Remote access users access resources behind site to site tunnel
Hi,
I am trying to solve an issue where I need remote access users to be able to connect to resources behind a site-to-site tunnel.
Remote users connect to an on-premises Check Point cluster (R81.20 Take 26) using the Check Point Mobile client and can access resources in the on-premises datacenter.
But they also need to access resources that are located on the other end of a site-to-site tunnel.
I saw the Remote Access community, but I cannot add this interoperable device there. I suspect it must be a Check Point host for that.
What can be done to enable routing between these two VPN domains?
Accepted Solutions
These are gateways that directly terminate Remote Access connections.
What you need to modify is the Remote Access Encryption Domain, which is modified in the Gateway object:
The object referred to here should be a group object that includes both your local IP addresses (i.e. your local encryption domain) and the remote IP addresses you wish to be accessible (i.e. the remote encryption domain).
You don't add the Interoperable Device, but you add the networks behind that device to the Remote Access Community.
Hi,
The RemoteAccess community only has two options:
Add participating gateway and Participating User Groups.
So I do not know where I should add these networks?
Thank you Phoneboy 🙏 appreciate your help 🙂
Hello,
I tested in my lab by creating a group with the local and remote subnets of the VPN tunnel and adding the group to the VPN domain of the "RemoteAccess" community. It was OK, but it wasn't enough.
In order to make it work, I had to add the Office Mode subnet (CP_default_Office ...) to the local VPN domain because I was getting the following log:
'Encryption Failure: according to the policy the packet should not have been decrypted'
So I created a group with the local subnet and the Office Mode subnet:
Then, I had to authorize the Office Mode subnet on the remote gateway, because the packets finished in the cleanup rule of the remote gateway.
This way, from the remote client (on remote access), I was able to access a PC on the remote site through the VPN tunnel.
I hope this will help
SK 36510
Remote-Access to S2S VPN
1. Define both the Check Point side domain and the Peer Gateway Domains with Group objects.
2. On the Check Point side gateway, put the Office Mode IP range into the Gateway's Encryption domain. (NOTE: If the Office Mode IP range is going to be sent over the tunnel, make sure the Peer expects to see this network range (policy rule, etc). If using a Hide NAT, add both Office Mode and NAT IPs to the Check Point side gateway's domain.)
3. Create a new Group object with BOTH the Check Point and the Peer's Encryption Domain in the new Group.
4. Manually define the Remote Access with the new Group.
5. Global Properties >> Remote Access main page >>> check the box for "Enable Back connections (from Gateway to client)".
6. Install policy.
===============
Double check:
- S2S VPN community page: un-check the box for "Disable NAT inside the community" (only if NAT is needed).
- May need to add a NO-NAT rule for the two-way traffic, Office Mode IP to Peer's network and Peer's network to Office Mode IP, **unless OM is hide NATing**.
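The lab report above and the SK checklist describe the same three things that must line up: the Remote Access encryption domain must contain the peer's networks, the site-to-site local domain must contain the Office Mode range (or the gateway logs the "Encryption Failure" shown above), and the peer's rulebase must accept the source it sees. The following is an added example, written for this thread and not code from CheckMates or from Check Point: a small offline checker that models those objects with the `ipaddress` module, lints a layout for the misconfigurations the thread ran into, and traces where one Office Mode client packet ends up. All object names, subnets and the `VpnLayout`, `lint_layout`, `client_path` and `sample_layout` helpers are hypothetical, constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network


def nets(*cidrs: str) -> List[Net]:
    """Build a list of IPv4 networks from CIDR strings."""
    return [ipaddress.ip_network(c) for c in cidrs]


def covered(net: Net, pool: List[Net]) -> bool:
    """True when every address of `net` falls inside one network of `pool`."""
    return any(net.subnet_of(p) for p in pool)


@dataclass
class VpnLayout:
    """The objects the thread tells you to build (hypothetical model, not a Check Point API)."""
    s2s_local_domain: List[Net]        # Check Point side domain of the site-to-site community
    s2s_peer_domain: List[Net]         # networks behind the interoperable device
    office_mode_pool: Net              # range handed out to Remote Access clients
    ra_domain: List[Net]               # group used as the gateway's Remote Access encryption domain
    peer_accepts_from: List[Net]       # sources the peer's rulebase allows out of the tunnel
    hide_nat_ip: Optional[Net] = None  # set when Office Mode traffic is hide-NATed toward the peer

    def source_seen_by_peer(self) -> Net:
        """The address the peer sees: the NAT IP when hiding, otherwise the pool itself."""
        return self.hide_nat_ip or self.office_mode_pool


def lint_layout(l: VpnLayout) -> List[str]:
    """Return the misconfigurations the thread describes; empty when the layout is consistent."""
    findings: List[str] = []
    # SK steps 3-4: the RA encryption domain must contain the peer's networks,
    # or the client never sends peer-bound traffic into the Remote Access tunnel.
    for n in l.s2s_peer_domain:
        if not covered(n, l.ra_domain):
            findings.append(f"RA encryption domain is missing peer network {n}")
    # SK step 2 / lab post: the Office Mode range (and the NAT IP when hiding) must be
    # in the local site-to-site domain; otherwise the gateway logs
    # 'Encryption Failure: according to the policy the packet should not have been decrypted'.
    for n in [l.office_mode_pool] + ([l.hide_nat_ip] if l.hide_nat_ip else []):
        if not covered(n, l.s2s_local_domain):
            findings.append(f"site-to-site local domain is missing {n}")
    # Lab post: the peer's policy must allow the source it sees, or the packets
    # end in the peer gateway's cleanup rule.
    src = l.source_seen_by_peer()
    if not covered(src, l.peer_accepts_from):
        findings.append(f"peer rulebase does not allow traffic from {src}")
    return findings


def client_path(l: VpnLayout, src: str, dst: str) -> str:
    """Trace one Office Mode client packet (src -> dst) through the layout."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not any(d in n for n in l.ra_domain):
        return "outside-vpn"            # not in the RA domain: never enters the RA tunnel
    if any(d in n for n in l.s2s_peer_domain):
        if not any(s in n for n in l.s2s_local_domain):
            return "encryption-failure"  # the log the lab post reports
        seen = l.hide_nat_ip.network_address if l.hide_nat_ip else s
        if not any(seen in n for n in l.peer_accepts_from):
            return "peer-cleanup-drop"   # the peer's cleanup rule, as in the lab post
        return "s2s-tunnel"
    return "local"                      # on-premises resource, RA tunnel only


def sample_layout(fixed: bool) -> VpnLayout:
    """Constructed lab values (hypothetical subnets); `fixed` applies the two lab fixes."""
    local, peer = nets("10.1.0.0/16"), nets("192.168.50.0/24")
    om = ipaddress.ip_network("172.16.10.0/24")
    return VpnLayout(
        s2s_local_domain=local + ([om] if fixed else []),
        s2s_peer_domain=peer,
        office_mode_pool=om,
        ra_domain=local + peer,                      # group with both domains (SK steps 3-4)
        peer_accepts_from=local + ([om] if fixed else []),
    )


if __name__ == "__main__":
    for fixed in (False, True):
        layout = sample_layout(fixed)
        print("fixed" if fixed else "broken", lint_layout(layout),
              client_path(layout, "172.16.10.5", "192.168.50.20"))
```

Run as a script it reports the two findings for the broken layout and an empty list plus `s2s-tunnel` for the fixed one; swap in your own subnets and, if you hide-NAT Office Mode, set `hide_nat_ip` so the check follows the SK's "add both Office Mode and NAT IPs" rule.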