This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
LifeisGood
Explorer
3 weeks ago

VPN client cannot not reach host in a subnet, but can reach the subnet's Layer 3 interface IP

Hello,

We have a CP VPN connected to CP FW. There is a DMZ  (10.10.6.0/24 with 10.10.6.10 as the DMZ interface IP) on the FW. My VPN client got a route from the VPN gateway to route everything to the VPN gateway's external interface (84.84.84.11). See attached topology for details. 

My VPN client can reach the DMZ interface IP on the FW (10.10.6.10). However, the client cannot reach any IPs (e.g. 10.10.6.38) in the DMZ subnet. If I add a host route on the VPN appliance (10.10.6.38/32 --> 10.10.6.10), then the VPN client can reach the host. Could someone help me understand why I have to add host route and how to avoid add 200+ host route for the DMZ hosts?

Preview file
32 KB
0 Kudos
4 Replies
PhoneBoy
Admin
Admin
3 weeks ago

Did you configure the Remote Access Encryption Domain to include the relevant DMZ networks?

0 Kudos
LifeisGood
Explorer
3 weeks ago
In response to PhoneBoy

Yes.

0 Kudos
Duane_Toler
Advisor
3 weeks ago

Is the VPN gateway 1 hop behind the firewall gateway?  Or is it parallel, with the VPN gateway's external interface sharing the same subnet as the firewall gateway?  Your network addressing makes it look parallel.  Your diagram also suggests the VPN gateway's internal interface has to pass traffic back through the firewall gateway on another interface (which is fine).

In addition to the message from PhoneBoy (check his suggestion first), this also sounds like you are missing a return route on the firewall gateway for the office mode subnet (172.10.0/22).  I suspect your firewall gateway, or perhaps the VPN gateway, is performing NAT and you aren't expecting it.  The firewall gateway will see source IP packets of 172.10.0.0/22, so they need to be returned to the VPN gateway.  You can see this with fw monitor.  You can run this command on both gateways, which will give you a hint:

fw monitor -F 172.20.1.2,0,0,0,0 -F 0,0,172.20.1.2,0,0

You can also check your logs and you will see if NAT is being applied.

Similarly, make sure your interior network (10.10.6.0/24) has either a default route, or some type of route, to also send packets for 172.20.0.0/22 back to the firewall gateway.

0 Kudos
LifeisGood
Explorer
3 weeks ago
In response to Duane_Toler

Per CP Support, FW and VPN appliances share interfaces, and all the addresses in those shared subnets on the FW side are considered in the same layer 2 network. That's why the class C route I put in place does not do anything and more specific host routes are working fine. The workaround is to break class C into specific /25 routes. This work around worked. Thank you all for your input. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events