This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Nuggeteer
Contributor
Saturday
Jump to solution

SSL VPN Not Running On External Interface

I'm trying to setup an SSL VPN but the SSL VPN portal is only running on my Internal interface, not the External interface. I have my WAN IP configured as the URL to use for the SSLVPN. I have also verified within the IPSec VPN tab under Link Selection it's set to use the WAN IP as well. However, the SSL VPN portal only runs on the Internal interface. 

The only thing I can think of is that within the Smart Console my gateway shows up using the Internal IP address of my LAN. Is there a way to force the SSL VPN to use the External interface?

Labels
0 Kudos
2 Solutions

Accepted Solutions
the_rock
Legend
Legend
yesterday
In response to Nuggeteer
Jump to solution

Screenshot_1.png

Anyway, hit me up directly and can send you zoom.

Andy

View solution in original post

(1)
the_rock
Legend
Legend
yesterday
Jump to solution

Hey guys,

Just to update @Chris_Atkinson , what Bob and I did was below, I just took some basic noted and all worked fine afterwards. I knew it had to be something trivial, but its always good to have working lab to compare it to. Thanks @Nuggeteer for being patient over remote, but glad we sorted it out.

Andy

****************************************

 

remote session notes:

web UI

192.168.100.1:4434, works

192.168.100.1/sslvpn works

192.168.121.211/sslvpn gives web ui, NOT ssl vpn page

we changed inside layer to internal and installed policy


same issue

realized mgmt server object was natted to 192.168.121.211, disabled it, install policy -> good now

 

*************************************************

 

 

View solution in original post

0 Kudos
16 Replies
Chris_Atkinson
Employee Employee
Employee
yesterday
Jump to solution

Which options are currently set here:

Gateway/cluster object - Mobile Access - Portal Settings - Accessibility - Edit

CCSM R77/R80/ELITE
0 Kudos
Nuggeteer
Contributor
yesterday
In response to Chris_Atkinson
Jump to solution

First off, this is in a lab environment. 

My gateways external IP is 192.168.121.211 and the internal IP is 192.168.100.1 and it's the gateway for the 192.168.100.0/24 network. My SMS is 192.168.100.10.

--> Under Gateway/cluster object - Mobile Access - Portal Settings - Accessibility - Edit: set to "Through all interfaces".

NOTE: When I try to access hxxp://192.168.121.11/sslvpn I get the management interface, not the SSL VPN interface. If I go to hxxps://192.168.100.1/sslvpn I get the SSLVPN page.

Also, within my gateway, the "Platform Portal" Main URL is set to "https://192.168.121.211. I had it set to https://192.168.100.1 and the SSL VPN didn't work via the external IP with that either so I'm at a bit of a loss here.

Thank you for your help!

 

0 Kudos
Chris_Atkinson
Employee Employee
Employee
yesterday
In response to Nuggeteer
Jump to solution

Try setting the platform portal URL to the internal IP on a different port e.g. https://192.168.100.1:4434 and install policy afterwards

CCSM R77/R80/ELITE
0 Kudos
Nuggeteer
Contributor
yesterday
In response to Chris_Atkinson
Jump to solution

I changed my platform portal to what you suggested and when I visit hxxps://192.168.121.211/sslvpn I still get the management portal page and not the SSL VPN page. 

Is there anything else I can look at? Any logs?

0 Kudos
Nuggeteer
Contributor
yesterday
In response to Chris_Atkinson
Jump to solution

Any other thoughts? I've enabled the Mobile Access blade for SSL VPN and RA VPN (client) for workstations. Neither one will work when trying to connect to the external interface. 

0 Kudos
the_rock
Legend
Legend
yesterday
In response to Nuggeteer
Jump to solution

If you are allowed to do remote, happy to try help, since its a lab.

Let me know.

Andy

0 Kudos
Nuggeteer
Contributor
yesterday
In response to the_rock
Jump to solution

Absolutely! If you're willing. I'm stuck at this point and not sure what else to do. 

the_rock
Legend
Legend
yesterday
In response to Nuggeteer
Jump to solution

Screenshot_1.png

Anyway, hit me up directly and can send you zoom.

Andy

(1)
Nuggeteer
Contributor
yesterday
In response to the_rock
Jump to solution

For anyone who comes across this and wants to know what the root cause of the problem was. I had my SMS server using a static NAT on the SG external IP and this was causing the NAT to take precedence over my SSL VPN connect. Many thanks to Andy for his assistance !!!!!!!

 

(1)
the_rock
Legend
Legend
yesterday
In response to Nuggeteer
Jump to solution

No problem bud, glad to help, any time!

Andy

 

you-have-check-7a1a9216aa.jpg

0 Kudos
the_rock
Legend
Legend
yesterday
In response to Nuggeteer
Jump to solution

I totally agree with last thing Chris said. Thats how I did it in my lab and workes perfectly fine.

Andy

0 Kudos
Nuggeteer
Contributor
yesterday
In response to the_rock
Jump to solution

What guide did you use to setup the SSL VPN? I've seen so many YouTube videos and they're all different. Is there updated CP documentation that you followed? 

0 Kudos
the_rock
Legend
Legend
yesterday
In response to Nuggeteer
Jump to solution

Nope, never followed any guide, I have it all in my brain, since I did it who knows how many times lol

I took some screenshots for you.

Andy

 

Screenshot_1.png

 

 

Screenshot_2.png

 

 

Screenshot_3.png

 

Screenshot_4.png

0 Kudos
Nuggeteer
Contributor
yesterday
In response to the_rock
Jump to solution

Do I need an access control policy rule to allow it? I have one for RA-VPN (client),  but not one for SSL VPN users. 

However, my RA VPN (client) won't connect when I try to create a new site so it's like the SSL VPN daemon isn't listening at all. 

0 Kudos
the_rock
Legend
Legend
yesterday
In response to Nuggeteer
Jump to solution

To just open the page, no, you dont need rule for that.

Andy

0 Kudos
the_rock
Legend
Legend
yesterday
Jump to solution

Hey guys,

Just to update @Chris_Atkinson , what Bob and I did was below, I just took some basic noted and all worked fine afterwards. I knew it had to be something trivial, but its always good to have working lab to compare it to. Thanks @Nuggeteer for being patient over remote, but glad we sorted it out.

Andy

****************************************

 

remote session notes:

web UI

192.168.100.1:4434, works

192.168.100.1/sslvpn works

192.168.121.211/sslvpn gives web ui, NOT ssl vpn page

we changed inside layer to internal and installed policy


same issue

realized mgmt server object was natted to 192.168.121.211, disabled it, install policy -> good now

 

*************************************************

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events