-22 03:58 AM
In response to PhoneBoy
Jump to solution

Hi PhoneBoy,

 

So we found that it was a routing issue.  We had to add a route to the hosts on the LAN to point to the GW.

192.168.2.0/24 -> 192.168.0.1

 

The question is, as the LAN network range is 192.168.0.0/22 (which includes 192.168.0.0 - 192.168.3.255 addresses)

This covers the VPN network range 192.168.2.0/24 (192.168.2.0 - 192.168.2.255).

 

Why do I need to add the route?

 

We currently have a VPN server from another manufacturer where the config works without having to add the route.

When I ping a host connected via that server I'm able to see the remote client added to my ARP table.

When I ping a host connected via the Checkpoint VPN, (after adding the route to my PC), the ping works, but the remote client does not appear in my ARP table.

 

0 Kudos
PhoneBoy
Admin
Admin
‎2021-04-22 12:44 PM
In response to PointOfChecking
Jump to solution

What is the precise network configuration between the LAN clients and the gateway?
Sounds like it's really a flat network (i.e. the gateway and the LAN clients are on the same network), is that correct?

In which case, that route is one way to solve it.
Proxy ARPs on the gateway are another.
I don't believe either of these things happen automatically as the Office Mode subnet is usually on a different segment from the directly connected LAN. 

PointOfChecking
Collaborator
‎2021-04-23 12:14 AM
In response to PhoneBoy
Jump to solution

Hi PhoneBoy,

Appreciate your time with this question.

 

It is indeed a flat network.  We've scheduled a change to update the routing on all the routers next Monday.  So should have this resolved.

 

Thanks for the tip about Proxy ARP, that might have been an easier and quicker solution.  Thanks again!

 

EDIT:

Just tried the Proxy ARP and can confirm it works, but there isn't an option to configure for the entire subnet: 192.168.2.0/24

If we were to use this solution, we'd have to manually add Proxy ARP records for all 254 IP addresses.

 

May be in new update, we could request to add the facility to configure Proxy ARP for entire subnets?  Or would there be problems doing that?

 

Thanks again

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events